sql-injection-testing

SKILL.md

SQL Injection Testing Skill

Purpose

Validate SQL injection (including blind SQLi) by injecting SQL syntax into user-controlled inputs and observing:

  • Time-based delays (blind)
  • Error messages (error-based)
  • Boolean/content differences (blind)
  • Data extraction via UNION
  • Stacked queries where supported
  • Out-of-band interactions (DNS/HTTP callbacks) when infra allows

Vulnerability Types Covered

1. Time-Based Blind SQLi (CWE-89)

Inject time-delay functions and detect response latency.

Detection Methods: SLEEP(5), pg_sleep(5), WAITFOR DELAY '0:0:5', heavy functions (e.g., randomblob() for SQLite).
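On the defending side, the same delay primitives are a log-detection signal, and a slow response to one of them suggests the delay actually executed. The following is an added example, not part of the skill itself; the log layout (request time in seconds as the last field), the `scan` and `normalize` helpers, the 4.5-second threshold and the sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Delay primitives named in this section, matched after decoding.
DELAY_PATTERNS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(\s*\d+", re.I),
    "postgres_pg_sleep": re.compile(r"\bpg_sleep\s*\(\s*\d+", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\s+'[\d:.]+'", re.I),
    # Assumption: only very large randomblob() sizes are treated as "heavy".
    "sqlite_randomblob": re.compile(r"\brandomblob\s*\(\s*\d{6,}", re.I),
}

# Assumed layout: combined-style access log, request time (seconds) last.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ (?P<rt>\d+\.\d+)$'
)

def normalize(target):
    """Undo up to three layers of URL encoding, then strip inline SQL comments."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"/\*.*?\*/", "", target)

def scan(lines, slow_seconds=4.5):
    """Return one finding per request whose target carries a delay primitive."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        text = normalize(m["target"])
        hits = [name for name, rx in DELAY_PATTERNS.items() if rx.search(text)]
        if hits:
            # A slow response to a delay payload suggests the delay really ran.
            findings.append({"ip": m["ip"], "hits": hits,
                             "delay_observed": float(m["rt"]) >= slow_seconds})
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512 0.031',
    '203.0.113.9 - - [27/Mar/2026:10:00:05 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 5.044',
    '203.0.113.9 - - [27/Mar/2026:10:00:12 +0000] "GET /s?q=pg_sleep%25285%2529 HTTP/1.1" 500 120 0.020',
    '198.51.100.4 - - [27/Mar/2026:10:01:00 +0000] "GET /blog/how-to-sleep-better HTTP/1.1" 200 900 0.012',
    '198.51.100.8 - - [27/Mar/2026:10:02:00 +0000] "GET /u?name=WAITFOR+DELAY+%270:0:5%27 HTTP/1.1" 200 64 5.012',
]
```

Findings with `delay_observed` set are the ones to triage first, since the payload and the matching latency appear on the same request.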

Installs: 2
First Seen: Mar 27, 2026