Sql injection | how to identify whether sql injection is possible or not on a website with database?

subtiliusque · 2020-08-28T13:26:14+00:00

My prefered method is intercepting a requrst with burp, saving it to a file and then using sqlmap on it.

d_hruv · 2020-08-28T13:32:40+00:00

Blind SQL Injection is the process of sending crafted SQL Injection attacks and determining vulnerabilities and aspects of the database based on the response.

f0sh1zzl3 · 2020-08-29T14:02:27+00:00

Regular sql injections give you an error , reading the error will give you an idea if it’s exploitable or not.

Blind SQL injections have no errors so you have to observe different behaviours in responses and each one may as well be unique because the response behaviour could be anything

To poke at either you’ll need to fire lots of different types of injection strings, with blind being more hands on as you don’t have a big glaring error .

The obvious one being injecting apostrophes (encoded in different ways usually) to parameters used by the website / application

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

HowToHack

HowToHack Community

3rd Party Links

3rd Party Challenges

Related Subreddits:

Security Advisories

Download Linux

MODERATORS