> ## Documentation Index
> Fetch the complete documentation index at: https://rootea.es/llms.txt
> Use this file to discover all available pages before exploring further.

# SQL Injection

> Recursos cross-platform para SQL Injection: máquinas HTB, labs PortSwigger y rooms TryHackMe curados, con writeups validados y skills relacionadas.

# SQL Injection

Esta página agrega los **recursos para practicar SQL Injection** de forma cross-platform: máquinas retiradas de Hack The Box, labs de PortSwigger Web Security Academy y rooms de TryHackMe, más recursos curados (HackTricks, PortSwigger, etc.) y skills relacionadas.

## Recursos curados

| Fuente      | Enlace                                                                                                                                             |
| ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| HackTricks  | [https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html](https://book.hacktricks.wiki/en/pentesting-web/sql-injection/index.html) |
| PortSwigger | [https://portswigger.net/web-security/sql-injection](https://portswigger.net/web-security/sql-injection)                                           |

## Máquinas HTB que practican SQL Injection (36)

| Máquina                                                  | SO      | Dificultad                                           |
| -------------------------------------------------------- | ------- | ---------------------------------------------------- |
| [Altered](/htb/machines/linux/dificil/altered)           | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Bankrobber](/htb/machines/windows/insano/bankrobber)    | Windows | <span className="dbadge dbadge-insane">INSANE</span> |
| [Bastard](/htb/machines/windows/medio/bastard)           | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Breadcrumbs](/htb/machines/windows/dificil/breadcrumbs) | Windows | <span className="dbadge dbadge-hard">HARD</span>     |
| [Cache](/htb/machines/linux/medio/cache)                 | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Cascade](/htb/machines/windows/medio/cascade)           | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Catch](/htb/machines/linux/medio/catch)                 | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Charon](/htb/machines/linux/dificil/charon)             | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Control](/htb/machines/windows/dificil/control)         | Windows | <span className="dbadge dbadge-hard">HARD</span>     |
| [Cronos](/htb/machines/linux/medio/cronos)               | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [EarlyAccess](/htb/machines/linux/dificil/earlyaccess)   | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Enterprise](/htb/machines/linux/medio/enterprise)       | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Europa](/htb/machines/linux/medio/europa)               | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Falafel](/htb/machines/linux/dificil/falafel)           | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Fighter](/htb/machines/windows/insano/fighter)          | Windows | <span className="dbadge dbadge-insane">INSANE</span> |
| [Flujab](/htb/machines/linux/dificil/flujab)             | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Giddy](/htb/machines/windows/medio/giddy)               | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [GoodGames](/htb/machines/linux/facil/goodgames)         | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Holiday](/htb/machines/linux/dificil/holiday)           | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Mango](/htb/machines/linux/medio/mango)                 | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [MultiMaster](/htb/machines/windows/insano/multimaster)  | Windows | <span className="dbadge dbadge-insane">INSANE</span> |
| [Nightmare](/htb/machines/linux/insano/nightmare)        | Linux   | <span className="dbadge dbadge-insane">INSANE</span> |
| [NodeBlog](/htb/machines/linux/facil/nodeblog)           | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Overflow](/htb/machines/linux/dificil/overflow)         | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [OverGraph](/htb/machines/linux/dificil/overgraph)       | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Oz](/htb/machines/linux/dificil/oz)                     | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Pandora](/htb/machines/linux/facil/pandora)             | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Phoenix](/htb/machines/linux/dificil/phoenix)           | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [Scavenger](/htb/machines/linux/dificil/scavenger)       | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |
| [SecNotes](/htb/machines/windows/medio/secnotes)         | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [StreamIO](/htb/machines/windows/medio/streamio)         | Windows | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Toolbox](/htb/machines/windows/facil/toolbox)           | Windows | <span className="dbadge dbadge-easy">EASY</span>     |
| [Union](/htb/machines/linux/medio/union)                 | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Validation](/htb/machines/linux/facil/validation)       | Linux   | <span className="dbadge dbadge-easy">EASY</span>     |
| [Writer](/htb/machines/linux/medio/writer)               | Linux   | <span className="dbadge dbadge-medium">MEDIUM</span> |
| [Zetta](/htb/machines/linux/dificil/zetta)               | Linux   | <span className="dbadge dbadge-hard">HARD</span>     |

## Labs PortSwigger que practican SQL Injection (22)

| Lab                                                                                                                                                                                     | Dificultad                                                 | Topic           | Oficial                                                                                                                          |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| [Detecting NoSQL injection](/portswigger/labs/nosql-injection/nosql-injection-detection)                                                                                                | <span className="dbadge dbadge-easy">APPRENTICE</span>     | NoSQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-detection)                                      |
| [Exploiting NoSQL operator injection to bypass authentication](/portswigger/labs/nosql-injection/nosql-injection-bypass-authentication)                                                 | <span className="dbadge dbadge-easy">APPRENTICE</span>     | NoSQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-bypass-authentication)                          |
| [SQL injection vulnerability allowing login bypass](/portswigger/labs/sql-injection/login-bypass)                                                                                       | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/lab-login-bypass)                                                     |
| [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](/portswigger/labs/sql-injection/retrieve-hidden-data)                                                   | <span className="dbadge dbadge-easy">APPRENTICE</span>     | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)                                             |
| [Blind SQL injection with conditional errors](/portswigger/labs/sql-injection/blind-conditional-errors)                                                                                 | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors)                                         |
| [Blind SQL injection with conditional responses](/portswigger/labs/sql-injection/blind-conditional-responses)                                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses)                                      |
| [Blind SQL injection with out-of-band data exfiltration](/portswigger/labs/sql-injection/blind-out-of-band-data-exfiltration)                                                           | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band-data-exfiltration)                              |
| [Blind SQL injection with out-of-band interaction](/portswigger/labs/sql-injection/blind-out-of-band)                                                                                   | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-out-of-band)                                                |
| [Blind SQL injection with time delays](/portswigger/labs/sql-injection/blind-time-delays)                                                                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays)                                                |
| [Blind SQL injection with time delays and information retrieval](/portswigger/labs/sql-injection/blind-time-delays-info-retrieval)                                                      | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-time-delays-info-retrieval)                                 |
| [Exploiting NoSQL injection to extract data](/portswigger/labs/nosql-injection/nosql-injection-extract-data)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | NoSQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-data)                                   |
| [Exploiting NoSQL operator injection to extract unknown fields](/portswigger/labs/nosql-injection/nosql-injection-extract-unknown-fields)                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | NoSQL Injection | [Abrir](https://portswigger.net/web-security/nosql-injection/lab-nosql-injection-extract-unknown-fields)                         |
| [SQL injection attack, listing the database contents on non-Oracle databases](/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-non-oracle)              | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle)      |
| [SQL injection attack, listing the database contents on Oracle](/portswigger/labs/sql-injection/examining-the-database-listing-database-contents-oracle)                                | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle)          |
| [SQL injection attack, querying the database type and version on MySQL and Microsoft](/portswigger/labs/sql-injection/examining-the-database-querying-database-version-mysql-microsoft) | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft) |
| [SQL injection attack, querying the database type and version on Oracle](/portswigger/labs/sql-injection/examining-the-database-querying-database-version-oracle)                       | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle)          |
| [SQL injection UNION attack, determining the number of columns returned by the query](/portswigger/labs/sql-injection/union-attacks-determine-number-of-columns)                        | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns)                        |
| [SQL injection UNION attack, finding a column containing text](/portswigger/labs/sql-injection/union-attacks-find-column-containing-text)                                               | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text)                        |
| [SQL injection UNION attack, retrieving data from other tables](/portswigger/labs/sql-injection/union-attacks-retrieve-data-from-other-tables)                                          | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables)                    |
| [SQL injection UNION attack, retrieving multiple values in a single column](/portswigger/labs/sql-injection/union-attacks-retrieve-multiple-values-in-single-column)                    | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column)          |
| [SQL injection with filter bypass via XML encoding](/portswigger/labs/sql-injection/sql-injection-with-filter-bypass-via-xml-encoding)                                                  | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)                |
| [Visible error-based SQL injection](/portswigger/labs/sql-injection/blind-sql-injection-visible-error-based)                                                                            | <span className="dbadge dbadge-medium">PRACTITIONER</span> | SQL Injection   | [Abrir](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based)                          |

## Rooms TryHackMe que practican SQL Injection (20)

| Room                                                                | Dificultad                                         | Tipo        | Acceso  | Oficial                                                    |
| ------------------------------------------------------------------- | -------------------------------------------------- | ----------- | ------- | ---------------------------------------------------------- |
| [25 Days of Cyber Security](/tryhackme/rooms/learncyberin25days)    | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/learncyberin25days)     |
| [Advent of Cyber 2 \[2020\]](/tryhackme/rooms/adventofcyber2)       | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/adventofcyber2)         |
| [Advent of Cyber 2022](/tryhackme/rooms/adventofcyber4)             | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/adventofcyber4)         |
| [Advent of Cyber 3 (2021)](/tryhackme/rooms/adventofcyber3)         | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/adventofcyber3)         |
| [Avengers Blog](/tryhackme/rooms/avengers)                          | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🔵 VIP  | [Abrir](https://tryhackme.com/room/avengers)               |
| [Custom Tooling Using Python](/tryhackme/rooms/customtoolingpython) | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/customtoolingpython)    |
| [NoSQL Injection](/tryhackme/rooms/nosqlinjectiontutorial)          | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/nosqlinjectiontutorial) |
| [OWASP Juice Shop](/tryhackme/rooms/owaspjuiceshop)                 | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/owaspjuiceshop)         |
| [Simple CTF](/tryhackme/rooms/easyctf)                              | <span className="dbadge dbadge-easy">EASY</span>   | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/easyctf)                |
| [SQLMap: The Basics](/tryhackme/rooms/sqlmapthebasics)              | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🔵 VIP  | [Abrir](https://tryhackme.com/room/sqlmapthebasics)        |
| [WAF: Introduction](/tryhackme/rooms/wafintroduction)               | <span className="dbadge dbadge-easy">EASY</span>   | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/wafintroduction)        |
| [Advanced SQL Injection](/tryhackme/rooms/advancedsqlinjection)     | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/advancedsqlinjection)   |
| [CTF collection Vol.2](/tryhackme/rooms/ctfcollectionvol2)          | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/ctfcollectionvol2)      |
| [Prioritise](/tryhackme/rooms/prioritise)                           | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/prioritise)             |
| [SQHell](/tryhackme/rooms/sqhell)                                   | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/sqhell)                 |
| [SQL Injection](/tryhackme/rooms/sqlinjectionlm)                    | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/sqlinjectionlm)         |
| [TryHack3M: Sch3Ma D3Mon](/tryhackme/rooms/sch3mad3mon)             | <span className="dbadge dbadge-easy">MEDIUM</span> | Walkthrough | 🟢 Free | [Abrir](https://tryhackme.com/room/sch3mad3mon)            |
| [Wekor](/tryhackme/rooms/wekorra)                                   | <span className="dbadge dbadge-easy">MEDIUM</span> | Challenge   | 🟢 Free | [Abrir](https://tryhackme.com/room/wekorra)                |
| [Daily Bugle](/tryhackme/rooms/dailybugle)                          | <span className="dbadge dbadge-easy">HARD</span>   | Challenge   | 🔵 VIP  | [Abrir](https://tryhackme.com/room/dailybugle)             |
| [Sequel Dump](/tryhackme/rooms/hfb1sequeldump)                      | <span className="dbadge dbadge-easy">HARD</span>   | Challenge   | 🔵 VIP  | [Abrir](https://tryhackme.com/room/hfb1sequeldump)         |

## Skills relacionadas

* [/skills/rce](/skills/rce)
* [/skills/xss](/skills/xss)

***

← [Volver al glosario completo](/glosario)

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"DefinedTerm","name":"SQL Injection","termCode":"sqli","inLanguage":"es","url":"https://rootea.es/skills/sqli","inDefinedTermSet":{"@type":"DefinedTermSet","name":"Glosario táctico de pentesting","url":"https://rootea.es/glosario"}}`}
</script>

<script type="application/ld+json">
  {`{"@context":"https://schema.org","@type":"ItemList","name":"Máquinas HTB que practican SQL Injection","numberOfItems":36,"itemListElement":[{"@type":"ListItem","position":1,"url":"https://rootea.es/htb/machines/linux/dificil/altered","name":"Altered"},{"@type":"ListItem","position":2,"url":"https://rootea.es/htb/machines/windows/insano/bankrobber","name":"Bankrobber"},{"@type":"ListItem","position":3,"url":"https://rootea.es/htb/machines/windows/medio/bastard","name":"Bastard"},{"@type":"ListItem","position":4,"url":"https://rootea.es/htb/machines/windows/dificil/breadcrumbs","name":"Breadcrumbs"},{"@type":"ListItem","position":5,"url":"https://rootea.es/htb/machines/linux/medio/cache","name":"Cache"},{"@type":"ListItem","position":6,"url":"https://rootea.es/htb/machines/windows/medio/cascade","name":"Cascade"},{"@type":"ListItem","position":7,"url":"https://rootea.es/htb/machines/linux/medio/catch","name":"Catch"},{"@type":"ListItem","position":8,"url":"https://rootea.es/htb/machines/linux/dificil/charon","name":"Charon"},{"@type":"ListItem","position":9,"url":"https://rootea.es/htb/machines/windows/dificil/control","name":"Control"},{"@type":"ListItem","position":10,"url":"https://rootea.es/htb/machines/linux/medio/cronos","name":"Cronos"},{"@type":"ListItem","position":11,"url":"https://rootea.es/htb/machines/linux/dificil/earlyaccess","name":"EarlyAccess"},{"@type":"ListItem","position":12,"url":"https://rootea.es/htb/machines/linux/medio/enterprise","name":"Enterprise"},{"@type":"ListItem","position":13,"url":"https://rootea.es/htb/machines/linux/medio/europa","name":"Europa"},{"@type":"ListItem","position":14,"url":"https://rootea.es/htb/machines/linux/dificil/falafel","name":"Falafel"},{"@type":"ListItem","position":15,"url":"https://rootea.es/htb/machines/windows/insano/fighter","name":"Fighter"},{"@type":"ListItem","position":16,"url":"https://rootea.es/htb/machines/linux/dificil/flujab","name":"Flujab"},{"@type":"ListItem","position":17,"url":"https://rootea.es/htb/machines/windows/medio/giddy","name":"Giddy"},{"@type":"ListItem","position":18,"url":"https://rootea.es/htb/machines/linux/facil/goodgames","name":"GoodGames"},{"@type":"ListItem","position":19,"url":"https://rootea.es/htb/machines/linux/dificil/holiday","name":"Holiday"},{"@type":"ListItem","position":20,"url":"https://rootea.es/htb/machines/linux/medio/mango","name":"Mango"},{"@type":"ListItem","position":21,"url":"https://rootea.es/htb/machines/windows/insano/multimaster","name":"MultiMaster"},{"@type":"ListItem","position":22,"url":"https://rootea.es/htb/machines/linux/insano/nightmare","name":"Nightmare"},{"@type":"ListItem","position":23,"url":"https://rootea.es/htb/machines/linux/facil/nodeblog","name":"NodeBlog"},{"@type":"ListItem","position":24,"url":"https://rootea.es/htb/machines/linux/dificil/overflow","name":"Overflow"},{"@type":"ListItem","position":25,"url":"https://rootea.es/htb/machines/linux/dificil/overgraph","name":"OverGraph"}]}`}
</script>

*Última actualización: 2026-05-09*
