Tactical Fuzzing - SQLi

Core Idea: Does the page look like it might need to call on stored data?

There exist some SQLi polyglots, i.e (Mathias Karlsson):

SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

Works in single quote context, works in double quote context, works in “straight into query” context!

You can also leverage the large database of fuzzlists from Seclists (https://github.com/danielmiessler/SecLists)

Blind is predominant, Error based is highly unlikely.

'%2Bbenchmark(3200,SHA1(1))%2B'

'+BENCHMARK(40000000,SHA1(1337))+'

SQLMap is king!

• Use -l to parse a Burp log file.
• Use Tamper Scripts for blacklists.
• SQLiPy Burp plugin works well to instrument SQLmap quickly.

Lots of injection in web services!

• MySQL:
• PentestMonkey's mySQL injection cheat sheet
• Reiners mySQL injection Filter Evasion Cheatsheet
• MSSQL:
• EvilSQL's Error/Union/Blind MSSQL Cheatsheet
• PentestMonkey's MSSQL SQLi injection Cheat Sheet
• ORACLE:
• PentestMonkey's Oracle SQLi Cheatsheet
• POSTGRESQL:
• PentestMonkey's Postgres SQLi Cheatsheet
• Others
• Access SQLi Cheatsheet
• PentestMonkey's Ingres SQL Injection Cheat Sheet
• Pentestmonkey's DB2 SQL Injection Cheat Sheet
• Pentestmonkey's Informix SQL Injection Cheat Sheet
• SQLite3 Injection Cheat sheet
• Ruby on Rails (Active Record) SQL Injection Guide

Time-based detection payloads:

' or sleep(15) and 1=1#
' or sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'

Polyglot (jhaddix):

"SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

• Legacy features and old code = most vulnerable targets
• Test both GET and POST – one method may be unprotected
• Web services/APIs especially vulnerable
• sqlmap -l burp.log –tamper=space2comment to parse Burp logs

• Full Zseano SQLi Guide