In-band
The attacker receives information over the same channel they used to deliver the attack. For example, the retrieved data is displayed directly on the application page. This is the easiest method to exploit.
Error
Generating a database error to learn more about the database, for example its type and version. This allows the attacker to refine their attack.
Entering a single quote to test for an SQLi vulnerability (?id=') could generate such an error message.
Union
Uses the UNION operator to combine the results of two queries, the application's own and one of the attacker's choice.
For example: ?id=' UNION SELECT username, password FROM users--
This would return all the usernames and passwords from the table 'users'.
The UNION operator does have certain conditions that must be met for it to work properly.
Blind
No data is transferred back in the response, so the results aren't shown in the application itself; the attacker has to infer them from how the application behaves. This is a more difficult route than in-band injection, but just as dangerous.
Boolean
This involves asking the application true-or-false questions and observing how it responds.
For example: ?id=1
Might generate a query of: select title from product where id=1
Sending a known false payload to this application might take the form of:
?id=1 and 1=2
Which would generate a query of:
select title from product where id=1 and 1=2
A true payload could look like:
?id=1 and 1=1
Which would generate a query of:
select title from product where id=1 and 1=1
If these two queries generate different responses, then the application is vulnerable to SQL injection.
Actually leveraging this approach is trickier.
Assume there is a users table that contains a username and password: Administrator / password
It is not possible to return that password directly using this method, but it is possible to go letter by letter, searching for statements that evaluate to true.
Payload: ?id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'a'
Query: select title from product where id=1 and SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) = 'a'
This payload assumes the attacker knows that there is a user called 'Administrator'; the SUBSTRING portion of the attack selects the first character of that password and compares it (true or false) to 'a'. Because the application has been shown to respond differently to true and false queries, this can be used to determine the password one character at a time. This is a brute-force attack and would best be automated.
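The boolean test above, reproduced against a constructed SQLite copy of the product table (an added example, not code from the original notes): the vulnerable lookup concatenates the ?id= value into the query text, so the known-true and known-false payloads return different results, while the parameterized lookup treats the same payloads as a literal value and responds identically to both.

```python
import sqlite3


def setup_db():
    """Constructed in-memory sample data mirroring the tables the notes describe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO product VALUES (1, 'Widget'), (2, 'Gadget');
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('Administrator', 'password');
    """)
    return conn


def vulnerable_lookup(conn, user_id):
    # The defect under discussion: the request parameter is spliced straight into
    # the SQL text, so "1 and 1=2" becomes part of the WHERE clause.
    sql = f"select title from product where id={user_id}"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, user_id):
    # The fix: the value is bound as a parameter, so it can only ever be compared
    # against the id column, never parsed as SQL.
    sql = "select title from product where id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def responds_differently(lookup, conn, true_payload, false_payload):
    # The boolean-blind check from the notes: a known-true and a known-false
    # payload producing different responses indicates the input reaches the query.
    return lookup(conn, true_payload) != lookup(conn, false_payload)


if __name__ == "__main__":
    db = setup_db()
    for name, fn in (("vulnerable", vulnerable_lookup), ("parameterized", safe_lookup)):
        print(name, "differs:", responds_differently(db, "1 and 1=1", "1 and 1=2") if False else responds_differently(fn, db, "1 and 1=1", "1 and 1=2"))
```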
Time
This involves getting the database to pause for a specified amount of time (using a sleep command) before returning the results of a query.
Like the boolean example above, this may take the form of a query about the first letter of the password that waits 10 seconds only if the guess is correct. If the response does take 10 seconds to arrive, the letter being queried was correct.
Out-of-band
This occurs when the attacker gets the database to open a network connection to a system that the attacker controls. It is not particularly common, but a variety of protocols can be used (DNS, HTTP, etc.).
This may take the form of asking the database to make a DNS query for a domain the attacker can monitor. If the query successfully triggers a DNS look-up, then the database is vulnerable.