OBJECTIVE 03 — SQL INJECTION METHODOLOGY
CEH CORE STATEMENT (MEMORIZE)
| Item | Memorize |
| SQL Injection Methodology | A step-by-step process used by attackers to detect, exploit, and extract data from vulnerable SQL queries |
SQL INJECTION METHODOLOGY — PHASES
| Phase No. | Phase |
| 1 | Detect SQL Injection |
| 2 | Identify Database |
| 3 | Enumerate Database Structure |
| 4 | Extract Data |
| 5 | Bypass Authentication |
| 6 | Execute OS Commands |
| 7 | Maintain Access |
MEMORY HOOK:
Detect → Identify → Enumerate → Extract → Bypass → Execute → Persist
PHASE 1 — DETECT SQL INJECTION
Goal
| Goal |
| Determine whether the application is vulnerable |
DETECTION TECHNIQUES
| Technique |
| Single quote injection |
| Boolean testing |
| Time delay testing |
| Error message observation |
TEST PAYLOADS (EXAM RECOGNITION)
| Payload |
| ' |
| " |
| ' OR '1'='1 |
| ' AND 1=2-- |
SUCCESS INDICATORS
| Indicator |
| Database error |
| Page content change |
| Response delay |
MEMORY HOOK:
Error / Change / Delay = injectable
PHASE 2 — IDENTIFY DATABASE TYPE
Goal
| Goal |
| Determine backend DBMS |
IDENTIFICATION METHODS
| Method |
| Error message fingerprinting |
| DB-specific functions |
| Version banners |
DB-SPECIFIC FUNCTIONS (EXAM MUST)
| Database | Function |
| MySQL | @@version |
| MSSQL | @@version |
| Oracle | banner from v$version |
| PostgreSQL | version() |
MEMORY HOOK:
Version function reveals DB
PHASE 3 — ENUMERATE DATABASE STRUCTURE
Goal
| Goal |
| Discover tables, columns, and schemas |
ENUMERATION TARGETS
| Target |
| Database name |
| Table names |
| Column names |
| User privileges |
| Item | Description |
| information_schema | Metadata database |
IMPORTANT TABLES (EXAM GOLD)
| Table |
| information_schema.tables |
| information_schema.columns |
| information_schema.schemata |
MEMORY HOOK:
Schema stores structure
PHASE 4 — EXTRACT DATA
Goal
| Goal |
| Retrieve sensitive data |
| Data |
| Usernames |
| Password hashes |
| Emails |
| Credit card details |
| Method |
| UNION-based extraction |
| Blind extraction |
| Time-based extraction |
MEMORY HOOK:
Structure first, data next
PHASE 5 — BYPASS AUTHENTICATION
Goal
| Goal |
| Gain unauthorized login |
COMMON TECHNIQUES
| Technique |
| Always-true condition |
| Commenting query |
| Login logic manipulation |
EXAM PAYLOADS
| Payload |
| ' OR '1'='1-- |
| admin'-- |
MEMORY HOOK:
TRUE bypasses auth
PHASE 6 — EXECUTE OS COMMANDS
Goal
| Goal |
| Execute system-level commands |
REQUIREMENTS
| Requirement |
| DB supports command execution |
| High privileges |
DB-SPECIFIC METHODS
| Database | Method |
| MSSQL | xp_cmdshell |
| MySQL | INTO OUTFILE |
| Oracle | Java stored procedures |
MEMORY HOOK:
DB → OS bridge
PHASE 7 — MAINTAIN ACCESS
Goal
| Goal |
| Persist attacker access |
TECHNIQUES
| Technique |
| Create admin users |
| Backdoors |
| Web shells |
COMPLETE SQL INJECTION FLOW (EXAM LOCK)
| Order |
| Detect |
| Identify DB |
| Enumerate |
| Extract |
| Bypass |
| Execute |
| Persist |