Methods for detecting SQLi

In order to detect SQLi, we have three methods available:

  • Error based: This method injects payloads that break out of the original query and generate an SQL error on the server, which can be detected in the content of the returned pages:
  • Boolean: This method injects payloads that alter the outcome of the original query, which makes the application return different page content. Basically, we'll identify the size of a valid page versus the size of an invalid page, and then we perform Boolean queries like the one we can see here:

If the first digit of the database version is 5, we get the page with the ID 1008; if not, we get the error page. To recover the exact database version, we automate this query and guess the value at each position of the version string.

  • Time-based: This method injects a payload that triggers a delay in the SQL server while it processes the query. If this delay is long enough and there is no considerable lag in the network, the response time tells us whether the injected query was executed:
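The following is an added example, not code from the original text: it shows the error-based and Boolean-based signals described above against a string-concatenated query, and how a validated, parameterised query removes them. It assumes a hypothetical in-memory SQLite table `pages` with constructed sample rows; the version-digit probe uses SQLite's `sqlite_version()` in place of the MySQL-style version check the text describes, and time-based detection is not shown because SQLite has no delay function.

```python
import sqlite3

# Constructed sample data standing in for the application's backend
# (hypothetical table and rows, not taken from the original text).
SAMPLE_PAGES = [(1008, "Welcome page"), (1009, "About page")]


def make_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def render_vulnerable(conn, page_id):
    """The 'before' case: the parameter is concatenated into the SQL text.
    Returns the page body, a verbose error page, or 'Not found'."""
    sql = f"SELECT body FROM pages WHERE id = {page_id}"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A verbose error page leaks the database error: the error-based signal.
        return f"Error page: {exc}"
    return row[0] if row else "Not found"


def render_hardened(conn, page_id):
    """The fixed case: the parameter is validated as an integer and bound
    with a placeholder, so it can never change the query's structure."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return "Not found"
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else "Not found"


def error_probe(render, conn, payload):
    """Error-based signal: does the response carry a database error?"""
    return render(conn, payload).startswith("Error page")


def boolean_probe(render, conn, true_payload, false_payload):
    """Boolean-based signal: a condition that should be true and one that
    should be false produce different page content only if the database
    actually evaluated the injected condition."""
    return render(conn, true_payload) != render(conn, false_payload)


def first_version_digit(render, conn, valid_id="1008"):
    """The automation step from the text: try each digit for position 1 of
    the version string and keep the one that returns the valid page.
    Returns None when no condition changes the response (the hardened case)."""
    baseline = render(conn, valid_id)
    for digit in "0123456789":
        payload = f"{valid_id} AND substr(sqlite_version(),1,1)='{digit}'"
        if render(conn, payload) == baseline:
            return digit
    return None


if __name__ == "__main__":
    db = make_db()
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, "error-based:", error_probe(render, db, "1008'"))
        print(name, "boolean-based:", boolean_probe(render, db, "1008 AND 1=1", "1008 AND 1=2"))
        print(name, "first version digit:", first_version_digit(render, db))
```

Against the hardened renderer every probe collapses to the same "Not found" response, which is exactly the behaviour a defender wants: the injected condition is never evaluated, so neither the error content nor the page size changes.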