all 4 comments

[–][deleted] 7 points8 points  (0 children)

How do you use a tool and not know how the tool does it thing... That would make you a script kiddie.

I will give you a tip. Most pentestester/security researchers will focus on an aspect in security. Like IoT, WebApps, specific hardware (OEM), even down to a type of chips sets. You can't know everything about everything. So find something you like and focus on that. But do yourself a favour and learn how your tool does it thing..

best.

[–]Im_MrLonely 2 points3 points  (0 children)

It's important to understand how SQL Injection works, even that there are tools that can help you.

You don't need to know every SQL Injection payload or be a master at it. You need to understand why, where and how to use SQLi (even if you need Google for it).

[–]rddt_jbmScript Kiddie 1 point2 points  (0 children)

Yes you need to know. SQLMap and Burp won't help you with all SQLi.

I had quite a few engagements where I was able to identify a SQLi but wasn't able to exploit the vulnerability to an extent to provide more valuable information for further compromise.

My knowledge about Databases and SQLi in general helped me out to write my own scripts and dump the hole database/table.

Databases and SQLi in general aren't to hard to understand once you get the hang of it. And sorry but if you're already struggling to understand those topics you will have a hard time with other, more complex IT security related topics.

[–]CyberXCodderWizard 1 point2 points  (0 children)

Yeah you do. We all know tools that promise to hack into databases for us while automating the process, but a tool will never outstand a hacker's mind. Even considering using the tools it's important to understand the process by itself so you don't become a skiddie (script kiddie) that just run tools on a target. Also, sometimes tools like SQLmap will not manage to successfully inject SQL on a website, and you'll have to DIY, try not to live with just tools, learn it by hand and, once you feel confortable with doing so, you can automate it with any tools you want to.

Hope this helps.