12/26/24, 12:49 PM SQLi Cheat Sheet
SQLi Cheat Sheet
Many bug hunters believe that “SQL injection is dead” or “SQL injection is hard to find”.
This is not true, and if you believe it you are missing out on critical bugs.
Bug Bounty Hunters are WRONG about this‘ OR 1=1
https://jasper-join-7e5.notion.site/SQLi-Cheat-Sheet-b03215933d234f11a8ff16b9d02869fe 1/8
SQL injection (SQLi) allows an attacker to interfere with the queries that an
application makes to its database. This can allow an attacker to view data that
they are not normally able to retrieve. This might include data that belongs to
other users, or any other data that the application can access. In many cases,
an attacker can modify or delete this data, causing persistent changes to the
application's content or behavior.
CVE-2024-2879
CVE-2024-2879 was awarded a $5,500 bounty, which is so far the highest bounty paid
by the Wordfence bug bounty program. It is an unauthenticated SQL injection in the
LayerSlider WordPress plugin. LayerSlider has an endpoint with the ls_get_popup_markup
action, which was vulnerable to SQL injection. Check here and here for
further details.
3 Types of SQLi
1. Basic SQLi
1.1. Error-based SQLi
Error-based SQLi relies on error messages thrown by the database server to
obtain information about the structure of the database.
1.2. Union-based SQLi
Union-based SQLi leverages the UNION SQL operator to combine the results
of two or more SELECT statements into a single result which is then returned
as part of the HTTP response.
2. Blind SQLi
2.1. Boolean-based SQLi
Boolean-based SQLi relies on sending an SQL query to the database which
forces the application to return a different result depending on whether the
query returns a TRUE or FALSE result.
2.2. Time-based Blind SQLi
Time-based SQLi relies on sending an SQL query to the database which forces
the database to wait for a specified amount of time before responding. The
response time will indicate to the attacker whether the result of the query is
TRUE or FALSE.
3. Out-of-band SQLi
Out-of-band SQLi occurs when an attacker uses a different channel to launch
the attack and to gather the results. This requires the database server to make
DNS or HTTP requests to deliver data to an attacker.
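Every technique above depends on one thing: user input becoming part of the SQL text instead of being bound as a value. The following is an added example, not code from the cheat sheet: a user lookup written both ways (string concatenation and a parameterized query) against an in-memory SQLite database with constructed rows (the table names, usernames and token value are made up). The probe helper reports either a database error (what error-based SQLi keys on) or the rows returned (what union-based and boolean-based SQLi key on). SQLite has no sleep function, so the time-based variant is not shown.

```python
"""Added example: concatenated vs. parameterized lookup against constructed data."""
import sqlite3


def build_db():
    """Constructed sample data: two users and a second table the lookup never targets."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO users VALUES (2, 'bob', 'bob@example.test');
        CREATE TABLE api_tokens (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO api_tokens VALUES (1, 'constructed-token-value');
        """
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by concatenation: the input becomes part of the SQL grammar."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized: the driver binds the value separately, so it is only ever data."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(conn, username):
    """Run both forms on the same input and report what each returns.

    "error" means the database rejected the SQL, which is the signal error-based
    SQLi relies on; differing row sets are the signal union- and boolean-based
    SQLi rely on."""
    out = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            out[name] = fn(conn, username)
        except sqlite3.OperationalError:
            out[name] = "error"
    return out


if __name__ == "__main__":
    conn = build_db()
    for value in ("alice",                 # normal input
                  "'",                     # error-based: lone quote breaks the syntax
                  "' OR 1=1 --",           # the tautology from the title of this page
                  "alice' AND 1=1 --",     # boolean-based: true condition, row comes back
                  "alice' AND 1=2 --",     # boolean-based: false condition, no row
                  "' UNION SELECT id, token FROM api_tokens --"):  # union-based
        print(f"{value!r:50} -> {probe(conn, value)}")
```

The safe form never errors and never returns anything but the exact-match row, whatever the input looks like; that is the whole argument for parameterized queries over input filtering.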
How to Hunt
Identification
Probe if SQL injection might be possible with:
• single-quote
• apostrophe
• backtick
• backslash
• some OR payload variations
• etc.
Know your Wordlist
I personally like Godfather Orwa's SQL wordlists [GitHub], but there are plenty of
wordlists out there.
Please familiarize yourself well with the contents of the wordlists you are
using, since they can cause a lot of harm to your target. You don't want to be
responsible for deleting a production DB full of user data. Please hack
responsibly!
Injection Points
There are various places to inject the payloads. Equipped with a wordlist you can
use Burp Intruder or ffuf to fuzz the target. Here are a few ideas on where to inject:
• Value
• Parameter
• Parameter=Value
• Header
• Cookies
• Path
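The same two lists, the probe characters under Identification and the injection points just above, are also what a defender looks for in request logs. The following is an added example, not code from the cheat sheet: a small triage script over constructed JSON-lines request records (the record format, the sample requests and the sqlmap version string are all made up) that decodes each injection point (path segments, parameter names, values, headers, cookies) and flags the markers from the Identification list plus the UNION and time-delay keywords the later techniques depend on.

```python
"""Added example: flag SQLi probe markers at each injection point in constructed logs."""
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markers from the Identification list above, plus the keywords the union-based and
# time-based techniques depend on. A hit is a reason to review the request, not proof.
PROBE_CHARS = {"'": "single quote", "`": "backtick", "\\": "backslash"}
PROBE_PATTERNS = [
    (re.compile(r"\bor\b\s*\d+\s*=\s*\d+", re.I), "OR tautology"),
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
     "time-delay function"),
]


def scan_text(text):
    """Return the descriptions of every marker found in one already-decoded string."""
    hits = [desc for ch, desc in PROBE_CHARS.items() if ch in text]
    hits += [desc for pat, desc in PROBE_PATTERNS if pat.search(text)]
    return hits


def scan_record(rec):
    """Check one request at each injection point named above.

    rec is a dict with "id", "url", "headers" and "cookies" (a constructed,
    hypothetical log format; adapt the accessors to your own logs).
    Returns (injection_point, name, markers) tuples."""
    findings = []
    parts = urlsplit(rec["url"])
    for seg in parts.path.split("/"):  # path: decode each segment separately
        if seg and (hits := scan_text(unquote(seg))):
            findings.append(("path", seg, hits))
    # parse_qsl percent-decodes both parameter names and values
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if hits := scan_text(name):
            findings.append(("parameter", name, hits))
        if hits := scan_text(value):
            findings.append(("value", name, hits))
    for hdr, value in rec.get("headers", {}).items():
        if hits := scan_text(value):
            findings.append(("header", hdr, hits))
    # sqlmap's default User-Agent names the tool unless --random-agent is used
    if "sqlmap" in rec.get("headers", {}).get("User-Agent", "").lower():
        findings.append(("header", "User-Agent", ["sqlmap user-agent"]))
    for ck, value in rec.get("cookies", {}).items():
        if hits := scan_text(unquote(value)):
            findings.append(("cookie", ck, hits))
    return findings


def triage(log_lines):
    """Parse JSON-lines records and return the findings keyed by request id."""
    report = {}
    for line in log_lines:
        rec = json.loads(line)
        if findings := scan_record(rec):
            report[rec["id"]] = findings
    return report


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    '{"id": 1, "url": "/products?id=42", "headers": {"User-Agent": "Mozilla/5.0"}, "cookies": {"session": "abc123"}}',
    '{"id": 2, "url": "/products?id=42%27", "headers": {}, "cookies": {}}',
    '{"id": 3, "url": "/login?user=admin%27%20OR%201%3D1--", "headers": {}, "cookies": {}}',
    '{"id": 4, "url": "/home", "headers": {"X-Forwarded-For": "203.0.113.9\'"}, "cookies": {}}',
    '{"id": 5, "url": "/user/bob%60", "headers": {}, "cookies": {}}',
    '{"id": 6, "url": "/search?q%27=test", "headers": {}, "cookies": {}}',
    '{"id": 7, "url": "/home", "headers": {"User-Agent": "sqlmap/1.8#stable (https://sqlmap.org)"}, "cookies": {"ref": "1%27%20AND%20sleep%285%29--"}}',
]

if __name__ == "__main__":
    for req_id, findings in triage(SAMPLE_LOG).items():
        for point, name, markers in findings:
            print(f"request {req_id}: {point} {name!r}: {', '.join(markers)}")
```

Decoding before matching matters: a percent-encoded quote in a value or a backtick in a path segment is invisible to a substring check on the raw line, which is also why a fuzzer that only URL-encodes its payloads gets past naive logging rules.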
Second-Order SQLi (Stored SQLi)
Second-Order SQLi occurs when the application takes user input and stores it
for future use. This is usually done by storing the input into a database. No
vulnerability occurs at this point. Later, when handling another request, the
application retrieves the stored data and incorporates it into an SQL query in an
unsafe way.
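The point of second-order SQLi is that the request which stores the value is clean and the request which reuses it is not. The following is an added example, not code from the cheat sheet: a registration step that binds the username correctly, followed by a profile query that reads the stored username back and concatenates it into new SQL, beside the fixed version that keeps binding it. It runs against an in-memory SQLite database with constructed rows (table names, users and note text are made up).

```python
"""Added example: second-order (stored) SQL injection and its fix, on constructed data."""
import sqlite3


def build_db():
    """Constructed sample data: one existing user and two users' private notes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.test');
        INSERT INTO notes VALUES (1, 'alice', 'alice private note');
        INSERT INTO notes VALUES (2, 'bob', 'bob private note');
        """
    )
    return conn


def register(conn, username, email):
    """Step 1: store the input. Parameterized, so nothing is injected here and
    the value lands in the table exactly as typed. Returns the new user id."""
    cur = conn.execute("INSERT INTO users (username, email) VALUES (?, ?)",
                       (username, email))
    return cur.lastrowid


def notes_for_user_vulnerable(conn, user_id):
    """Step 2 (vulnerable): the stored username is treated as trusted because it
    'came from the database', and is spliced into the next query as SQL text."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?",
                               (user_id,)).fetchone()
    sql = f"SELECT body FROM notes WHERE owner = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_user_safe(conn, user_id):
    """Step 2 (fixed): data read back from the database is still data and is bound
    as a parameter, so where the value originally came from no longer matters."""
    (username,) = conn.execute("SELECT username FROM users WHERE id = ?",
                               (user_id,)).fetchone()
    return [row[0] for row in conn.execute("SELECT body FROM notes WHERE owner = ?",
                                           (username,))]


def demo():
    """Register a username carrying the tautology from this page's title, then
    fetch that user's notes both ways and return the two results."""
    conn = build_db()
    uid = register(conn, "eve' OR 1=1 --", "eve@example.test")  # accepted cleanly
    return {"vulnerable": notes_for_user_vulnerable(conn, uid),
            "safe": notes_for_user_safe(conn, uid)}


if __name__ == "__main__":
    for form, rows in demo().items():
        print(f"{form}: {rows}")
```

This is why "we validate on input" is not a complete fix: the registration form may well have validated, stored and even HTML-escaped the value correctly, and the bug is still in whichever later code path builds SQL from it by hand.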
sqlmap
sqlmap is the Swiss army knife for SQL Injection attacks.
sqlmap is a powerful tool for detecting and exploiting SQL injection flaws and
taking over database servers.
Scan a URL with sqlmap -u https://target.com/?id=1. Alternatively, you can copy a
request, for example from Burp, into a file and pass it to sqlmap via sqlmap -r req.txt.
Here is a more complex sqlmap command:
Please check the sqlmap wiki, which explains each option much better than I could here.
Bypassing WAF with Tamper scripts:
Please have a look at the table at PayloadsAllTheThings for the specifics of the tamper
scripts.
The Easiest Bug Class
If all of this was a bit too technical for you, check out this video, where we dive into the
easiest bug class.
Bug Hunting is easy if you KNOW this
That’s it for today. Stay curious! Happy Hacking!
Resources
Types of SQL Injection? (Acunetix)
https://www.acunetix.com/websitesecurity/sql-injection2/
SQL Injection Cheat Sheet | Invicti
https://www.invicti.com/blog/web-security/sql-injection-cheat-…
How I Got 4 SQLI Vulnerabilities At One Target Manuall… (Medium)
https://medium.com/@bug4y0u/how-i-got-4-sqli-vulnerabiliti…
Advanced SQL Injection (OWASP Belgium chapter, 2010, PDF)
https://owasp.org/www-chapter-belgium/assets/2010/2010-06-16/Advanced_SQL_InjectionV2.pdf
SQL Injection Isn't Dead Yet, by Erlend Oftedal and Nanne Baars (OWASP on dev.to)
https://dev.to/owasp/sql-injection-isnt-dead-yet-48ic
[4] OrwaGodFather Methodology SQL Injection & Tools… (YouTube)
https://www.youtube.com/watch?v=_aST_z_qTYE
Tools: https://github.com/Cyber-Guy1/Subdomainer
https://github.com/Cyber-Guy1/domainCollector
What is SQL Injection? Tutorial & Examples | Web Security Academy
https://portswigger.net/web-security/sql-injection
SQL injection cheat sheet | Web Security Academy
https://portswigger.net/web-security/sql-injection/cheat-sheet
GitHub - payloadbox/sql-injection-payload-list
https://github.com/payloadbox/sql-injection-payload-list?tab…
sqlmap (sqlmapproject)
Important SQLMap commands | Infosec
https://www.infosecinstitute.com/resources/penetration-testing/important-sqlmap-commands/
SQLmap — A Comprehensive Guide For Begineers (Medium)
https://medium.com/@Rad1antC0d3/sqlmap-a-comprehensive-guide-for-begineers-f0ecd75f11ad
SQLMap Tamper Scripts (SQL Injection and WAF bypa… (Medium)
https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-inje…
PayloadsAllTheThings/SQL Injection at master · swisskyrepo
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/…