OBJECTIVE 02 — TYPES OF SQL INJECTION
MASTER CLASSIFICATION (EXAM MUST)
| Category | Subtypes |
|---|---|
| In-band SQL Injection | Error-based, UNION-based |
| Inferential (Blind) SQL Injection | Boolean-based, Time-based |
| Out-of-band SQL Injection | DNS/HTTP-based |
MEMORY HOOK
In-band → Blind → Out-of-band
1. IN-BAND SQL INJECTION
CEH DEFINITION
| Item | Memorize |
|---|---|
| In-band SQL Injection | Attacker uses the same communication channel to inject SQL and retrieve results |
CHARACTERISTICS
| Characteristic |
|---|
| Most common |
| Fast exploitation |
| Same request/response channel |
1.1 ERROR-BASED SQL INJECTION
DEFINITION
| Item | Memorize |
|---|---|
| Error-based SQL Injection | Exploits database error messages to extract information |
WHY IT WORKS
| Reason |
|---|
| Verbose database errors |
| Poor error handling |
ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Attacker submits malformed SQL |
| 2 | Database throws error |
| 3 | Error reveals DB info |

| Data revealed |
|---|
| Database type |
| Table names |
| Column names |
| Query structure |
EXAM PAYLOADS (RECOGNITION)
MEMORY HOOK
Error = information
1.2 UNION-BASED SQL INJECTION
DEFINITION
| Item | Memorize |
|---|---|
| UNION-based SQL Injection | Uses UNION operator to combine attacker query with legitimate query |
PREREQUISITES (VERY IMPORTANT)
| Requirement |
|---|
| Same number of columns |
| Compatible data types |
ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Find column count |
| 2 | Identify injectable columns |
| 3 | Use UNION SELECT |
| 4 | Extract data |
EXAM PAYLOADS
| Payload |
|---|
| `' UNION SELECT NULL--` |
| `' UNION SELECT 1,2,3--` |
MEMORY HOOK
UNION = merge results
2. INFERENTIAL (BLIND) SQL INJECTION
CEH DEFINITION
| Item | Memorize |
|---|---|
| Blind SQL Injection | No direct database error or output is visible |
CHARACTERISTICS
| Characteristic |
|---|
| Slow |
| No visible errors |
| Inference-based |
2.1 BOOLEAN-BASED BLIND SQL INJECTION
DEFINITION
| Item | Memorize |
|---|---|
| Boolean-based SQL Injection | Attacker infers results by observing TRUE/FALSE responses |
ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Inject condition |
| 2 | Observe page response |
| 3 | Infer result |
EXAM PAYLOADS
| Payload |
|---|
| `' AND 1=1--` |
| `' AND 1=2--` |
MEMORY HOOK
Page change = answer
2.2 TIME-BASED BLIND SQL INJECTION
DEFINITION
| Item | Memorize |
|---|---|
| Time-based SQL Injection | Uses time delays to infer query execution |
ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Inject delay condition |
| 2 | Measure response time |
| 3 | Infer result |
EXAM FUNCTIONS (DB-SPECIFIC)
| DB | Function |
|---|---|
| MySQL | SLEEP() |
| MSSQL | WAITFOR DELAY |
| PostgreSQL | pg_sleep() |
| Oracle | DBMS_LOCK.SLEEP |
MEMORY HOOK
Delay = TRUE
3. OUT-OF-BAND SQL INJECTION
DEFINITION
| Item | Memorize |
|---|---|
| Out-of-band SQL Injection | Data exfiltration using a different channel |
WHEN USED
| Condition |
|---|
| In-band unavailable |
| Blind too slow |
CHANNELS USED
ATTACK LOGIC
| Step | Action |
|---|---|
| 1 | Inject SQL |
| 2 | DB triggers external request |
| 3 | Attacker receives data |
MEMORY HOOK
Different channel = Out-of-band
COMPLETE TYPE COMPARISON (EXAM GOLD)
| Type | Speed | Output |
|---|---|---|
| Error-based | Fast | Errors |
| UNION-based | Fast | Query results |
| Boolean-based | Slow | Page behavior |
| Time-based | Very slow | Response delay |
| Out-of-band | Medium | External response |