The text provides a comprehensive guide to identifying SQL injection vulnerabilities, categorized by parameter type (numeric, string, search, bracket), attack technique (union-based, error-based, boolean blind, time-based, stacked queries, second-order, wide-byte, cookie/Base64), and data submission method (GET, POST, Cookie, HTTP header). It explains the core concept of UNION in SQL and how UNION injection works by appending a malicious query to the original one, allowing attackers to retrieve data from other tables if the web page displays query results. The guide emphasizes the importance of understanding these classifications for effective vulnerability detection and exploitation.
Classification of SQL Injection
This is the first step in identifying a vulnerability — figure out where in the SQL statement the user input is placed.
SELECT * FORM XXXXXX WHERE XXXXXX
1. Classification by Injection Point Parameter Type (Most Basic)
Type
Source Code
Characteristics
Attack
Detection Method
Numeric
WHERE id = $id
No quotes around the parameter
?id=1 OR 1=1 — inject logic directly
Adding ' causes an error; adding AND 1=1 returns normal; AND 1=2 returns abnormal
String (Single Quote)
WHERE name = '$name'
Parameter is wrapped in single quotes
?name=' OR '1'='1' --
Adding ' triggers an error; adding AND '1'='1 returns normal
String (Double Quote)
WHERE name = "$name"
Parameter is wrapped in double quotes
?name=" OR "1"="1" --
Search (LIKE)
WHERE title LIKE '%$key%'
Parameter is wrapped in single quotes and percent signs
?key=xx% OR 1=1 --
Must close both the percent sign and the quote
Parenthesized
WHERE id = ($id) or ('$name')
Attack must first close the parenthesis, e.g.: ?id=1) OR 1=1 --
2. Classification by Attack Technique (Best Reflects Technical Differences)
Union-Based Injection
Condition: the page displays query results
Technique: use UNION SELECT to append a malicious query structure after the original results, then read data from the page output
Condition: the database driver supports executing multiple statements at once (semicolon-separated)
Technique: directly append ; DROP TABLE ... ; and other destructive or operational statements
Most dangerous — can directly add, delete, modify, and query data, and escalate privileges.
Second-Order Injection
Condition: the attacker first submits a malicious payload that gets stored in the database; later, some feature retrieves that data and concatenates it into an SQL query for execution
Characteristic: the injection does not occur at input time, but rather at the point of "reuse"
Example: register a user admin' --, then change the actual admin's password when the reset password feature is used
Wide-Byte Injection
Condition: PHP + MySQL, using wide-byte encodings like GBK, with escaping enabled (e.g., addslashes())
Principle: escaping adds a backslash \ (0x5c) before single quotes; the attacker uses a multibyte character that combines with \ to form a valid Chinese character, "eating" the backslash and freeing the quote
Example: ?name=%df' — in GBK, %df%5c forms the character "運". The \ is consumed, and the single quote successfully closes the string
Cookie / Base64 Injection
Parameters are Base64-encoded (or similar) and placed in cookies or other headers; the backend decodes them before splicing into SQL
Technique: Base64-encode the attack payload before injecting. For example, admin' or 1=1 -- encodes to: YWRtaW4nIG9yIDE9MSAtLSA=
3. Classification by Data Submission Method (Finding the Injection Entry Point)
GET type: parameters in the URL, e.g., id=1
POST type: parameters in the request body, e.g., form submission.
Cookie type: parameters from cookie values
HTTP header injection: User-Agent, Referer, X-Forwarded-For, and other headers spliced into SQL (often used in logging scenarios)
These three classification dimensions overlap. For instance, a POST-based injection may target a string-typed parameter position and use Boolean blind injection as the attack technique. Understanding these types helps you quickly identify vulnerabilities and choose the right approach during learning and testing.
Attack Types
What is UNION?
It simply stacks two query results into one big table, top to bottom.
For example, two tables:
Table A: boys' roster (student ID, name)
Table B: girls' roster (student ID, name)
If you want to list every student's name in the school, you can use UNION
SELECT 学号,姓名 FROM 男生 UNION SELECT 学号,姓名 FROM 女生
The result is one long table containing all the boys' and girls' information. It only concatenates vertically; it does not merge columns horizontally.
UNION Syntax and Rules
SELECT 列1,列2,········FROM 表1 WHERE 条件 UNION SELECT 列1,列2,········FROM 表2 WHERE 条件
Rules you must follow:
Both queries must have the same number of columns
If the upper query selects 3 columns, the lower query must also select 3 columns, otherwise an error will occur.
Corresponding data types must match or be auto-convertible
For example, if the first column of the first query is a number, the first column of the lower query should ideally also be a number (or text that can be converted to a number), not some incompatible type.
Suppose we have two tables
SELECT name,price FROM products UNION SELECT username,score FROM users
As long as both queries follow the same pattern (e.g., text, number), it works.
Note: deduplication by default
UNION automatically removes duplicate rows by default. To keep all duplicate rows, use UNION ALL.
UNION Injection Example
Example (original statement):
-- [请输入内容]——>[1] SELECT id,title FROM news WHERE id = 1 -- 1是输入的参数
The attacker can directly append their own SQL statement after the input parameter 1 in the original query, so that the final executed statement becomes:
-- [请输入内容]-->[1 UNION SELECT username,passward FROM users] SELECT id,title FROM news WHERE id = 1 UNION SELECT username,passward FROM users
This way, the webpage that originally only displayed news titles and IDs now additionally returns usernames and passwords.
Because UNION concatenates the results of both queries together, if the webpage directly displays all the results, the attacker can see the usernames and passwords.
This is the first step in identifying a vulnerability — figure out where in the SQL statement the user input is placed.
SELECT * FORM XXXXXX WHERE XXXXXX
1. Classification by Injection Point Parameter Type (Most Basic)
Type
Source Code
Characteristics
Attack
Detection Method
Numeric
WHERE id = $id
No quotes around the parameter
?id=1 OR 1=1 — inject logic directly
Adding ' causes an error; adding AND 1=1 returns normal; AND 1=2 returns abnormal
String (Single Quote)
WHERE name = '$name'
Parameter is wrapped in single quotes
?name=' OR '1'='1' --
Adding ' triggers an error; adding AND '1'='1 returns normal
String (Double Quote)
WHERE name = "$name"
Parameter is wrapped in double quotes
?name=" OR "1"="1" --
Search (LIKE)
WHERE title LIKE '%$key%'
Parameter is wrapped in single quotes and percent signs
?key=xx% OR 1=1 --
Must close both the percent sign and the quote
Parenthesized
WHERE id = ($id) or ('$name')
Attack must first close the parenthesis, e.g.: ?id=1) OR 1=1 --
2. Classification by Attack Technique (Best Reflects Technical Differences)
3. Classification by Data Submission Method (Finding the Injection Entry Point)
These three classification dimensions overlap. For instance, a POST-based injection may target a string-typed parameter position and use Boolean blind injection as the attack technique. Understanding these types helps you quickly identify vulnerabilities and choose the right approach during learning and testing.
Attack Types
What is UNION?
For example, two tables:
If you want to list every student's name in the school, you can use UNION
SELECT 学号,姓名 FROM 男生 UNION SELECT 学号,姓名 FROM 女生
The result is one long table containing all the boys' and girls' information. It only concatenates vertically; it does not merge columns horizontally.
UNION Syntax and Rules
Rules you must follow:
Suppose we have two tables
As long as both queries follow the same pattern (e.g., text, number), it works.
Note: deduplication by default
UNION automatically removes duplicate rows by default. To keep all duplicate rows, use UNION ALL.
UNION Injection Example
Example (original statement):
The attacker can directly append their own SQL statement after the input parameter 1 in the original query, so that the final executed statement becomes:
This way, the webpage that originally only displayed news titles and IDs now additionally returns usernames and passwords.
Because UNION concatenates the results of both queries together, if the webpage directly displays all the results, the attacker can see the usernames and passwords.