SQL Injection

Check List

Methodology

Black Box

Change table parameters

1

Log in to the site and look for mechanisms such as calculators or mechanisms that allow you to enter image sizes, etc., or data

2

Trace the request using Burp Suite and check whether values ​​are sent to the server with the POST method and JSON data by changing the numbers and sizes

3

Inject a quote mark (unitWeight=10') into a parameter and submit the request, and check if you get any errors from the server side, such as 500 Internal Server Error

4

The next step is to check whether this error is returned by adding another single quote to the parameter (unitWeight=10'')

5

Then use timebase payload injection for SQL like 'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z to check if the server is responding to you with a delay

6

If the server responds to you with a delay of 10 seconds, it means the server is vulnerable

7

Inspect cookies by modifying their values with SQL payloads (cookie=value' OR 1=1), checking if the server responds differently or exposes sensitive data

Cookie Parameter

1

Intercept browser traffic with a proxy Burp Suite

2

Load the target page so the relevant GET/POST request appears in the proxy

3

Send the request to Repeater (or an editor)

4

Locate the Cookie: header and identify parameters ( lang=...)

5

Modify the suspicious cookie value to a single quote ' and send the request

6

Check the server response for SQL errors or 500/DB-syntax messages

7

To confirm, change the value to a second quote ('') or otherwise balance the quote and resend; if the error disappears, this further indicates SQLi

8

(Optional verification) Inject a time-based payload compatible with the backend (IF(1=1,SLEEP(5),0)) into the cookie and measure response delay

9

If the server responds to you with 5 seconds of delay, it means it is vulnerable

Time-Based

1

Identify input fields or parameters in the target application, such as URL query strings (id=) or form inputs, that may interact with a database, focusing on features like search, deletion, or data retrieval endpoints

2

Intercept HTTP requests using a proxy tool (Burp Suite) to capture parameters like id or username, analyzing how they are sent to the server for database queries

3

Test for SQL injection by injecting a single quote (id=187') into the parameter and sending the request, observing for server errors (500 Internal Server Error) that indicate unhandled SQL syntax

4

Confirm the absence of verbose error messages in the response, noting generic error pages or no data leakage, suggesting a potential blind SQL injection vulnerability

5

Inject a time-based payload (id=187 AND SLEEP(5)) to test for a delay in the server response, confirming time-based SQL injection if the response is delayed by the specified time (5 seconds)

6

Verify the delay by sending a non-sleeping payload (id=187 AND 1=1) and comparing response times to ensure the delay is due to the SLEEP command execution

7

Test for boolean-based conditions using payloads like id=187 AND IF(1=1,SLEEP(5),0), checking for a delay when the condition is true and no delay when false (1=2)

8

Extract database metadata by injecting payloads like id=187 AND IF(SUBSTRING(version(),1,1)='5',SLEEP(5),0) to determine the database version character by character, noting delays for true conditions

9

Determine the database name length using payloads like id=187 AND IF(LENGTH(database())=10,SLEEP(5),0), incrementing the length value until a delay confirms the correct length

10

Extract the database name by iterating through each character position with payloads like id=187 AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0), testing all possible characters (a-z, 0-9) and noting delays for correct matches

11

Move to the next character position (SUBSTRING(database(),2,1)='a') after identifying the first character, repeating the process until the full database name is extracted

12

Test for additional metadata, such as table names or column names, using payloads like id=187 AND IF(EXISTS(SELECT table_name FROM information_schema.tables WHERE table_name='users'),SLEEP(5),0)to confirm the presence of specific tables

Referrer Header

1

Referer is another HTTP header which can be vulnerable to SQL injection once the application is storing it in database without sanitizing it. It's an optional header field that allows the client to specify

2

Go to the homepage and trace the request using Burp Suite

3

Then send the request to the Repeater and check the Referrer header using the following payload

GET /index.php HTTP/1.1
Host: [host]
User-Agent: 
Referer: http://www.yaboukir.com' or 1/*
4

Then check if the server shows any strange behavior after injecting the payload into this header

Refresh Token Parameter

1

Log in to the site and complete the authentication process

2

Intercept requests while completing the authentication process using Burp Suite

3

During the authentication completion process, if the site uses the OAuth mechanism, check the requests to see if you see a parameter called refresh_token

4

And if the site uses REST APIs for authentication and sends data in JSON format, look for the refresh_token parameter

5

Test SQL injection payloads by finding this parameter at the specified points to identify the vulnerability, as shown below

POST /api/v1/token HTTP/1.1
Host: tsftp.informatica.com
User-Agent: curl/7.88.1
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Connection: close

{
  "grant_type": "refresh_token",
  "refresh_token": "'; WAITFOR DELAY '0:0:1'--"
}
6

Another example is the refresh_token parameter, which is also used in Oauth

POST /oauth2/token HTTP/1.1
Host: <token-server.example.com>
Content-Type: application/x-www-form-urlencoded
Accept: application/json
Connection: close

grant_type=refresh_token&refresh_token='; WAITFOR DELAY '0:0:1'--&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&scope=<optional_scopes>
7

By injecting this code into this parameter, it may give us an error in response, but we should look at the response time to see if it really takes that long

Fullname Parameter

1

Navigate to the SignUp page of the target website, typically located at a URL like /signup or /register Open https://example.com/signup in the browser

2

Identify the “Full Name” input field in the SignUp form, which is prone to processing user input directly into database queries Find the text box labeled “Full Name” in the form

3

Enter the payload ' OR 1=1 -- into the Full Name field to attempt bypassing the query’s conditions and access unauthorized data Input John' OR 1=1 -- in the Full Name field

4

Click the “Sign Up” button to send the payload to the server via a POST request

5

Look for a generic error (“Invalid input”) or a 400/500 status code, indicating the payload was blocked, or unexpected success, suggesting a vulnerability

6

If a 400/500 error appears, modify the payload to ' OR 1=2 -- and submit again. Compare responses: if ' OR 1=1 -- allows form submission or data access (account creation without valid input) while ' OR 1=2 -- fails, it confirms SQL injection, as the true condition (1=1) altered the query’s logic

X-Forwarded-For Header

1

Log in to the target site and record requests using Burp Suite

2

Identify the X-Forwarded-For header in logged requests

3

Routes that set and use the X-Forwarded-For header on sites and usually store its values ​​in the database : /login /signup /register /logout /user/profile /profile/update /checkout /purchase /cart/checkout /api/* /comments /comment/post /posts /posts/create /sessions /session /password/reset

4

Send the request by going to these routes and then setting this header (or if it already exists) and then examine the server response like the following request

POST /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: close
X-Forwarded-For: 127.0.0.1

username=alice&password=Password123
5

Now, using a simple payload like the one below, we will check this header to see if the server is giving us an unusual or strange response

POST /login HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: close
X-Forwarded-For: 127.0.0.1' OR 1=1 --

username=alice&password=Password123
6

If an error occurs, test a false condition payload like ' OR 1=2 -- and compare

X-Forwarded-For: 127.0.0.1' OR 1=1 -- succeeds (200 OK), but ' OR 1=2 -- errors (500), proving injectable

7

If the attack was successful, we can extract the database version using the following payload

IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0)

Time-based blind

1

Navigate to pages on the target website that display database-driven results, such as search pages, product listings, or user dashboards, often found at URLs like /search, /results, /list, /products, or /dashboard. These pages typically use query parameters for sorting or filtering

2

Look for query parameters controlling sorting or filtering, such as sortBy, order, sort, filter, or column, in the URL or form submissions, as these are often passed directly to SQL queries

3

Modify the identified parameter (sortBy) with a simple time-based payload like 1 AND SLEEP(5) -- to introduce a 5-second delay if the query executes

4

Use a browser or Burp Suite to send the modified request and measure the response time. A ~5-second delay confirms the payload executed in the database

5

Send a non-delaying request with the original parameter value (sortBy=1) or a neutral payload (sortBy=1 AND 1=1 --) to ensure no delay occurs, verifying the injection

6

Inject a payload like 1 AND IF(SUBSTRING(DB_NAME(),1,1)='A',SLEEP(5),0) -- to test if the database name starts with 'A', noting a delay for true conditions. Iterate through characters (A-Z, 0-9) to extract the name

7

Apply the same payload to similar parameters (order, filter) on other database-driven pages (/products, /list) to identify additional injection points

Testing on Author-Like Parameters

1

Go to the points on the target site where you can create a list or a book or a quiz Or for example in the /archive path, And especially pages where we as a user can publish or search for something

2

Locate the authors parameter in the POST request body, used for filtering or querying author-related data, making it a candidate for SQL injection

3

Modify the authors parameter with a time-based payload like Hurlburt'XOR(if(now()=sysdate(),sleep(4),0))OR' to induce a 4-second delay if the query executes

4

And send this request using Burp Suite and check the server response time

5

If the server response time is equal to the time specified in the payload, this parameter is vulnerable

JSON roleid Parameter

1

Navigate to an API endpoint that processes JSON data, such as /api/user, /api/roles, /api/profile, or /api/data, typically requiring authentication via a token

2

Perform a login request to retrieve a valid token, ensuring access to the API endpoint that uses the roleid parameter

3

Locate the roleid parameter in the JSON body of the API request, often used to filter user roles or permissions and directly passed to a database query

POST /api/roles HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: [variable]
Authorization: Bearer [token]
Origin: https://example.com
Referer: https://example.com/api/roles
Connection: close

{"roleid": 1}
4

Modify the roleid parameter with a simple time-based payload like 1 AND SLEEP(20) to induce a 20-second delay if the query executes

POST /api/roles HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: [variable]
Authorization: Bearer [token]
Origin: https://example.com
Referer: https://example.com/api/roles
Connection: close

{"roleid": "1 AND SLEEP(20)"}

Use Burp Suite or curl to send the modified request and measure the response time. A ~20-second delay (21,131 ms) confirms the payload executed in the database

5

Send a non-delaying request with the original roleid value ({"roleid": 1}) or a neutral payload ({"roleid": "1 AND 1=1"}) to ensure no delay occurs, verifying the injection

Filename Parameter

1

Log into the target site and intercept the requests using the Burp Suite tool

2

Then identify and check the file upload functionality on the site. This functionality is usually in the profiles, tickets, user settings, and ...

3

Then click on the Upload File option and intercept the request using intercept in Burp Suite

4

Now put --sleep(15).png in the payload file name and then check the server response to see if it responded to us after 15 seconds

5

If the server response takes 15 seconds, the SQL Injection vulnerability in the file name is confirmed and it is vulnerable

Signup Process

1

Enter a username and email in the Signup form and submit it, capturing the request with Burp Suite to inspect field validation and database behavior

2

Locate the email or username parameter in the POST request body, noting if the application allows duplicate usernames with unique emails, indicating potential truncation

3

Create a second account with the same username and a modified email (r3dbuck3t@bucket.com+++++hacker), intercepting the request with Burp Suite to add encoded spaces and extra characters.

4

Send the request and check for a 200 response, confirming the account was created despite the extra characters, suggesting truncation occurred

5

Log in with the original email (r3dbuck3t@bucket.com) and the same password to verify the account authenticates, proving truncation allows duplicate access

6

Identify an admin email (admin@book.htb) from public pages like Contact Us, then repeat the process with admin@book.htb++++++hacker to create a duplicate admin account

7

Attempt to log in with the original admin email (admin@book.htb) and the new password, checking if it grants user-level access or redirects to an admin portal

8

If user access is granted, perform directory enumeration (with Gobuster) to find an admin portal (/admin), then try logging in again to verify admin privileges

White Box

Cheat Sheet

PreviousHTTP Parameter PollutionNextLDAP Injection

Last updated