June 6, 2026
SOC127 — SQL Injection Detected WalkThrough — LetsDefend
Rizwann
SQL injection remains one of the most dangerous and commonly exploited web application vulnerabilities because it can expose sensitive data, bypass authentication controls, and potentially lead to full backend database compromise.
Event ID: 127 & Rule Name: SOC127 — SQL Injection Detected.
In this walkthrough, I investigate the SOC127 — SQL Injection Detected alert and analyze how an attacker systematically probed a public-facing web application using multiple SQL injection techniques observed in proxy logs.
The investigation began with a SIEM alert, but the full attack narrative became clear after reviewing repeated malicious web requests targeting the same application parameter.
Initial Alert Review
The SIEM generated an alert indicating suspicious SQL injection activity against a web application endpoint.
During the initial triage phase, several indicators immediately stood out:
- Repeated requests against /index.php?id=
- Multiple malformed SQL payloads
- Automated attack signatures
- Requests originating from a single external IP
- Presence of the sqlmap User-Agent
This strongly suggested active SQL injection reconnaissance and exploitation attempts.
Log Analysis
Log 1.1 — UNION-Based SQL Injection + XSS + RCE Testing
Observed Request
```
GET /?douj=3034 AND 1=1 UNION ALL SELECT 1,NULL,'<script>alert("XSS")</script>',table_name FROM information_schema.tables WHERE 2>1--/**/; EXEC xp_cmdshell('cat ../../../etc/passwd')#
```
Analysis
This payload combines several attack techniques into a single request.
SQL Injection
`AND 1=1`: The attacker uses a TRUE condition to validate whether injected SQL statements are processed successfully.
UNION-Based Extraction
`UNION ALL SELECT ...`: The attacker attempts to merge malicious query output with legitimate application responses to retrieve database information from `information_schema.tables`.
Cross-Site Scripting (XSS)
`<script>alert("XSS")</script>`: This payload tests whether user-controlled content is reflected back into the browser without sanitization.
Remote Command Execution Attempt
`EXEC xp_cmdshell('cat ../../../etc/passwd')`: This attempts operating system command execution through SQL Server functionality.
If successful, it could expose sensitive system files.
Obfuscation
`--/**/`: SQL comments are commonly used to bypass weak filtering mechanisms.
Log 1.2 — Query Breaking / Fuzzing
Payload
```
GET /index.php?id=1").(,(,'.(
```
Backend Interpretation
```
SELECT * FROM products WHERE id = "1").(,(,'.("
```
Analysis
This payload attempts to break SQL query syntax using malformed characters such as:
- '
- "
- (
- )
- ,
Attackers commonly use these patterns during fuzzing and reconnaissance to identify:
- weak input validation,
- database error leakage,
- injectable parameters.
Log 1.3 — XSS and SQLi Reflection Testing
Payload
```
GET /index.php?id=1'QaEOtG<'">PRVoKd
```
Backend Interpretation
```
SELECT * FROM products WHERE id='1'QaEOtG<'">PRVoKd'
```
Analysis
This payload combines:
- quote breaking,
- HTML injection,
- Reflection testing.
The attacker is checking whether:
- Input is reflected in responses,
- HTML content is interpreted,
- SQL parsing errors occur.
Log 1.4 — Boolean-Based SQL Injection
Payload
```
GET /index.php?id=1 AND 9816=9452-- bkmh
```
Analysis
The condition `9816=9452` always evaluates to FALSE.
Attackers compare application behavior between:
- TRUE conditions,
- FALSE conditions.
Behavior differences help confirm SQL injection vulnerabilities.
Log 1.5 — UNION-Based Enumeration
Payload
```
id=(SELECT (
CASE
WHEN (4611=4629)
THEN 1
ELSE (SELECT 4629 UNION SELECT 6288)
END
))
```
Analysis
This request combines:
- conditional logic,
- UNION SELECT behavior,
- database response manipulation.
The attacker is testing whether UNION queries can be processed successfully for future data extraction.
Log 1.6 — MySQL Error-Based SQL Injection
Payload
```
EXTRACTVALUE(
7321,
CONCAT(...)
)
```
Analysis
The attacker abuses the MySQL EXTRACTVALUE() function to intentionally trigger database errors.
Error-based SQL injection allows attackers to leak information through application error responses.
This payload also includes:
- hexadecimal encoding,
- concatenated markers,
- conditional testing.
Log 1.7 — PostgreSQL Fingerprinting
Decoded URL:
```
GET /index.php?id=1) AND 2574=CAST((CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (2574=2574) THEN 1 ELSE 0 END)):: text||(CHR(113)||CHR(112)||CHR(122)||CHR(106)||CHR(113)) AS NUMERIC) AND (9806=9806 HTTP/1.1" 200 865 "-" "sqlmap/1.7.2#stable
```
Payload Characteristics
- `CHR(...)`
- `::text`
- `CAST(... AS NUMERIC)`
Analysis
These functions are strongly associated with PostgreSQL.
The attacker is fingerprinting the backend database engine while simultaneously attempting:
- boolean testing,
- type conversion errors,
- payload execution verification.
Log 1.8 & 1.9 — Encoded SQLi Payloads
Decoded URLs:
```
GET /index.php?id=1') AND 2574=CAST((CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (2574=2574) THEN 1 ELSE 0 END)):: text||(CHR(113)||CHR(112)||CHR(122)||CHR(106)||CHR(113)) AS NUMERIC) AND ('FiHf'='FiHf HTTP/1.1" 200 865 "-" "sqlmap/1.7.2#stable
GET /index.php?id=1' AND 2574=CAST((CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113))||(SELECT (CASE WHEN (2574=2574) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(122)||CHR(106)||CHR(113)) AS NUMERIC) AND 'qQpG'='qQpG HTTP/1.1" 200 865 "-" "sqlmap/1.7.2
```
The final payloads continue using:
- encoded `CHR()` functions,
- TRUE conditions,
- CAST operations,
- randomized markers.
The repeated syntax variations suggest the attacker was systematically adapting payloads to identify exploitable behavior.
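The triage logic from the Initial Alert Review and the decoding of the CHR() chains seen in Logs 1.7 to 1.9, as an added example that is not part of the original walkthrough or of the LetsDefend platform: it parses constructed proxy log lines modelled on the requests above, classifies the technique in each query string, rebuilds the literals that the CHR() chains encode (sqlmap's boundary markers), and escalates a source that uses the sqlmap User-Agent or repeatedly hits the same parameter. The log format, thresholds and signature names are assumptions for the demo.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit
# Constructed proxy log lines modelled on the requests in this walkthrough; not the LetsDefend data itself.
SAMPLE_LOGS = [
    '203.0.113.5 - - [06/Jun/2026:10:00:01 +0000] "GET /index.php?id=1%22).(,(,%27.( HTTP/1.1" 500 512 "-" "sqlmap/1.7.2#stable"',
    '203.0.113.5 - - [06/Jun/2026:10:00:02 +0000] "GET /index.php?id=1%20AND%209816=9452--%20bkmh HTTP/1.1" 200 865 "-" "sqlmap/1.7.2#stable"',
    '203.0.113.5 - - [06/Jun/2026:10:00:03 +0000] "GET /index.php?id=1%27%20AND%202574=CAST((CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113))||(SELECT%20(CASE%20WHEN%20(2574=2574)%20THEN%201%20ELSE%200%20END))::text||(CHR(113)||CHR(112)||CHR(122)||CHR(106)||CHR(113))%20AS%20NUMERIC)%20AND%20%27qQpG%27=%27qQpG HTTP/1.1" 200 865 "-" "sqlmap/1.7.2"',
    '198.51.100.7 - - [06/Jun/2026:10:00:04 +0000] "GET /index.php?id=42 HTTP/1.1" 200 865 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"')
SIGNATURES = {  # one signature per technique the walkthrough identifies, matched on the URL-decoded query
    "union_based": re.compile(r"UNION\s+(?:ALL\s+)?SELECT", re.I),
    "boolean_based": re.compile(r"\bAND\s+\(?\d+=\d+", re.I),
    "error_based_mysql": re.compile(r"EXTRACTVALUE\s*\(", re.I),
    "postgres_fingerprint": re.compile(r"CHR\(\d+\)|::\s*text", re.I),
    "os_command": re.compile(r"xp_cmdshell", re.I),
    "xss_reflection": re.compile(r"<script", re.I),
    "syntax_fuzzing": re.compile(r"""["'][()<>,.]"""),  # quote followed by a query-breaking character
}
CHR_CHAIN = re.compile(r"(?:CHR\(\d+\)\|\|)*CHR\(\d+\)", re.I)

def decode_chr_chains(text):
    """Replace each CHR(n)||CHR(n)... run with the literal it builds, exposing sqlmap's boundary markers."""
    return CHR_CHAIN.sub(lambda m: "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'", text)

def analyse_line(line):
    """Parse one combined-format proxy line and classify the techniques present in its query string."""
    if not (m := LOG_RE.match(line)):
        return None
    src, _method, target, _status, ua = m.groups()
    parts = urlsplit(target)
    query = unquote(parts.query)
    return {"src": src, "decoded": decode_chr_chains(query), "sqlmap": ua.lower().startswith("sqlmap"),
            "params": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
            "techniques": sorted(n for n, rx in SIGNATURES.items() if rx.search(query))}

def triage(lines, threshold=3):
    """Group requests by source IP; escalate on a sqlmap User-Agent or repeated SQLi hits against one parameter."""
    by_src = defaultdict(list)
    for rec in filter(None, map(analyse_line, lines)):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        hits = [r for r in recs if r["techniques"]]
        verdicts[src] = {"sqli_hits": len(hits), "sqlmap": any(r["sqlmap"] for r in recs),
                         "params": sorted({p for r in hits for p in r["params"]}),
                         "techniques": sorted({t for r in hits for t in r["techniques"]})}
        verdicts[src]["escalate"] = verdicts[src]["sqlmap"] or len(hits) >= threshold
    return verdicts
```

Running `triage(SAMPLE_LOGS)` escalates 203.0.113.5 (three different techniques against the single parameter `id`, all with the sqlmap User-Agent) and leaves the benign 198.51.100.7 request alone; the decoded query for the third line shows the markers `'qkkvq'` and `'qpzjq'` that the CHR() chains spell out.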
Observed Exploitation Flow
The request sequence demonstrates a structured SQL injection attack lifecycle.
Step 1 — Reconnaissance
Initial payloads tested:
- quotes,
- brackets,
- malformed syntax,
- reflection behavior.
Step 2 — Vulnerability Validation
Boolean-based payloads validated:
- TRUE/FALSE responses,
- query manipulation capability.
Step 3 — Database Fingerprinting
The attacker identified possible backend technologies using:
- PostgreSQL-specific syntax,
- MySQL-specific functions.
Step 4 — Error Triggering
Payloads intentionally generated database errors to leak behavioral information.
Step 5 — Data Extraction Preparation
UNION-based queries attempted to identify paths for future database extraction.
Threat Assessment
Taken together, the activity strongly indicates active SQL injection exploitation attempts rather than accidental malformed traffic.
The attack sequence demonstrates:
- progression,
- adaptation,
- backend fingerprinting,
- exploitation methodology,
- automated tooling usage.
Legitimate users do not generate repeated structured SQL payloads targeting the same parameter in rapid succession.
Potential Impact
If the application had been vulnerable, the attacker could potentially achieve:
- Database enumeration
- Sensitive data disclosure
- Authentication bypass
- Administrative compromise
- Remote code execution
- Backend system access
MITRE ATT&CK mapping
| Tactic | Technique | ID / Evidence |
| --------------- | --------------------------------------------- | ------------------------------------------------ |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Discovery | Application behavior and backend probing | Consistent with attack staging observed in logs |
| Collection | Data extraction via UNION/error-based methods | SQLi extraction behavior |
| Defense Evasion | Encoded payloads and syntax variation | Filter bypass patterns |
Containment and Remediation
This alert should be classified as a True Positive SQL Injection Exploitation Attempt.
Immediate Response Actions
- Block or rate-limit the source IP
- Review web server logs
- Inspect database query logs
- Search for successful query execution
- Verify whether sensitive data was accessed
Long-Term Security Improvements
- Implement parameterized queries
- Avoid dynamic SQL construction
- Enforce strict input validation
- Suppress verbose database errors
- Apply least-privilege database permissions
- Deploy Web Application Firewall (WAF) protections
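To make the first four long-term controls concrete, an added example that is not from the walkthrough: a dynamic-SQL lookup with the behaviour the backend interpretations above imply, beside its hardened form with allow-list validation, a bound parameter and a generic error message. SQLite stands in for the unknown backend engine, and the products table and its rows are constructed for the demo.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the products table implied by the backend interpretations above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn

def lookup_vulnerable(conn, raw_id):
    """Dynamic SQL: the request parameter is spliced into the statement text, so it can change the query."""
    query = f"SELECT id, name FROM products WHERE id = {raw_id}"
    try:
        return {"rows": conn.execute(query).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}  # verbose error: the parser's complaint reaches the client

def lookup_safe(conn, raw_id):
    """Allow-list validation, then a bound parameter: the value is only ever data, never SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return {"rows": [], "error": "invalid id"}
    try:
        rows = conn.execute("SELECT id, name FROM products WHERE id = ?", (int(raw_id),)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "request failed"}  # generic message; detail belongs in server-side logs
```

Against the vulnerable function the boolean payloads from Log 1.4 produce a visible TRUE/FALSE difference and the fuzzing payload from Log 1.2 leaks a parser error, which is exactly the oracle sqlmap relies on; the hardened function answers all three with the same "invalid id".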
Key Takeaways & Skills Demonstrated
Through this investigation, I strengthened my understanding of how real-world SQL injection attacks are identified, analyzed, and validated from a SOC analyst perspective. By reviewing proxy logs and attacker payload behavior, I learned how adversaries progress from reconnaissance and payload testing to database fingerprinting and exploitation attempts using automated tools such as sqlmap.
This investigation improved my practical skills in:
- Web attack detection and analysis
- SQL injection payload identification
- Log analysis and traffic correlation
- Threat hunting through proxy and web logs
- Understanding attacker methodology and exploit progression
- MITRE ATT&CK mapping for web exploitation activity
- Identifying database fingerprinting techniques across MySQL and PostgreSQL
- Distinguishing false positives from true exploitation attempts
Most importantly, this walkthrough reinforced the importance of investigative thinking, behavioral analysis, and understanding attacker intent rather than relying solely on alert signatures.
From a defensive security perspective, this case highlighted the critical importance of secure coding practices, parameterized queries, input validation, proper error handling, and proactive monitoring of public-facing applications.
Final Verdict
Based on the proxy log analysis, this investigation confirms a structured SQL injection exploitation campaign against a public-facing application. The source is external and initiated the attack with the malicious intent of extracting sensitive data, which would lead the enterprise to a breach.
The attacker demonstrated:
- Boolean-based SQL injection,
- Error-based probing,
- UNION-based extraction attempts,
- Database fingerprinting,
- Encoded payload obfuscation,
- Query-breaking fuzzing techniques,
- Automated exploitation tooling.
This activity should be treated as active hostile reconnaissance and attempted web application exploitation.