# Tactical Fuzzing - SQLi

## SQL Injection

Core Idea: Does the page look like it might need to call on stored data?

There are SQLi polyglots that work regardless of the quoting context, e.g. this one by Mathias Karlsson:

```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```

It works in single-quote context, in double-quote context, and in "straight into query" (unquoted) context: in the quoted contexts the payload's quotes pair up with the application's own so the remainder becomes a harmless string literal, and when injected bare the `/* ... */` comment swallows the rest.
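To see why one payload survives all three contexts, the added example below (not from the original page) splices the polyglot into three hypothetical query templates and executes them against an in-memory SQLite table, then runs the same value through a parameterised query. SQLite has no `SLEEP()` function, so the visible effect of the injected payload is an engine error rather than a delay; the point is that the spliced string is parsed as SQL, while the bound parameter is treated purely as data. The `products` table, the templates and the function names are all constructed for this demonstration.

```python
import sqlite3

# The polyglot quoted on this page (Mathias Karlsson).
POLYGLOT = "SLEEP(1) /*' or SLEEP(1) or '\" or SLEEP(1) or \"*/"

# Hypothetical query templates, one per quoting context the polyglot targets.
# Constructed for this example; not taken from any real application.
TEMPLATES = {
    "single_quote": "SELECT name FROM products WHERE name = '{}'",
    "double_quote": 'SELECT name FROM products WHERE name = "{}"',
    "unquoted": "SELECT name FROM products WHERE id = {}",
}


def splice(template: str, value: str) -> str:
    """Build the SQL the way a vulnerable app does: by string formatting."""
    return template.format(value)


def _fresh_db() -> sqlite3.Connection:
    """Small in-memory table so the queries have something to run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (id, name) VALUES (?, ?)",
        [(1, "widget"), (2, "gadget")],
    )
    return conn


def run_unsafe(context: str, value: str) -> str:
    """Execute the spliced query.  Returns 'ok' or the engine's error text.

    SQLite has no SLEEP(), so an error here shows the payload reached the
    SQL parser as code.  On MySQL the same query would instead pause.
    """
    conn = _fresh_db()
    try:
        conn.execute(splice(TEMPLATES[context], value)).fetchall()
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    finally:
        conn.close()


def run_safe(value: str) -> list:
    """Parameterised version: the value is bound as data, never parsed as SQL."""
    conn = _fresh_db()
    try:
        return conn.execute(
            "SELECT name FROM products WHERE name = ?", (value,)
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for ctx in TEMPLATES:
        print(f"[{ctx}] {splice(TEMPLATES[ctx], POLYGLOT)}")
        print(f"    unsafe -> {run_unsafe(ctx, POLYGLOT)}")
    print(f"parameterised -> {run_safe(POLYGLOT)}")
```

Running it prints the three spliced queries; each fails with an SQLite error mentioning `SLEEP`, which is exactly the symptom (structure changed, database function invoked) that a time-based probe relies on, whereas the parameterised lookup simply returns no rows.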

You can also leverage the large collection of fuzz lists from SecLists.

## SQL Injection Observations

Blind is predominant; error-based is highly unlikely.

```sql
'%2Bbenchmark(3200,SHA1(1))%2B'
'+BENCHMARK(40000000,SHA1(1337))+'
```
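Because blind, time-based probing like the `BENCHMARK`/`SLEEP` payloads above leaves no error in the application response, the place to spot it is the request log. The added example below (not part of the original page) parses Common Log Format lines, URL-decodes the request path the way the backend would, and flags time-delay primitives; it covers MySQL's `SLEEP`/`BENCHMARK` from this page plus the PostgreSQL `pg_sleep` and MSSQL `WAITFOR DELAY` equivalents. The log lines, IP addresses and paths are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=1'%2Bbenchmark(3200,SHA1(1))%2B' HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1'+BENCHMARK(40000000,SHA1(1337))+' HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /search?q=SLEEP(1)%20%2F*'%20or%20SLEEP(1)%20or%20'%22%20or%20SLEEP(1)%20or%20%22*%2F HTTP/1.1" 500 128
"""

# ip, ident, user, [timestamp], "METHOD path PROTO", status
CLF_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Time-delay primitives: MySQL SLEEP/BENCHMARK (from the page) plus the
# PostgreSQL and MSSQL equivalents.  Case-insensitive; the "(" anchors the
# function-style ones so ordinary words like "sleep" in a path are not hits.
DELAY_FN = re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|\b(waitfor\s+delay)\b")


def scan_log(text: str) -> list:
    """Return one finding per log line whose decoded path contains a delay primitive."""
    findings = []
    for line in text.splitlines():
        m = CLF_LINE.match(line)
        if not m:
            continue
        # Decode like the application would: %XX escapes and '+' as space.
        decoded = unquote_plus(m["path"])
        hit = DELAY_FN.search(decoded)
        if hit:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": m["path"],
                "decoded": decoded,
                "indicator": (hit.group(1) or hit.group(2)).lower(),
            })
    return findings


def sources(findings: list) -> Counter:
    """Count findings per client address, which is what you would alert on."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f["ts"]} {f["ip"]} {f["indicator"]:<10} {f["decoded"]}')
    print("by source:", dict(sources(hits)))
```

Decoding before matching matters: the first sample line only reveals `benchmark(` after `%2B` is turned back into `+`, and the polyglot line is almost entirely percent-encoded. Note also that the probes return 200 just like the legitimate request, so status code alone would never surface them.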

SQLMap is king!

- Use `-l` to parse a Burp log file.
- Use tamper scripts for blacklists.
- The SQLiPy Burp plugin works well to instrument SQLMap quickly.

Lots of injection in web services!

## Best SQL injection resources

- MySQL:

- MSSQL:

- ORACLE:

- POSTGRESQL:

- Others

tbhm/06_sqli.1778746728.txt.gz · Last modified: by drew
