SQL Injection (error + blind)
Critical impact. If this is found on your site, treat it as urgent. It can lead to real damage and is worth fixing before anything else.
What it is
User input reaches a SQL query unsanitized. It is tested with a battery of error-based, boolean-based, and time-based payloads across MySQL, PostgreSQL, MSSQL, and Oracle, then confirmed differentially. It leads to full database compromise.
How attackers abuse it
An attacker slips database commands into a form field or URL. The database runs them, so they can read every table (users, passwords, payments), change data, or wipe it. This is one of the most damaging bugs on the web.
Attacker playbook
1. Find an input that reaches the database (a search box, a login, an id in the URL).
2. Inject a payload that breaks the query and watch for an error or a change in the response.
3. Use that foothold to dump tables, bypass the login, or extract the database version and data.
How VibeSec detects and confirms it
VibeSec tests for this with an active scan, which runs only on targets you confirm you own or are authorized to test. We detect and confirm it using VibeSec native, sqlmap, OWASP ZAP, Wapiti and Nuclei. When a payload actually proves the issue, it is reported as a confirmed finding rather than a guess.
If this is in your report: how to fix it
- Use parameterized queries (prepared statements). Never build SQL by concatenating user input.
- Use your ORM's safe query methods and avoid raw string queries.
- Give the database account only the permissions it needs, so a leak is contained.
Check your site for this
Run a scan and see whether this affects you, in plain language with copy-paste fixes.