Yoo. Welcome to Issue #06 of Navigating Security.
🍃Quote of the week:
SQL injection is one of the least sophisticated yet most dangerous threats to web application security ~ Kevin Mitnick
What To Expect 🫡
Finding and exploiting SQLi using manual methods and automated tooling💉
A Cloud Security Engineer roadmap to get you from zero to hero ☁️
A comprehensive research playbook for Android security 📱
⏱️ In case you missed the previous issue, here you go:
This Week’s YouTube Video:
Is this love or is this SQL Injection?
⚠️ Not sponsored
One of the best SQLi writeups I’ve seen in a minute💉
I haven’t found SQLi in a pentest or during the little bug bounty hunting that I do, but apparently, some people do. This write-up goes into detail about how you could potentially exploit SQLi using both manual methods and automated tooling. Here’s the TLDR:
Identify SQL injection vulnerability using error-based SQLi technique.
Use SQLMap for automatic detection, leveraging time-based SQLi to confirm.
Overcome length filter via manual enumeration by focusing on metadata extraction.
Use shorter query payloads, nested queries, and built-in functions for efficiency.
Extract database and table names despite the web application's character limit by keeping payloads short.
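The defensive takeaway from that TLDR is that a length cap does not make a concatenated query safe. The sketch below is an added example, not code from the write-up or this newsletter; it uses Python's sqlite3 with a constructed table, a constructed 20-character limit and hypothetical function names to compare the length-filtered concatenation with a bound parameter.

```python
import sqlite3

MAX_LEN = 20  # constructed limit, standing in for the application's length filter


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def lookup_length_filtered(db, name):
    """Weak pattern: a length cap, then string concatenation into the SQL text."""
    if len(name) > MAX_LEN:
        raise ValueError("input too long")
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, name):
    """Hardened pattern: the value is bound, so it never becomes SQL syntax."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input, 12 characters, under MAX_LEN
    print("length-filtered:", lookup_length_filtered(db, probe))  # every row
    print("parameterized:  ", lookup_parameterized(db, probe))    # no rows
    try:
        lookup_length_filtered(db, "o'brien")  # a legitimate name with a quote
    except sqlite3.OperationalError as exc:
        # The raw database error is the signal error-based testing looks for.
        print("concatenated query broke:", exc)
    print("parameterized:  ", lookup_parameterized(db, "o'brien"))
```

The same unbalanced-quote error is worth alerting on in application logs, since a name field that produces SQL syntax errors points at a concatenated query.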
Cloud security roadmap 🛣️
Pwnedlabs released a guide to get into cloud security a while ago. This guide covers some of the following areas:
Linux and Containers
Cloud Security Principles
Hacker Mindset
Automation and Scripting
Data Encryption, Keys, and Storage
https://pwnedlabs.io/roadmaps/cloud-security-engineer/roadmap.pdf
Android Security Research Playbook 📱
Darkwolf Solutions also recently released something: a playbook for Android research. I haven’t looked at the entire thing, but best believe I will be. I skimmed through the table of contents and bookmarked the thing immediately!
https://github.com/DarkWolf-Labs/playbooks/blob/main/Android-Security-Research-Playbook.pdf
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.