Author: Sriman Kundu
Introduction: The Path to Continuous Learning
In the ever-evolving landscape of cybersecurity, theoretical knowledge is the foundation, but practical application is the structure we build upon it. I recently completed the "SQL Injection Attacks" course by CodeRed, and to validate my understanding, I decided to move away from the textbooks and get my hands dirty in a controlled environment.
This write-up documents my workflow — from manual enumeration to automated exploitation — demonstrating the severity of SQL Injection (SQLi) vulnerabilities and the importance of securing databases.
The Target: Ethical Testing
Disclaimer: The attacks performed below were conducted on testphp.vulnweb.com, a deliberately vulnerable application hosted by Acunetix for educational and testing purposes. Always ensure you have explicit permission before testing any system.
Phase 1: Manual Exploitation (The "Classic" Approach)
Before launching automated tools, it is crucial to understand the underlying logic of the vulnerability. I started by identifying a potential injection point in the URL parameter artist.
By injecting a UNION SELECT statement, I was able to append the results of my own injected query to those of the application's original query. As seen in the screenshot below, I successfully enumerated the table names from the information_schema database.
The Payload Logic:
I used a negative parameter (-1) to ensure the first part of the query returned nothing, forcing the application to display the data from my injected UNION statement.
Figure 1: Manually extracting table names (artists, carts, users, etc.) using Union-Based SQLi.
Phase 2: Automation with SQLmap
Once the vulnerability was confirmed manually, I switched to SQLmap, the industry-standard tool for detecting and exploiting SQL injection flaws. This step demonstrates how attackers can rapidly scale their attacks.
The terminal output below confirms that the target is vulnerable to multiple types of SQLi:
- Boolean-based blind
- Error-based
- Time-based blind
- UNION query
SQLmap automatically identified the backend DBMS as MySQL >= 5.6 and began fetching the database structure.
Figure 2: Using SQLmap to fingerprint the database and identify injection vectors.
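The automated phase above leaves a recognisable trail in web server logs. The following is an added example, not part of the original write-up or of SQLmap, showing how a defender can pick out the injection classes SQLmap reported (UNION queries, information_schema enumeration, time-based probes) and the tool's own User-Agent from access log lines. The log lines, IP addresses and the exact User-Agent string are constructed for the example; the real SQLmap version string varies by release.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access log lines (not real traffic).
# Two benign requests from one client, two injection probes from another.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2024:12:00:01 +0000] "GET /artists.php?artist=1 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:12:00:02 +0000] "GET /artists.php?artist=2 HTTP/1.1" 200 1498 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:00:05 +0000] "GET /artists.php?artist=-1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:00:06 +0000] "GET /artists.php?artist=1%20AND%20SLEEP(5) HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

# Combined-log-format parser: client IP, request path and User-Agent are
# the fields this detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Signatures for the injection classes named in the SQLmap output.
# Matching is done on the URL-decoded path so %20-encoding does not hide them.
SIGNATURES = {
    "union_query": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "schema_enum": re.compile(r"information_schema", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def scan_log(text: str) -> list:
    """Return one finding per log line that matches a signature or carries
    the SQLmap default User-Agent prefix."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        path = unquote_plus(m["path"])
        hits = [name for name, rx in SIGNATURES.items() if rx.search(path)]
        if m["ua"].lower().startswith("sqlmap"):
            hits.append("sqlmap_user_agent")
        if hits:
            findings.append({"ip": m["ip"], "path": path, "hits": hits})
    return findings


def suspicious_clients(findings: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` flagged requests: a burst of varied
    probes from one IP is the signature of an automated scanner."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["hits"], f["path"])
    print("clients to investigate:", suspicious_clients(found))
```

Signature matching alone is noisy and easy to evade with alternative encodings or comment tricks, so the per-client count is the more useful alert: a single UNION string might be a false positive, but several distinct injection classes from one address within seconds is worth an incident ticket.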
Phase 3: Visualization and Exfiltration
To visualize the attack surface better, I utilized a GUI-based SQL injection tool (jSQL). This allowed me to map out the hierarchy of the acuart database.
Navigating through the tree structure, I located the users table — the holy grail for most attackers. As shown in the final proof-of-concept, I was able to dump the column data, revealing the credentials:
- Username: test
- Password: test
Figure 3: Dumping the 'users' table and retrieving plain-text credentials.
The Takeaway: Defense Matters
Executing these attacks highlights how a single unsanitized input can lead to a total compromise of data confidentiality.
How to prevent this?
- Parameterized Queries (Prepared Statements): This is the primary defense. It ensures the database treats user input as data, not executable code.
- Input Validation: Strictly validate inputs against a whitelist of allowed characters.
- Principle of Least Privilege: Ensure the database user connected to the web app has only the minimum necessary permissions.
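To tie the payload logic from Phase 1 to the first two defenses listed here, the following is an added example, not code from the write-up or from the vulnerable application. It rebuilds the artist lookup three ways against a constructed in-memory SQLite database: the string-concatenation pattern that makes the -1 UNION SELECT trick work, the same lookup as a parameterized query, and the parameterized query behind an integer whitelist. The schema, artist rows and the sqlite_master catalogue (SQLite's counterpart of MySQL's information_schema) are assumptions of the example; the least-privilege item is a database-account setting rather than application code and is not shown.

```python
import re
import sqlite3


# Constructed in-memory stand-in for the 'acuart' schema named in the write-up.
# Table names match the ones enumerated in Figure 1; the artist rows are made
# up, and the users row mirrors the test/test credential shown in Figure 3.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE artists (artist_id INTEGER PRIMARY KEY, aname TEXT);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO artists VALUES (1, 'constructed-artist-1'),
                                   (2, 'constructed-artist-2');
        INSERT INTO users VALUES ('test', 'test');
        """
    )
    return conn


def artist_vulnerable(conn: sqlite3.Connection, artist: str) -> list:
    """The flawed pattern: the URL parameter is pasted into the SQL text,
    so whatever it contains is parsed as SQL."""
    sql = f"SELECT aname FROM artists WHERE artist_id = {artist}"
    return conn.execute(sql).fetchall()


def artist_parameterized(conn: sqlite3.Connection, artist: str) -> list:
    """Prepared statement: the driver binds the value as data. SQL keywords
    inside it are compared against the column, never executed."""
    return conn.execute(
        "SELECT aname FROM artists WHERE artist_id = ?", (artist,)
    ).fetchall()


def artist_validated(conn: sqlite3.Connection, artist: str) -> list:
    """Whitelist validation layered on top of parameterization: 'artist' is
    an integer id, so anything else is rejected before the database is hit."""
    if not re.fullmatch(r"\d+", artist):
        raise ValueError("artist must be a positive integer")
    return artist_parameterized(conn, int(artist))


# The write-up's payload logic: a negative id empties the first SELECT and
# the UNION appends the catalogue. information_schema is MySQL-specific;
# sqlite_master plays the same role for this SQLite example.
PAYLOAD = "-1 UNION SELECT name FROM sqlite_master WHERE type='table'"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable   :", artist_vulnerable(db, PAYLOAD))      # table names leak
    print("parameterized:", artist_parameterized(db, PAYLOAD))   # [] : inert data
    try:
        artist_validated(db, PAYLOAD)
    except ValueError as exc:
        print("validated    : rejected ->", exc)
```

The parameterized version alone is sufficient to stop the injection; the whitelist is defence in depth that also gives the application a clean place to log and reject malformed input before it ever reaches the database.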
Conclusion
Earning the certificate was a great milestone, but successfully replicating the attack vectors on a live target solidified the learning. Cybersecurity is a journey of constant breaking and building. On to the next challenge!