Tag: ethical hacking

SQL Injection Basics: Retrieving Hidden Data

In this part of my cybersecurity learning journey, I worked through a PortSwigger Web Security Academy lab about getting hidden data using SQL injection techniques.

They used the example of a shopping application that shows products in different categories. You click on a category and it shows you the contents of that category:

PortSwigger WebSecurity Academy’s vulnerable application

We’re interested here in the query string at the end of the URL. In this case it’s

?category=Accessories

That gets sent to the backend where the application uses it to query a database. The lab explained the SQL query may look something like this:

SELECT * FROM products WHERE category = 'Accessories' AND released = 1

To be completely honest, as a beginner, I did wonder:

How would I know about the “AND released = 1” part just from looking at the query string?

The answer is: I probably wouldn’t know from the query alone… But hey-ho. I guess it’s just for the purposes of showing us a simplified version of what goes on behind the scenes. In a real-world situation we’d probably be testing the application’s behaviour and making guesses based on its responses.

So to break it down, that SQL query runs like this:

Hey database! SELECT everything FROM the products table
WHERE the category is Accessories
AND WHERE released is equal to 1. K thx bye.

Suspending the disbelief that I would know about the released=1 condition for a moment (and assuming that released=0 is for unreleased products let’s assume that the app doesn’t have any defense against SQL injection at all. We can try and attack it by changing that query string to something like:

?category=Accessories'--

You can see we how have another product showing called “Cheshire Cat Grin”. Basically we made an alteration to the SQL query that the application would send. Now it would be something like this:

SELECT * FROM products WHERE category = 'Accessories'--' AND released = 1

Notice that double dash? In SQL, that indicates what follows next is a comment and should be ignored. Therefore it’s completely removed from the query. So now we’re gettling all the accessories!

We can also do something similar for get absolutely everything by changing the query string to:

?category=Accessories'+OR+1=1--

That gives us the SQL query:

SELECT * FROM products WHERE category = 'Accessories' OR 1=1--' AND released = 1

The key part here is:

OR 1=1

This works because 1=1 is always true. So now we’re saying:

Hey database! SELECT everything from the products table
WHERE the category is 'Accessories'
OR you know... Whatever. K thx bye.

This works because we are now asking for a catergory called ‘Accessories’ OR any category that is true. This basically means it contains any value except false or 0. This makes it output everything in the products table and it also clears the lab!

Important warning

One thing the lab points out is that even a simple-looking injection like:

OR 1=1

can be dangerous!

It might seem harmless when you are only retrieving products from a test shop, but some applications use the same input in multiple database queries.

If that injected condition reached an UPDATE or DELETE statement, it could potentially modify or delete far more data than intended.

So this is something to practise only in safe, legal environments like PortSwigger Web Security Academy labs, deliberately vulnerable apps, or your own test systems.

What I learned

The main thing I took away from this lab is that SQL injection is not magic. It is about understanding how user input can accidentally become part of a database query.

The category value in the URL looked harmless, but because the application trusted it too much, it was possible to change the logic of the SQL query.

That is why secure applications need to validate input properly and, more importantly, use safe database queries rather than directly building SQL strings from user input.

Later, we’ll look at ways to mitigate these problems, but not before exploring more SQL injection vulnerabilities! So thanks for sticking around and learning. Until the next time, until the next tutorial: Catch you later! Bye bye!

What Is SQL Injection? A Beginner’s Introduction

Information

Okay, so here we go. First attempt at actually learning something to do with CyberSecurity! Kind of exciting and a little nerve-wracking, to be honest.

Today’s topic is SQL injection.

As a web developer, I’ve heard of this a lot before. It’s one of those things that’s been around for ages and, quite frankly, isn’t something that I’ve ever actually tried or thought about since I left PHP development many years ago. I vaguely remember doing mitigating things when I had to access the MySQL backend of one of the first versions of Xperienced (back then, I believe we were Experienced.tk because the domain was free or the cheapest option). Truly premium web development… Enterprise grade… Obvs…

Modern day SQL injection? I’ve got no clue about that… So these articles are me taking notes as I start learning.

What is SQL injection?

From what I understand so far, SQL injection is a vulnerability that will allow an attacker to interfere with database queries that the application makes to its backend.

That can mean an attacker is able to view data they should not be able to see, such as hidden records, user information, or other sensitive data that should not be publicly accessible.

In more serious cases, SQL injection can be used to change the behaviour of an application, modify data, bypass login checks, or potentially create a way for an attacker to maintain access for a longer period of time.

Some attacks can even escalate further, depending on the application, database permissions, and server setup.

In short: it is not just “getting extra rows from a database”. It can become a much bigger problem.

We’re in for some fun, it seems…

What does a successful SQL injection look like?

So the goal of an SQL injection attack is to gain unauthorised access to sensitive data.

Trying to get passwords, credit card details or PII (peronally idenentifiable information). A lot of data breaches we hear about have come from SQL injection attacks or similar weaknesses and cause a lot of reputational damage and, in some cases, huge fines from governing bodies or regulators. In some cases, the attacker can leave themselves a persistent backdoor into the system for a long-term exfiltration of information that may go unnoticed for a very long time…

Very cheerful stuff… O_O

Detecting SQL injection vulnerabilities

Whilst there are tools to automate the process (like Burp Scanner) there are ways you can do this manually by testing against every entry point one by one. Entry points could include:

  • URL parameters
  • search boxes
  • login forms
  • filters
  • cookies
  • request headers
  • hidden form fields

A common starting point is the single quote character:

'

If entering a quote causes an error or unusual response, it may suggest that the input is being handled unsafely in a SQL query.

Other common testing approaches include using SQL-specific syntax that should either preserve the original query or change its behaviour. The aim is to compare the application’s responses and look for differences.

Boolean conditions are another common technique, such as:

OR 1=1

and

OR 1=2

The first condition is always true, while the second is false. If the application responds differently to each one, that may indicate that the input is affecting a SQL query.

There are also time-delay payloads, where the database is instructed to pause before responding. If the application suddenly takes longer to load, that can be another clue.

Another technique is OAST, which stands for Out-of-band Application Security Testing. This involves trying to make the target application interact with an external system controlled by the tester. If that external interaction happens, it can reveal that the payload was executed somewhere on the backend.

WHERE to do the SQL injection?

So a lot of attacks happen and vulnerabilities exist within the WHERE clause of a SELECT statement. They can also happen at other locations in the query as well for example:

  • UPDATE → within the updated values or the WHERE clause
  • INSERT → within the inserted values
  • SELECT → within the table or column name or the ORDER BY clause.

So while the classic SQL injection example is usually something like a login form or category filter, the vulnerability can appear wherever user-controlled input is included unsafely in a database query.

How to do an SQL injection attack?

There are several different SQL injection techniques, depending on the application and how it responds. The ones I have seen so far include:

Retrieving hidden information

This is where SQL injection is used to return additional results from a query. For example, a shop might normally show only released products, but a vulnerable query could be manipulated to also show hidden or unreleased products.

Subverting the application’s logic

This is where the injection changes the logic of the application. A classic example would be interfering with a login query so the database condition always evaluates to true.

UNION attacks

A UNION attack can be used to retrieve information from other database tables. For example, if a vulnerable page normally returns product information, a UNION attack might try to make it return usernames or other data from a different table.

Blind SQL injection

Blind SQL injection happens when the results of the query are not directly shown in the application’s response. That makes it harder to test, because instead of seeing the data directly, you have to infer what is happening from things like:

  • different page responses
  • error messages
  • time delays
  • external network interactions

It sounds slower and more awkward, which probably means it is exactly the kind of thing I will end up spending hours stuck on later.

Learning safely

For these articles, I am using PortSwigger Web Security Academy as my main learning resource.

I am not sponsored or affiliated with them. They are simply the tutorials and labs I found, and they seem like a safe and legal way to practise. That part is important.

SQL injection should only be tested in environments where you have permission. That means intentionally vulnerable labs, training platforms, or systems you personally own and control.

Do not test this on random websites!

Aside from being illegal, it could cause real damage.

What I have learned so far

The main thing I have taken away from this introduction is that SQL injection is about trust. If an application takes user input and includes it directly in a database query, an attacker may be able to change what that query does.

That could mean retrieving hidden data, bypassing logic, extracting information from other tables, or causing far more serious damage depending on the system.

As a developer, this is especially interesting because it connects directly to how applications are built. It is not just an abstract “hacker thing”. It is a consequence of insecure coding patterns, poor input handling, and unsafe database queries.

Next, I will start working through some practical examples and seeing how these vulnerabilities actually behave in a controlled lab environment.