Bug Bounty - GitBook
Ir al canal en Telegram
Everything 4 bug bounty https://t.me/GiftWay32robot?start=_tgr_HwZ24DI5MWJk
Mostrar más7 429
Suscriptores
+424 horas
+207 días
+16430 días
Archivo de publicaciones
7 431
Don’t forget to try test/demo card credentials on websites that use Stripe or any other payment system.
If you’re lucky, you can get items/subscriptions for free 😀
@GitBook_s
7 431
BugBunty_Hunting_Guide_to_find_Vulnerabilities_by_Mahmoud_Mohamed.pdf2.72 MB
7 431
Active Directory Cheat sheet
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg
7 431
How to test for SQL injection 👇
1) Select params for testing in:
🔹 URL query
🔹 POST body
🔹 Headers
🔹 Cookies
It can be any parameter. Typically, I test integer parameters first.
2) Perform math if the tested field is an integer:
🔹 user_id=1338-1
If there is a sign of an SQL injection, you will see a result with user_id=1337.
3) Try to add symbols at the end of the parameter:
🔹 ' (single quote)
🔹 " (double quote)
🔹 ; (semicolon)
Observe the response status. If you spot an error response, there might be a chance of SQL injection.
4) Try to add another symbol and see if the error disappears
🔹 login=admin (status: 200)
🔹 login=admin' (status: 500)
🔹 login=admin'' (status: 200)
In SQL the escape character for a single quote is another single quote, and for a double quote is another double quote
5) Perform SQL query functions
Int
🔹 user_id=1337 AND 1=1 ✅
🔹 user_id=1337 AND 2=1 ❌
Text
🔹 login=admin' AND 'A'='A ✅
🔹 login=admin' AND 'A'='B ❌
JSON int
🔹 {"user_id":"1337 AND 1=1"} ✅
6) Combine SQL query functions with comments
Int ✅
🔹 user_id=1337 AND 1=1 --
Text ✅
🔹 login=admin' AND 'A'='A' --
JSON int ✅
🔹 {"user_id":"1337 AND 1=1 --"}
JSON text ✅
🔹 {"login":"admin' AND 'A'='A' --"}
7) Use Tools to test vulnerable params further
🔹 sqlmap
🔹 r0oth3x49/ghauri (github)
Remember that you only need to obtain the database version for the initial Proof of Concept (POC). Further exploitation should be tested only with permission from the program/company
8) You can use the following DB Fiddle to experiment with SQL injection points and behavior.
Edit SQL queries on the right and then click RUN to see how the SQL queries are executed and what results are displayed at the bottom.
https://www.db-fiddle.com/f/mZ2ftcLLzZLbrEELn38hjQ/0
@GitBook_s
¡Ya disponible! Investigación de Telegram 2025 — los principales insights del año 
