| Next revision | Previous revision |
| tbhm:06_sqli [2026/05/14 09:18] – TBHM import drew | tbhm:06_sqli [2026/05/14 09:59] (current) – integrate zseano methodology drew |
|---|---|
| # Tactical Fuzzing - SQLi | ====== Tactical Fuzzing - SQLi ====== |
| |
| ## SQL Injection | ===== SQL Injection ===== |
| |
| Core Idea: Does the page look like it might need to call on stored data? | Core Idea: Does the page look like it might need to call on stored data? |
| Works in single quote context, works in double quote context, works in "straight into query" context! | Works in single quote context, works in double quote context, works in "straight into query" context! |
| |
| You can also leverage the large database of fuzzlists from [[https://github.com/danielmiessler/SecLists|Seclists]] | You can also leverage the large database of fuzzlists from Seclists (https://github.com/danielmiessler/SecLists) |
| |
| ## SQL Injection Observations | ===== SQL Injection Observations ===== |
| Blind is predominant, Error based is highly unlikely. | Blind is predominant, Error based is highly unlikely. |
| |
| |
| SQLMap is king! | SQLMap is king! |
| - Use -l to parse a Burp log file. | * Use -l to parse a Burp log file. |
| - Use Tamper Scripts for blacklists. | * Use Tamper Scripts for blacklists. |
| - SQLiPy Burp plugin works well to instrument SQLmap quickly. | * SQLiPy Burp plugin works well to instrument SQLmap quickly. |
| Lots of injection in web services! | Lots of injection in web services! |
| |
| ## Best SQL injection resources | ===== Best SQL injection resources ===== |
| |
| - MySQL: | * MySQL: |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet|PentestMonkey's mySQL injection cheat sheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet|PentestMonkey's mySQL injection cheat sheet]] |
| - [[https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/|Reiners mySQL injection Filter Evasion Cheatsheet]] | * [[https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/|Reiners mySQL injection Filter Evasion Cheatsheet]] |
| - MSSQL: | * MSSQL: |
| - [[http://evilsql.com/main/page2.php|EvilSQL's Error/Union/Blind MSSQL Cheatsheet]] | * [[http://evilsql.com/main/page2.php|EvilSQL's Error/Union/Blind MSSQL Cheatsheet]] |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet|PentestMonkey's MSSQL SQLi injection Cheat Sheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet|PentestMonkey's MSSQL SQLi injection Cheat Sheet]] |
| - ORACLE: | * ORACLE: |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet|PentestMonkey's Oracle SQLi Cheatsheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet|PentestMonkey's Oracle SQLi Cheatsheet]] |
| - POSTGRESQL: | * POSTGRESQL: |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet|PentestMonkey's Postgres SQLi Cheatsheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet|PentestMonkey's Postgres SQLi Cheatsheet]] |
| - Others | * Others |
| - [[http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html|Access SQLi Cheatsheet]] | * [[http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html|Access SQLi Cheatsheet]] |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet|PentestMonkey's Ingres SQL Injection Cheat Sheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet|PentestMonkey's Ingres SQL Injection Cheat Sheet]] |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet|Pentestmonkey's DB2 SQL Injection Cheat Sheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet|Pentestmonkey's DB2 SQL Injection Cheat Sheet]] |
| - [[http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet|Pentestmonkey's Informix SQL Injection Cheat Sheet]] | * [[http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet|Pentestmonkey's Informix SQL Injection Cheat Sheet]] |
| - [[https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet|SQLite3 Injection Cheat sheet]] | * [[https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet|SQLite3 Injection Cheat sheet]] |
| - [[http://rails-sqli.org/|Ruby on Rails (Active Record) SQL Injection Guide]] | * [[http://rails-sqli.org/|Ruby on Rails (Active Record) SQL Injection Guide]] |
| | |
| | |
| | |
| | ===== Zseano/Drew SQLi Additions ===== |
| | |
| | **Time-based detection payloads:** |
| | <code> |
| | ' or sleep(15) and 1=1# |
| | ' or sleep(15)# |
| | ' union select sleep(15),null# |
| | '%2Bbenchmark(3200,SHA1(1))%2B' |
| | </code> |
| | |
| | **Polyglot (jhaddix):** |
| | <code> |
| | "SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/ |
| | </code> |
| | |
| | * Legacy features and old code = most vulnerable targets |
| | * Test both GET and POST -- one method may be unprotected |
| | * Web services/APIs especially vulnerable |
| | * ''sqlmap -l burp.log --tamper=space2comment'' to parse Burp logs |
| | |
| | * [[zseano:sqli|Full Zseano SQLi Guide]] |
| |
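Review bot: the Seclists reference lost its link markup in the syntax conversion: the new revision renders it as plain text `Seclists (https://github.com/danielmiessler/SecLists)` while every other link on the page (PentestMonkey, Reiners, EvilSQL and the rest of the resource list) was converted to DokuWiki `[[url|label]]` form. Suggest `[[https://github.com/danielmiessler/SecLists|Seclists]]` so the reference stays clickable and consistent with the list below it.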
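Review bot: the sqlmap bullet in the additions conflates two unrelated options: `-l burp.log` is what parses a Burp proxy log, while `--tamper=space2comment` is a filter-evasion tamper script that has nothing to do with log parsing, yet the bullet text only says "to parse Burp logs". Either drop the tamper argument from that line or say what it is for and point at the "Use Tamper Scripts for blacklists" bullet above. In the time-based block, the fourth payload is URL-encoded (`%2B` for `+`) while the first three are not, so a reader pasting all four into the same place gets different results; mark the encoding or present them consistently. The block also never says which DBMS each payload targets (`sleep()` and `benchmark()` are MySQL functions, which matters on a page organised by DBMS cheat sheet), and a 15-second sleep evaluated per matching row can hold a production database far longer than the nominal delay, which deserves a caveat next to the payloads.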