INTRODUCTION
Task-1: Brief
Question : What does SQL stand for?
Answer: Structured Query Language
Explanation: SQL is a language used to talk to databases. It helps you store, find, update, and delete data.
Task 2: What is a Database?
Q1. What is the acronym for the software that controls a database?
A1. DBMS
Q2. What is the name of the grid-like structure which holds the data?
A2. table
Explanation
DBMS is the software that stores and manages data. Think of it as a store room that keeps
all the data safe and organized. SQL is the language used to talk to the DBMS.
A table in DBMS stores data in rows and columns in an organized way.
Task 3: What is SQL?
Q1. What is the acronym for the software that controls a database?
A1. DBMS
Q2. What is the name of the grid-like structure which holds the data?
A2. table
Q3. What SQL statement is used to add data?
A3. INSERT
Summary
- CREATE — Create database objects (table, database, view).
- ALTER — Modify existing database objects.
- DROP — Delete database objects permanently.
- TRUNCATE — Remove all records from a table.
- RENAME — Rename a database object.
- INSERT — Add new records to a table.
- UPDATE — Modify existing records.
- DELETE — Remove specific records from a table.
- SELECT — Retrieve data from tables.
- GRANT — Give user permissions.
- REVOKE — Remove user permissions.
- COMMIT — Save transaction changes permanently.
- ROLLBACK — Undo transaction changes.
- SAVEPOINT — Set a rollback point within a transaction.
Task 4: What is SQL Injection?
Q1. What character signifies the end of an SQL query?
A1. ;
Explanation
SQL Injection is a type of cyberattack where an attacker inserts malicious SQL code into a
website’s input fields. When the application does not properly validate user input, the
database executes this code as a command. As a result, the attacker may gain unauthorized
access to sensitive data, modify information, bypass login systems, or even delete entire
databases. SQL Injection is dangerous because it directly targets the database, which stores
critical information.
Task 5: In-Band SQLi
Q1. What is the flag after completing level 1?
A1. THM{SQL_INJECTION_3840}
Explanation
In-Band SQL Injection is the classic (and most common) form of SQL injection where the
attacker uses the same channel to both send the attack and receive the results — usually
through a web page’s response.
Think of it as:
Ask the database a malicious question → get the answer right back on the screen.
Because both the attack and the response travel through the same path, this technique is
called in-band.
There are two common ways this happens.
1. Error-based SQL injection
In error-based SQL injection, the attacker intentionally triggers database errors. These
errors may reveal sensitive information like database type, version, or table names if the
application displays error messages.
2. Union-based SQL injection
In union-based SQL injection, the attacker uses the SQL UNION operator to combine the
results of a malicious query with a legitimate one, allowing direct extraction of data such
as usernames or passwords.
Process
In this example, union-based SQL injection is used.
When the attacker injects a UNION SELECT statement, the database executes both the original
query and the injected one, then returns the combined result in a single response. This
allows the attacker to retrieve data from tables that were never intended to be exposed by
the application.
For a UNION attack to succeed, two conditions must be met.
First - the injected query must return the same number of columns as the original
query.
Second - the data types of each column must be compatible with the original query’s
columns.
Attackers usually determine this information by trial and error. The example below shows the
trials.
1 UNION SELECT 1
1 UNION SELECT 1,2
1 UNION SELECT 1,2,3
When no error message is returned, the injected query has the correct number of columns.
1. Determine the database name using database(). database() is a built-in SQL function that returns the name of the currently selected (active) database.
0 UNION SELECT 1,2,database()
Running it returns sqli_one as the database name.
2. Getting table names
information_schema is a special, built-in system database that stores metadata about all
other databases on the server. It stores structure information such as databases
(schemas), tables, columns, data types, constraints, indexes and privileges.
The tables table stores metadata about every table in every database on the server.
We query this table to get the list of all tables in a given database, as shown below.
0 UNION SELECT 1,2,group_concat(table_name) FROM information_schema.tables WHERE table_schema = 'sqli_one'
GROUP_CONCAT() is an aggregate SQL function that combines multiple row values into a single
string.
In simple words:
It turns many rows into one line.
Using the query above, you get the names of all tables in the database sqli_one.
We get article and staff_users as tables. On inspection, staff_users is the probable table
where login information is stored.
3. Getting column names of table
Once we know the table name, we now want to know column names. The columns table in
information_schema is a system table that stores metadata about every column in every table
across all databases on the server.
Simply put:
It’s the blueprint of every table column.
We use the query below to get all column names in the staff_users table.
0 UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name = 'staff_users'
From the query results, we can see that the staff_users table has three columns — id, password, and username.
4. Getting table data
Now that we have all the details, we retrieve the actual data using the query below:
0 UNION SELECT 1,2,group_concat(username,':',password SEPARATOR '<br>') FROM staff_users
What it does:
- Takes every row in staff_users
- Combines username and password with :
- Separates each user with an HTML <br> line break
5. Get Flag
We can clearly see the password for martin. Entering martin's password gives us the
flag.
Task 6: Blind SQLi — Authentication Bypass
Q1. What is the flag after completing level two? (and moving to level 3)
A1. THM{SQL_INJECTION_9581}
Explanation
Authentication bypass uses Blind SQL Injection to log in without knowing valid credentials.
The goal isn't to extract data, but to force the database to return true.
Login forms typically check whether a given username–password pair exists in the database as
shown in the query below. If the query evaluates to true, access is granted.
SELECT * FROM users
WHERE username='%username%' AND password='%password%'
LIMIT 1;
By entering the following into the password field:
' OR 1=1;--
The query becomes:
SELECT * FROM users
WHERE username='' AND password='' OR 1=1;
So, leaving the username field blank and entering ' OR 1=1;-- in the password field bypasses the login.
Task 7: Blind SQLi — Boolean Based
Q. What is the flag after completing level three?
A. THM{SQL_INJECTION_1093}
Explanation
Boolean-based SQL injection relies on binary responses (true/false, yes/no, taken/not taken)
to infer information. Even with limited feedback, attackers can fully enumerate a database by
crafting queries that return true only when a condition is correct.
In the example we have an endpoint that checks username availability and returns
true/false, as can be seen in the figure.
We change the username to admin123 so the original query returns false. This is combined
with our SQL injection query using UNION. When the injected query evaluates to true, the
overall result is true.
Steps
a. Find number of columns
We have to try different numbers of columns until a true response is received. After a
few trials we get a true response at 3 columns.
admin123' UNION SELECT 1;--
admin123' UNION SELECT 1,2;--
admin123' UNION SELECT 1,2,3;--
b. Enumerate database name
We again have to use trial and error to get the database name. This is done by checking each
character, as shown.
admin123' UNION SELECT 1,2,3 WHERE database() LIKE 's%';--
Iterating characters reveals the database name: sqli_three.
c. Enumerate table names
A trial-and-error method is followed for table names, as shown.
admin123' UNION SELECT 1,2,3
FROM information_schema.tables
WHERE table_schema='sqli_three' AND table_name='users';--
Iterating characters reveals the table name: ‘users’.
d. Enumerate column names
A trial-and-error method is followed for column names, as shown.
admin123' UNION SELECT 1,2,3
FROM information_schema.columns
WHERE table_schema='sqli_three'
AND table_name='users';
Columns found: id, username, password.
e. Extract username and password.
Username:
admin123' UNION SELECT 1,2,3 FROM users WHERE username LIKE 'a%';--
Password
admin123' UNION SELECT 1,2,3 FROM users
WHERE username='admin' AND password LIKE '3%';--
Final credentials: admin / 3845
Upon entering username and password we get the flag.
Task 8: Blind SQLi — Time Based
Q. What is the final flag after completing level four?
A. THM{SQL_INJECTION_MASTER}
Explanation
A time-based blind SQL injection works similarly to a boolean-based attack, but instead of
relying on true/false responses, it uses response time as the indicator.
In this case, the application provides no visible feedback to confirm whether a query is
correct or incorrect. Instead, the attacker measures how long the server takes to respond.
If the response is delayed, the injected condition evaluated as true. The delay is triggered
using built-in database functions such as SLEEP(x), typically combined with a UNION SELECT
or conditional statement. The SLEEP() function is executed only when the injected condition
is true, allowing the attacker to infer information based solely on timing differences.
Again we go through the steps listed above: finding the number of columns, then the database
name, the table names, the column names, and finally the username and password.
Database Found = sqli_four
referrer=admin123' UNION SELECT SLEEP(5),2 where database() like 'sqli_four%';--
Table Found = users
referrer=admin123' UNION SELECT SLEEP(5),2 FROM information_schema.tables WHERE table_schema='sqli_four' AND table_name='users';--
Password Found = 4961
referrer=admin123' UNION SELECT SLEEP(5),2 FROM users WHERE username='admin' AND password LIKE '4961';--
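From the defender's side, the payload shapes used in Tasks 5 to 8 (UNION SELECT column probing, information_schema enumeration, the ' OR 1=1 tautology, and SLEEP()-based timing) are all visible in web server access logs once the query string is URL-decoded. The Python script below is an added example, not part of the room or this writeup: it parses constructed Common Log Format lines, decodes each request's query string, and reports which indicators fire. The parameter names (id, username, referrer, q), the /checkuser and /analytics paths, and every log line are assumptions made for the demo; the time_delay pattern also covers BENCHMARK and pg_sleep, a small generalisation beyond the SLEEP() the page shows.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in Common Log Format; none come from the room or a real
# server. Parameter names (id, username, referrer, q) and the /checkuser and /analytics
# paths are assumptions. Each payload is the URL-encoded form of a query shape shown
# in Tasks 5 to 8 of the writeup.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /article?id=0+UNION+SELECT+1,2,'
    'group_concat(table_name)+FROM+information_schema.tables+WHERE+table_schema%3D'
    '%27sqli_one%27 HTTP/1.1" 200 900',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /checkuser?username=admin123%27+UNION'
    '+SELECT+1,2,3+WHERE+database()+LIKE+%27s%25%27;-- HTTP/1.1" 200 40',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /analytics?referrer=admin123%27+UNION'
    '+SELECT+SLEEP(5),2+WHERE+database()+LIKE+%27sqli_four%25%27;-- HTTP/1.1" 200 10',
    '10.0.0.5 - - [01/Jan/2024:10:00:10 +0000] "GET /login?username=&password=%27+OR+1%3D1;--'
    ' HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:11 +0000] "GET /search?q=credit+union+branches HTTP/1.1" 200 2048',
]

# Pulls the request line out of a CLF record: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators keyed by the technique they correspond to in the writeup. Each regex runs
# over the fully URL-decoded query string, so percent-encoding does not hide the payload.
INDICATORS = {
    # Tasks 5 and 7: UNION SELECT column-count probing and data extraction
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
    # Tasks 5 and 7: reading information_schema to enumerate tables and columns
    "schema_enumeration": re.compile(r"\binformation_schema\.", re.IGNORECASE),
    # Task 8: time-based probing. BENCHMARK and pg_sleep are the MySQL and PostgreSQL
    # relatives of SLEEP and are an assumption added beyond what the page shows.
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.IGNORECASE),
    # Task 6: tautology used for authentication bypass
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE),
    # Trailing comment that discards the rest of the original query; weak on its own.
    "comment_terminator": re.compile(r"(--|#)\s*$"),
}

# Indicators strong enough to flag a line by themselves.
STRONG = {"union_select", "schema_enumeration", "time_delay", "tautology"}


def decoded_query(line):
    """Return the URL-decoded query string of a log line, or None if it has no request."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # unquote_plus turns %27 into ', %25 into %, %3D into = and + into a space
    return unquote_plus(urlsplit(match.group("target")).query)


def classify(line):
    """List the indicator names that fire on one log line, in INDICATORS order."""
    query = decoded_query(line)
    if not query:
        return []
    return [name for name, pattern in INDICATORS.items() if pattern.search(query)]


def scan(lines):
    """Return (line_index, indicators) for lines carrying at least one strong indicator.
    comment_terminator alone is ignored because '--' also appears in legitimate input."""
    hits = []
    for index, line in enumerate(lines):
        found = classify(line)
        if STRONG.intersection(found):
            hits.append((index, found))
    return hits


if __name__ == "__main__":
    for index, found in scan(SAMPLE_LOG):
        print(f"line {index}: {', '.join(found)}")
```

Two caveats apply when running this against real logs. Access logs only record the URL, so a login form submitted by POST (the usual case for Task 6) never shows its password field here; request-body logging or a WAF is needed for that. Second, this is a triage filter, not a fix: the last sample line shows why word matching alone is not enough, and the remediation in Task 10 is what actually stops the injection.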
Task 9: Out-of-Band SQLi
Q. Name a protocol beginning with D that can be used to exfiltrate data from a database.
A. DNS
Explanation
Out-of-band (OOB) SQL injection is less common because it requires specific database
features or application logic that can trigger external network requests.
An OOB attack uses two separate channels:
- one to send the injection
- another to receive the results (e.g., HTTP or DNS requests to an attacker-controlled server)
Flow:
- The attacker sends a malicious SQL payload via a vulnerable web request.
- The application executes the payload in a database query.
- The payload forces the database to make an external HTTP/DNS request, leaking data to the attacker.
Task 10: Remediation
Q. Name a method of protecting yourself from an SQL Injection exploit.
A. Prepared Statements
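The following Python script is an added example, not code from the room or this writeup, tying the Task 10 answer back to the login bypass in Task 6. It builds a small in-memory SQLite users table (the two accounts and their plaintext passwords are constructed for the demo; real systems store hashes) and implements the same login query twice: once by string formatting, which is the query shape shown in Task 6, and once as a prepared statement with bound parameters. Running both against the ' OR 1=1;-- payload shows that the formatted version logs the attacker in while the prepared statement treats the payload as an ordinary, non-matching password.

```python
import sqlite3

# Constructed demo data: two accounts with made-up plaintext passwords, mirroring the
# id/username/password layout enumerated in Tasks 5 and 7. Real applications store
# password hashes; plaintext is kept here only to match the room's tables.
SEED_USERS = [("admin", "3845"), ("martin", "demo-password-placeholder")]


def make_db():
    """Create an in-memory SQLite database with a users table (constructed for this demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, the shape shown in Task 6.

    Whatever the user types becomes part of the SQL text, so a quote in the
    password field changes the query's logic. Returns the matched username or None.
    """
    query = (
        "SELECT id, username FROM users "
        f"WHERE username='{username}' AND password='{password}' LIMIT 1"
    )
    row = conn.execute(query).fetchone()
    return row[1] if row else None


def login_safe(conn, username, password):
    """Prepared statement: the SQL text is fixed and the values are bound separately.

    The driver hands the payload to the database as data, never as SQL, so
    ' OR 1=1;-- is simply compared against the stored password and fails.
    """
    query = "SELECT id, username FROM users WHERE username=? AND password=? LIMIT 1"
    row = conn.execute(query, (username, password)).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1;--"  # the Task 6 bypass payload, placed in the password field
    print("formatted query, bypass payload:", login_vulnerable(db, "", payload))
    print("prepared statement, bypass payload:", login_safe(db, "", payload))
    print("prepared statement, real credentials:", login_safe(db, "admin", "3845"))
```

With the formatted query, the effective SQL becomes `... WHERE username='' AND password='' OR 1=1;--' LIMIT 1`, so `OR 1=1` makes the WHERE clause true for every row and the first user comes back. The prepared statement keeps the parser from ever seeing the attacker's quote, which is why it is the standard remediation regardless of what input filtering sits in front of it.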