SQL Injection Tests

postmodern edited this page Nov 11, 2010 · 11 revisions

SQL Injection Detection

  • Append -- (the SQL end-of-line comment) to the query param:
    • If the response does not change, the query param might be used in an SQL statement.
  • Wrap the query param in the ifnull function as its second argument, with the first argument set to null (ifnull(null, value) evaluates to value):
    • If the response does not change, the query param might be used in an SQL statement.
  • Wrap the query param in the nullif function, with the other argument set to 0 (nullif(value, 0) evaluates to value unless value is 0):
    • If the response does not change, the query param might be used in an SQL statement.

SQL Error Detection

  • Append ', " or ` to the query param:
    • If the response lacks data or contains an SQL Error message, the query param is being used in an SQL statement.

Filter Detection

  • Prepend - to the query param:
    • If the response does not change, filtering may be removing - characters.
  • Append 0 to the numeric query param:
    • If the response does not change, filtering may be removing 0 characters.
  • Prepend punctuation characters to the query param:
    • If the response does not change, filtering may be removing punctuation characters.
  • Append non-numeric characters to the query param:
    • If the response does not change, the query param is being sanitized using a String to Integer conversion function.

Numeric Injection Detection

  • Prepend 0 to the query param:
    • If the response does not change, the query param is being treated as an Integer.
  • Prepend - to the query param:
    • If the response does change (the value is now negative), the query param is being treated as an Integer.
  • Prepend + to the query param:
    • If the response does not change, the query param is being treated as an Integer.
  • Divide the query param by 2 and prepend 2*:
    • If the response does not change, the query param is being treated as an Integer.
  • Subtract 1 from the query param and prepend 1+:
    • If the response does not change, the query param is being treated as an Integer.
  • Wrap the query param in the abs function:
    • If the response does not change, the query param is being treated as an Integer.
  • Wrap the query param in the max function, with the additional argument set to 0:
    • If the response does not change, the query param is being treated as an Integer.
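The following added example (not part of the original wiki page) shows why the probes in the SQL Injection Detection, SQL Error Detection and Numeric Injection Detection lists produce a signal, and that the signal disappears once the parameter is bound instead of spliced into the statement. The in-memory SQLite table, the items/id/name names and the baseline value 2 are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn

def lookup_vulnerable(conn, param):
    """Splices the untrusted parameter into the SQL text: the defect these probes detect."""
    try:
        return conn.execute(f"SELECT name FROM items WHERE id = {param}").fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"

def lookup_parameterized(conn, param):
    """Binds the parameter; whatever it contains is compared as a value, never parsed as SQL."""
    try:
        return conn.execute("SELECT name FROM items WHERE id = ?", (param,)).fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"

# Probe values built from a constructed baseline id of 2, following the recipes above.
BASELINE = "2"
PROBES = {
    "append --":        "2 --",
    "wrap in ifnull":   "ifnull(null, 2)",
    "wrap in nullif":   "nullif(2, 0)",
    "prepend 2* (n/2)": "2*1",
    "prepend 1+ (n-1)": "1+1",
    "wrap in abs":      "abs(2)",
    "wrap in max(,0)":  "max(2, 0)",
    "append quote":     "2'",
}

def response_unchanged(lookup, conn, probe):
    """True when the probe yields the same result set as the baseline value."""
    return lookup(conn, probe) == lookup(conn, BASELINE)

def run_probes(lookup):
    """Map each probe label to whether the response stayed the same under the given lookup."""
    conn = make_db()
    return {label: response_unchanged(lookup, conn, value) for label, value in PROBES.items()}

if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        print(name)
        for label, same in run_probes(fn).items():
            print(f"  {label:<18} response unchanged: {same}")
```

Against the concatenating lookup every arithmetic and function-wrapping probe evaluates back to 2, so the response is unchanged, while the appended quote produces an SQL error, exactly the two signals the lists describe. Against the bound lookup every probe string is compared as a literal that is not a well-formed number, so none of them matches the baseline row, and no error is raised.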

Raw String Injection Detection

  • Wrap the query param in the substr function, with the pos argument set to 0, and the len argument set to the length of the query param plus 1:
    • If the response does not change, the query param is being treated as a String.
  • If the query param consists of all lower-case characters, wrap the query param in the lower function:
    • If the response does not change, the query param is being treated as a String.
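From the defender's side, the same probe shapes are visible in web server logs. This added example (not from the original page) scans constructed Common Log Format lines for the syntactic indicators the lists above describe: a trailing SQL comment, the ifnull/nullif/abs/max/substr/lower wrappers, an unbalanced quote character, and an arithmetic prefix. The log lines, the /item and /search endpoints and the indicator names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format) for an imaginary /item endpoint.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Nov/2010:10:00:00 +0000] "GET /item?id=2 HTTP/1.1" 200 512
192.0.2.10 - - [11/Nov/2010:10:00:01 +0000] "GET /item?id=2%20-- HTTP/1.1" 200 512
192.0.2.10 - - [11/Nov/2010:10:00:02 +0000] "GET /item?id=ifnull(null,2) HTTP/1.1" 200 512
192.0.2.10 - - [11/Nov/2010:10:00:03 +0000] "GET /item?id=2%27 HTTP/1.1" 500 120
192.0.2.10 - - [11/Nov/2010:10:00:04 +0000] "GET /item?id=2*1 HTTP/1.1" 200 512
192.0.2.44 - - [11/Nov/2010:10:00:05 +0000] "GET /search?q=hello%20world HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Each indicator corresponds to one probe family from the lists above.
INDICATORS = [
    ("sql-comment", re.compile(r"--\s*$")),
    ("sql-function", re.compile(r"\b(ifnull|nullif|abs|max|substr|lower)\s*\(", re.IGNORECASE)),
    # Exactly one quote character; legitimate values such as O'Brien also match, so tune per application.
    ("unbalanced-quote", re.compile(r"^[^'\"`]*['\"`][^'\"`]*$")),
    ("arithmetic-prefix", re.compile(r"^\s*\d+\s*[*+]\s*\d+\s*$")),
]

def query_params(log_line):
    """Return percent-decoded (name, value) pairs from the request's query string, or [] if none."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    return parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)

def classify(value):
    """Names of the indicators that match a single decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]

def scan_log(text):
    """Collect (line_no, param, value, indicators) for every parameter that matches a probe family."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, value in query_params(line):
            tags = classify(value)
            if tags:
                hits.append((line_no, name, value, tags))
    return hits

if __name__ == "__main__":
    for line_no, name, value, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}={value!r} -> {', '.join(tags)}")
```

The sign and zero-prefix probes (-, +, 0) and the non-numeric-suffix filter probes are indistinguishable from ordinary input without a per-session baseline to compare against, so this scanner matches only the indicators that are syntactically unusual on their own; a sequence of such hits against one parameter from one client within a short window is the pattern worth alerting on.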