
SQL Injection Tests

postmodern edited this page Sep 14, 2010 · 11 revisions

SQL Detection

  • Append -- to the query param:
    • If the response does not change, the query param might be used in an SQL statement: when the value lands in an unquoted SQL expression the trailing comment is ignored and the query returns the same rows. A value inside a quoted string literal changes the response instead (use the quote tests below for those), and on MySQL the comment marker must be followed by whitespace, so send it with an encoded space (--%20) or use the MySQL-only # comment encoded as %23.

SQL Error Detection

  • Append ', " or ` to the query param:
    • If the response lacks data or contains an SQL error message, the query param is being used in an SQL statement: the unbalanced quote terminates the literal early and breaks the query. Note which of the three characters triggers it; all three break an unquoted numeric value, but for a string value only the character the application quotes with will.

Filter Detection

  • Prepend -- to the query param:
    • If the response does not change, filtering may be removing - characters. On MySQL a leading -- is not a comment unless followed by whitespace, so --5 in a numeric context is a double negation that evaluates to 5; confirm with another punctuation character before concluding that - is filtered.
  • Append 0 to the numeric query param:
    • If the response does not change, filtering may be removing 0 characters.
  • Prepend punctuation characters to the query param:
    • If the response does not change, filtering may be removing punctuation characters.
  • Append non-numeric characters to the query param:
    • If the response does not change, the query param is being sanitized using a String to Integer conversion function such as atoi() or intval(), which keep the leading digits and discard the rest (5abc becomes 5).

Numeric Detection

  • Prepend 0 to the query param:
    • If the response does not change, the query param is being treated as an Integer (05 and 5 are the same integer but different strings).
  • Prepend - to the query param:
    • If the response does change, the query param is being treated as an Integer.
  • Prepend + to the query param (send it as %2B, since a bare + in a URL decodes to a space):
    • If the response does not change, the query param is being treated as an Integer.
  • Divide the query param by 2 and prepend 2* (pick an even value so the division is exact):
    • If the response does not change, the query param is being treated as an Integer.
  • Subtract 1 from the query param and prepend 1+ (again with + encoded as %2B):
    • If the response does not change, the query param is being treated as an Integer.
  • Wrap the query param in the abs function:
    • If the response does not change, the query param is being treated as an Integer.
  • Wrap the query param in the max function, with the additional argument set to 0:
    • If the response does not change, the query param is being treated as an Integer. SQLite's two-argument max() is a scalar function; on MySQL, PostgreSQL and Oracle max() is an aggregate that takes a single argument, so use greatest(param, 0) there instead.

String Detection

  • Wrap the query param in the substr function, with the pos argument set to 0, and the len argument set to the length of the query param plus 1:
    • If the response does not change, the query param is being treated as a String. Position 0 is engine-specific: SQLite counts it as one position before the first character (hence len plus 1), while MySQL returns an empty string for position 0, so use pos 1 and len equal to the length there. Run this after the Numeric Detection tests: most engines compare a numeric column equal to the string '5', so a numeric param wrapped in substr can also leave the response unchanged.
  • If the query param consists of all lower-case characters, wrap the query param in the lower function:
    • If the response does not change, the query param is being treated as a String.
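The whole procedure above, from SQL Detection through String Detection, as an added example; this is not code from this wiki or from the project it belongs to. It builds a constructed in-memory SQLite database and three hypothetical endpoints, page_numeric, page_string and page_sanitized (all assumptions made for the example), that stand in for the target, then runs each test the way the bullets describe: send a probe, compare the response with the baseline response for the original value. Two things go beyond the wiki text and are assumptions of the example: string_detection closes the surrounding quote and concatenates back into it with '||...||' when the quote test found one, and classify() only runs the string probes once the integer probes have failed. Because the backend is SQLite, the MySQL-specific caveats noted above (whitespace after --, substr position 0, greatest()) do not apply here.

```python
import re
import sqlite3

# Constructed in-memory backend standing in for the target application's database.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE products (id INTEGER, name TEXT, price INTEGER)")
CONN.executemany("INSERT INTO products VALUES (?, ?, ?)",
                 [(1, "apple", 10), (2, "pear", 20), (4, "melon", 40)])


def run(sql):
    """Execute the query and return what the application would render: the
    result rows, or a verbose error page (a leaky but still common default)."""
    try:
        return repr(CONN.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc


# Three hypothetical endpoints, each taking a single query param `p`.
def page_numeric(p):    # unquoted numeric context, no filtering
    return run("SELECT name, price FROM products WHERE id = " + p)


def page_string(p):     # single-quoted string context, no filtering
    return run("SELECT id, price FROM products WHERE name = '" + p + "'")


def page_sanitized(p):  # atoi()/intval()-style String to Integer conversion
    m = re.match(r"\s*[+-]?\d+", p)     # leading digits survive, the rest is dropped
    return run("SELECT name, price FROM products WHERE id = %d"
               % (int(m.group()) if m else 0))


def unchanged(page, value, probe):
    return page(probe) == page(value)


def sql_detection(page, value):
    """Append --: an unquoted SQL expression ignores the trailing comment."""
    return unchanged(page, value, value + "--")


def sql_error_detection(page, value):
    """Append ', " and `; return the first one that produced an error page or
    an empty result, or None if the value never reaches the SQL parser."""
    base = page(value)
    for q in ("'", '"', "`"):
        resp = page(value + q)
        if resp.startswith("SQL error") or (resp == "[]" and base != "[]"):
            return q
    return None


def string_to_integer_filter(page, value):
    """Appended non-numeric characters vanish under atoi()-style conversion."""
    return value.isdigit() and unchanged(page, value, value + "abc")


def numeric_detection(page, value):
    """Return the integer-preserving rewrites that left the response unchanged."""
    probes = ["0" + value, "+" + value, "abs(%s)" % value, "max(%s,0)" % value]
    if value.isdigit():
        n = int(value)
        probes.append("1+%d" % (n - 1))
        if n % 2 == 0:                  # the 2* probe only works for even values
            probes.append("2*%d" % (n // 2))
    return [p for p in probes if unchanged(page, value, p)]


def string_detection(page, value, quote=None):
    """Wrap the value in substr()/lower(). When the quote around the value is
    known, close it and concatenate back into it with ||; that breakout is an
    assumption of this example (SQLite syntax), not part of the wiki."""
    wrappers = ["substr(%%s,0,%d)" % (len(value) + 1)]
    if value.isalpha() and value.islower():
        wrappers.append("lower(%s)")
    hits = []
    for w in wrappers:
        probe = (quote + "||" + w % (quote + value + quote) + "||" + quote
                 if quote else w % value)
        if unchanged(page, value, probe):
            hits.append(probe)
    return hits


def classify(page, value):
    """Run the wiki's checks in order and collect the findings."""
    f = {"comment_ignored": sql_detection(page, value),
         "error_quote": sql_error_detection(page, value),
         "atoi_filter": string_to_integer_filter(page, value)}
    f["integer_probes"] = numeric_detection(page, value)
    # Only fall through to the string probes when the integer probes failed:
    # a numeric column compares equal to the string '4' on most engines, so
    # substr() around a numeric value would give a false "String" reading.
    f["string_probes"] = ([] if f["integer_probes"]
                          else string_detection(page, value, f["error_quote"]))
    return f


if __name__ == "__main__":
    for label, page, value in (("numeric", page_numeric, "4"),
                               ("string", page_string, "melon"),
                               ("sanitized", page_sanitized, "4")):
        print(label, classify(page, value))
```

Running it prints the findings for each endpoint. The numeric endpoint passes every integer probe; the sanitized endpoint also passes the -- test (a false positive, which is why the wiki says "might") and the 04 and +4 probes, but fails the arithmetic probes because atoi() turns 1+3 into 1 and is identified by the 4abc test; the string endpoint fails the -- test, is caught by the ' quote test, and is then confirmed by the substr and lower probes.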