SQL Injection
SQL injection (SQLi) is the insertion of malicious SQL queries via input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify or delete records, execute administrative operations, and in some cases issue commands to the operating system.
Despite being one of the oldest web vulnerability classes, SQL injection continues to appear in modern applications — particularly in legacy codebases, custom query builders, and applications that construct SQL through string concatenation rather than parameterized queries. Second-order SQLi, where the payload is stored first and executed later in a different context, is especially difficult to detect with automated scanners.
SQLi techniques have evolved well beyond simple UNION SELECT attacks. Blind SQLi uses boolean conditions or time delays to extract data one bit at a time. Error-based injection leverages database error messages to leak information. Out-of-band SQLi exfiltrates data through DNS or HTTP requests initiated by the database. Each database engine — MySQL, PostgreSQL, MSSQL, Oracle, SQLite — has its own syntax quirks and exploitation techniques.
Modern WAFs and prepared statements have reduced the attack surface, but bypasses are regularly discovered through encoding tricks, comment injection, and parser differentials between the WAF and the database.
This page collects SQLi techniques, cheat sheets, bypass methods, and real-world exploitation writeups across all major database platforms.
From OWASP
| Date Added | Link | Excerpt |
|---|---|---|
| 2026-06-02 NEW 2026 | AnonymousPostgreSQL Injection in Drupal Core (CVE-2026-9082) news | Drupal Core is vulnerable to an anonymous PostgreSQL injection (CVE-2026-9082). This flaw allows unauthenticated users to inject arbitrary PostgreSQL code into a database. The vulnerability arises from insufficient sanitization of user-supplied data. Successful exploitation could lead to data manipulation, disclosure, or even remote code execution. Users are advised to update Drupal Core to the latest patched version as soon as possible to mitigate this critical security risk. → securityboulevard.com |
| 2026-06-01 NEW 2026 | Exploitation of Critical SQL Injection Vulnerability in Drupal (CVE-2026-9082) news | Writeup detailing the exploitation of CVE-2026-9082, a critical SQL injection vulnerability in Drupal affecting PostgreSQL databases. This unauthenticated flaw, rated 9.8 (CVSS), allows arbitrary SQL execution via crafted requests. CISA has added it to their KEV catalogue, with over 15,000 exploitation attempts detected across various sectors, primarily in the United States. Drupal recommends upgrading to the latest supported release or applying backported fixes. |
| 2026-05-30 NEW 2026 | 700 education and tech websites hijacked in huge ClickFix malware campaign news | Analysis of CVE‑2026‑26980, a critical SQL injection vulnerability affecting Ghost CMS versions 3.24.0 through 6.19.0, details how attackers exploited this flaw to hijack over 700 websites. The vulnerability allowed for the theft of administrative API keys, enabling attackers to inject JavaScript that presented fake Cloudflare or CAPTCHA verification dialogs, tricking visitors into running Windows commands to install malware through ClickFix attacks. |
| 2026-05-29 NEW 2026 | Critical Roundcube Flaw Allows Attackers to Inject SQL Queries news | Writeup detailing critical vulnerabilities in Roundcube Webmail, including a pre-authentication SQL injection flaw in the `virtuser_query` plugin via `preg_replace` backslash escape bypass, allowing arbitrary database queries. The update also addresses code injection via the LDAP `autovalues` option and other issues like stored XSS, CSS injection, SSRF bypass, and session poisoning. These vulnerabilities are patched in versions 1.6.16 and 1.7.1. → cyberpress.org |
| 2026-05-28 NEW 2026 | Roundcube Webmail Vulnerability Allows Hackers to Execute Malicious SQL Queries news | Library update addressing critical Roundcube Webmail vulnerabilities, including a pre-authentication SQL injection in the virtuser_query plugin via `preg_replace` backslash escape bypass, code injection via unsafe LDAP autovalues evaluation, stored XSS in draft restore, CSS injection bypass with SVG animate, SSRF and remote resource fetch bypasses, remote image blocking bypass, and pre-authentication arbitrary file deletion through Redis/Memcache session poisoning. Versions 1.6.16 and 1.7.1 contain the fixes. → gbhackers.com |
| 2026-05-28 NEW 2026 | Critical Roundcube Webmail Vulnerability Let Attackers Inject SQL Queries news | Writeup of critical Roundcube Webmail SQL injection vulnerability impacting versions 1.6.x and 1.7.x. The flaw, present in the virtuser_query plugin due to improper input sanitization in `preg_replace`, allows pre-authentication SQL injection, potentially exposing sensitive data. Additional fixes address stored XSS, HTML/CSS injection via SVG, SSRF bypasses, remote image blocking issues, arbitrary file deletion via session poisoning, and code-evaluation vulnerabilities in LDAP autovalues. Patched versions 1.6.16 and 1.7.1 are available. → cybersecuritynews.com |
| 2026-05-26 2026 | Ghost CMS Vulnerability Exploited to Hack Over 700 Websites news | Writeup of CVE-2026-26980, an SQL injection vulnerability in Ghost CMS, details how threat actors exploited it for mass attacks. Unauthenticated attackers can extract sensitive data, including authentication tokens and user credentials. The vulnerability was leveraged to obtain Admin API Keys, allowing malicious JavaScript loaders for ClickFix attacks to be injected into articles. Over 700 websites, including those of DuckDuckGo, Harvard University, and Oxford University, were compromised by at least two active threat groups. → securityweek.com |
| 2026-05-26 2026 | Drupal bug added to CISA list of known exploited vulnerabilities news | Library → scworld.com |
| 2026-05-26 2026 | Ghost CMS Vulnerability Exploited to Hack Over 700 Websites news | Library for identifying and mitigating SQL injection vulnerabilities, specifically addressing the Ghost CMS flaw exploited in mass attacks. This vulnerability, when unpatched, allowed threat actors to steal Admin API keys, inject malicious JavaScript into articles, and execute large-scale ClickFix attacks. The exploit impacted over 700 websites, including those of Harvard, Oxford, and DuckDuckGo, with competing attacker groups actively overwriting each other's malicious code. |
| 2026-05-26 2026 | CVE-2026-9082: Critical Drupal SQL Injection Vulnerability Affects PostgreSQL Deployments news | A critical SQL injection vulnerability, CVE-2026-9082, has been identified in Drupal, specifically impacting deployments using PostgreSQL. This flaw allows attackers to inject malicious SQL code into database queries, potentially leading to unauthorized data access, modification, or deletion. Users are strongly advised to update their Drupal installations to patch this vulnerability and secure their PostgreSQL databases. Further details and mitigation steps are available at the provided link. → securityboulevard.com |
| 2026-05-26 2026 | CISA orders feds to patch actively exploited Drupal vulnerability news | Vulnerability writeup detailing CVE-2026-9082, an actively exploited SQL injection flaw in Drupal's database abstraction API. Discovered by Michael Maturi and flagged as highly critical, this unauthenticated vulnerability allows attackers to target PostgreSQL-powered sites, potentially leading to information disclosure, privilege escalation, and remote code execution. CISA mandated U.S. federal agencies to patch by May 27th, citing its inclusion in the Known Exploited Vulnerabilities catalog and its frequent use as an attack vector. → bleepingcomputer.com |
| 2026-05-26 2026 | Active Exploitation Alert: Ghost CMS CVE-2026-26980 Mass Attack Hijacks 700 Sites for ClickFix Malware Campaigns news | Library for detecting and mitigating CVE-2026-26980, a critical unauthenticated blind SQL injection vulnerability in Ghost CMS. This flaw allows attackers to steal Admin API Keys, inject malicious JavaScript for social engineering, and deploy stealer malware. The exploit chain involves automated reconnaissance, exploitation of the Content API, and redirection to fake Cloudflare CAPTCHA pages to trick users into downloading malware. Mitigation requires immediate patching to version 6.19.1+, rotating credentials, and scanning content for injected scripts. → rescana.com |
| 2026-05-25 2026 | CISA Warns Drupal Core SQL Injection Vulnerability Is Being Exploited in Attacks news | Writeup of CVE-2026-9082, an actively exploited SQL injection vulnerability in Drupal Core. This CWE-89 flaw allows unauthenticated attackers to execute malicious SQL queries, potentially leading to privilege escalation, data exposure, and remote code execution. CISA has added it to its Known Exploited Vulnerabilities catalog, mandating remediation for federal agencies. Organizations should apply patches, harden database access, and update WAF rules to mitigate risks. → gbhackers.com |
| 2026-05-25 2026 | Drupal warns of active exploitation attempts targeting critical SQL injection flaw news | Analysis of CVE-2026-9082, a critical SQL injection vulnerability affecting Drupal sites using PostgreSQL, details active exploitation attempts observed by Imperva. This flaw in Drupal's database abstraction API allows unauthenticated attackers to execute arbitrary SQL, leading to potential information disclosure, privilege escalation, and remote code execution. CISA has added it to the KEV catalog, and agencies must secure systems by May 27. Patches are available for supported Drupal versions, and immediate updates are advised. |
| 2026-05-25 2026 | Ghost CMS SQL Injection Hits 700 Sites: Harvard DuckDuckGo Serve Fake Cloudflare Malware news | Library for detecting and remediating CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS versions 3.24.0 through 6.19.0. This flaw allows unauthenticated attackers to steal Admin API Keys, enabling them to inject malicious JavaScript into published articles. The compromised sites are then used to serve fake Cloudflare verification pages, tricking visitors into executing PowerShell scripts that download stealer trojans and other malware. The exploitation targets the Content API's slug-filter-order.js serializer and has impacted hundreds of websites, including those of Harvard University and DuckDuckGo. |
| 2026-05-25 2026 | Ghost CMS CVE-2026-26980 Exploited to Hijack 700 Sites for ClickFix Attacks news | Writeup of CVE-2026-26980 in Ghost CMS, an SQL injection vulnerability allowing unauthenticated attackers to hijack admin API keys and poison over 700 sites. Threat actors injected malicious JavaScript loaders, often powered by Adspect, to facilitate ClickFix attacks through fake CAPTCHA pages and ultimately deliver malware like a modified Grape desktop client or a PuTTY client. The vulnerability was addressed in Ghost CMS version 6.19.1. → thehackernews.com |
| 2026-05-25 2026 | CISA Warns of Drupal Core SQL Injection Vulnerability Exploited in Attacks news | Alert regarding CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core, actively exploited and listed on CISA's Known Exploited Vulnerabilities catalog. This CWE-89 flaw, impacting the database abstraction API, enables attackers to execute malicious SQL queries, leading to potential privilege escalation and remote code execution. CISA mandates remediation by May 27, 2026, for federal agencies under BOD 22-01, urging immediate patching, log monitoring, WAF implementation, and consideration of service shutdowns if patching isn't feasible. → cybersecuritynews.com |
| 2026-05-25 2026 | Ghost CMS Users Under Attack: Why Developers Must Act Fast news | Writeup on CVE-2026-26980, an actively exploited SQL injection vulnerability in Ghost CMS, impacting over 700 domains. Attackers leverage this flaw, combined with ClickFix social engineering tactics, to steal admin API keys and inject JavaScript. Mitigation involves upgrading to Ghost 6.19.1, rotating keys, auditing admin access, monitoring server logs, and training teams against suspicious prompts. |
| 2026-05-24 2026 | Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign news | Writeup of CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, details its exploitation in large-scale ClickFix campaigns. Threat actors leverage the flaw to steal admin API keys, injecting malicious JavaScript into articles to deploy payloads like the UtilifySetup.exe malware. Vulnerable versions range from 3.24.0 to 6.19.0, with attacks impacting numerous domains, including prominent universities and tech companies. Mitigation involves upgrading to Ghost CMS 6.19.1 or later, rotating API keys, and reviewing logs for indicators of compromise. → bleepingcomputer.com |
| 2026-05-24 2026 | U.S. CISA adds a flaw in Drupal Core to its Known Exploited Vulnerabilities catalog news | Vulnerability report detailing CVE-2026-9082, a critical SQL injection flaw in Drupal Core affecting PostgreSQL databases. This unauthenticated vulnerability allows attackers to compromise sites, leading to information disclosure, privilege escalation, and remote code execution. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to address it by May 27, 2026, following widespread exploitation observed by firms like Imperva. → securityaffairs.com |
| 2026-05-23 2026 | CVE-2026-9082: Drupal's Highly Critical SQL Injection Flaw Is Already Under Active Attack news | Writeup of CVE-2026-9082, a critical SQL injection vulnerability in Drupal affecting PostgreSQL installations. Exploitation attempts began immediately after the patch, with Imperva observing over 15,000 attacks in two days targeting sites globally. The vulnerability allows unauthenticated attackers to inject arbitrary SQL, leading to information disclosure, privilege escalation, or remote code execution. Administrators are urged to apply the security patch immediately. → securityaffairs.com |
| 2026-05-23 2026 | Drupal Core SQL Injection Bug Actively Exploited Added to CISA KEV news | Writeup of CVE-2026-9082, an actively exploited SQL injection vulnerability in Drupal Core, now listed on CISA's KEV catalog. The flaw, with a CVSS score of 6.5, allows privilege escalation and remote code execution via crafted requests to the database abstraction API. Patches are available for supported Drupal versions, and Imperva has observed widespread attack attempts, primarily targeting gaming and financial services sites, suggesting reconnaissance and validation are the initial stages of exploitation. → thehackernews.com |
| 2026-05-22 2026 | Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure news | Writeup of CVE-2026-9082, a critical SQL injection vulnerability in Drupal's API that allows unauthenticated attackers to extract information, escalate privileges, or achieve remote code execution. Exploitation attempts are actively detected in the wild, with thousands of targeting attempts observed against PostgreSQL-backed Drupal sites, impacting sectors like gaming and financial services. This vulnerability follows a history of heavily exploited Drupal flaws, such as Drupalgeddon and Drupalgeddon2. → securityweek.com |
| 2026-05-22 2026 | Drupal Core SQL Injection Vulnerability (CVE-2026-9082) news | A critical SQL injection vulnerability has been discovered in Drupal Core, identified as CVE-2026-9082. This flaw allows attackers to execute arbitrary SQL queries, potentially leading to data breaches or system compromise. The vulnerability affects specific versions of Drupal Core. Users are strongly advised to update their Drupal installations to the latest secure version to mitigate this risk. Further details and mitigation steps can be found at the provided link. No specific bounty payout amount is mentioned in the content. → securityboulevard.com |
| 2026-05-22 2026 | CVE-2026-9082: Critical Drupal Core SQLi Flaw news | Analysis of CVE-2026-9082 reveals a critical SQL injection vulnerability in Drupal Core affecting PostgreSQL databases. Exploitable by anonymous attackers, this flaw in the database abstraction API allows specially crafted requests to bypass sanitization, leading to information disclosure, privilege escalation, or remote code execution. Remediation involves updating to fixed Drupal versions (e.g., 11.3.10, 10.6.9) or applying best-effort patches for unsupported branches, prioritizing internet-facing sites. The update also includes critical upstream fixes for Symfony and Twig. → socprime.com |
| 2026-05-22 2026 | Drupal: Critical SQL injection flaw now targeted in attacks news | Writeup of CVE-2026-9082, a critical SQL injection vulnerability in Drupal's database abstraction API, discovered by Michael Maturi. This flaw allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution, privilege escalation, and information disclosure, particularly when using PostgreSQL. Exploitation attempts are actively being detected in the wild. Administrators are urged to update to patched versions of Drupal immediately, as older unsupported versions pose significant risks. → bleepingcomputer.com |
| 2026-05-22 2026 | Drupal Emergency Patch Issued As Critical SQL Injection Bug Hits Open Source Stack - Open Source For You news | Library of emergency patches addressing CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core's database abstraction API. This flaw, exploitable remotely by unauthenticated attackers, can lead to data theft, RCE, and database compromise. The vulnerability also necessitated upstream security updates for Symfony and Twig, with Twig version 3.26.0 released. While primarily impacting Drupal sites using PostgreSQL, all administrators are urged to patch due to broader ecosystem implications. → opensourceforu.com |
| 2026-05-22 2026 | Ghost CMS Mass Compromised via CVE-2026-26980 Now Fueling ClickFix Attacks news | Ghost CMS instances are being massively compromised through a vulnerability identified as CVE-2026-26980. This exploit is now being leveraged to fuel "ClickFix" attacks. The content does not specify any bug bounty payout amounts. |
| 2026-05-21 2026 | Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking news | Library update addresses CVE-2026-9082, a highly critical SQL injection vulnerability in Drupal's database query sanitization API, specifically affecting PostgreSQL databases. This flaw allows unauthenticated attackers to obtain information, escalate privileges, or achieve remote code execution. The patch also resolves important vulnerabilities in Symfony and Twig dependencies. Updates are available for Drupal versions 11.3, 11.2, 10.6, and 10.5.x. → securityweek.com |
| 2026-05-21 2026 | CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004) news | A highly critical SQL injection vulnerability, identified as CVE-2026-9082, has been discovered in Drupal Core. This vulnerability, detailed in SA-CORE-2026-004, allows attackers to execute arbitrary SQL commands, potentially leading to data breaches or system compromise. Users are strongly advised to update their Drupal installations immediately to patch this severe security flaw. → securityboulevard.com |
| 2026-05-21 2026 | Critical Drupal Core Vulnerability Exposes Websites to Attacks news | Advisory SA-CORE-2026-004 details CVE-2026-9082, a critical SQL injection vulnerability in Drupal core's database abstraction API affecting PostgreSQL users. This unauthenticated flaw, rated 20/25 on Drupal's scale, allows attackers to bypass sanitization and execute malicious SQL, potentially leading to data disclosure, privilege escalation, or RCE. Supported versions 11.3.x, 11.2.x, 10.6.x, and 10.5.x require immediate updates. Legacy branches and Drupal 8/9 versions have specific patching instructions or manual file applications. → cyberpress.org |
| 2026-05-21 2026 | Drupal admins rushing to patch maximum severity SQL injection vulnerability news | Library updates address CVE-2026-9082, a critical SQL injection vulnerability in Drupal's core database abstraction API, particularly affecting PostgreSQL users. This flaw allows anonymous users to perform information disclosure, privilege escalation, or remote code execution. The patch also includes crucial upstream security fixes for Symfony and Twig dependencies, necessitating updates for all Drupal environments. Administrators are strongly advised to patch immediately and consider auditing access permissions for Twig template updates. → csoonline.com |
| 2026-05-19 2026 | Critical PostgreSQL Vulnerabilities Enables Code Execution and SQL Injections news | Reference detailing 11 critical PostgreSQL vulnerabilities, including CVE‑2026‑6637 enabling arbitrary code execution via the refint module, and SQL injection flaws in logical replication (CVE‑2026‑6476, CVE‑2026‑6638). Also addresses memory corruption (CVE‑2026‑6473), client-side risks with libpq (CVE‑2026‑6477), and file overwrite issues in backup utilities (CVE‑2026‑6475), affecting PostgreSQL 14 through 18. → cybersecuritynews.com |
| 2026-05-19 2026 | Critical PostgreSQL Flaws Enable Code Execution and SQL Injection news | Library updates for PostgreSQL address 11 CVEs, including stack buffer overflows (CVE-2026-6637), SQL injection, memory disclosure, and denial-of-service vulnerabilities across supported versions 14 through 18. Exploitable flaws allow arbitrary code execution as the OS user running the database server, SQL injection via cascade primary keys, and out-of-bounds writes. Additional issues include data overwrites in client tools like `psql` and `pg_dump` via libpq large-object functions (CVE-2026-6477), and path traversal with symlink following in `pg_basebackup` and `pg_rewind` (CVE-2026-6475). Legacy MD5 authentication is also vulnerable to timing attacks (CVE-2026-6478). → cyberpress.org |
| 2026-05-19 2026 | PostgreSQL Flaws Expose Databases to Remote Code Execution and SQL Injection news | Analysis of critical PostgreSQL security updates addressing 11 vulnerabilities, including remote code execution (RCE) via stack buffer overflows in the refint module (CVE-2026-6637) and SQL injection flaws in replication features (CVE-2026-6472, CVE-2026-6476, CVE-2026-6638). Versions 14 through 18 are affected, with patched releases including 18.4, 17.10, 16.14, 15.18, and 14.23. Other identified issues encompass memory corruption, privilege escalation, symlink attacks (CVE-2026-6475), and timing attacks on authentication (CVE-2026-6478). → gbhackers.com |
| 2026-05-18 2026 | 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws news | Writeup detailing CVE-2026-4782 and CVE-2026-4798, impacting over one million WordPress sites via the Avada Builder plugin. The arbitrary file read vulnerability allows low-privileged users to access sensitive server files, including wp-config.php, while the SQL injection flaw enables unauthenticated attackers to extract user credentials and password hashes. Patches are available in Avada Builder versions 3.15.2 and 3.15.3. → cybersecuritynews.com |
| 2026-05-18 2026 | 1 Million WordPress Websites Exposed by Avada Builder Security Vulnerabilities news | Library update addressing CVE-2026-4782 and CVE-2026-4798 in Avada Builder, a WordPress plugin used by over a million sites. The arbitrary file read vulnerability (CVSS 6.5) allows authenticated users to extract sensitive files like wp-config.php. The SQL injection vulnerability (CVSS 7.5) enables unauthenticated attackers to perform time-based blind SQL injection attacks. Updates to version 3.15.3 are recommended to mitigate these risks. → gbhackers.com |
| 2026-05-18 2026 | SQL Injection File Read Vulnerability Affect 1M Avada WordPress Sites news | Writeup of CVE-2026-4798 and CVE-2026-4782, two critical vulnerabilities in the Avada Builder WordPress plugin. CVE-2026-4798 is a SQL injection flaw allowing unauthenticated attackers to extract database records via time-based blind attacks when WooCommerce is deactivated. CVE-2026-4782 is a file read vulnerability enabling authenticated users with Subscriber-level access to read arbitrary server files, including wp-config.php, by exploiting the fusion_get_svg_from_file() function. Both vulnerabilities affect millions of sites and require immediate updates to Avada Builder version 3.15.3. → cyberpress.org |
| 2026-05-15 2026 | Two vulnerabilities found in popular WordPress plugin Avada Builder news | Writeup detailing two vulnerabilities in the Avada Builder WordPress plugin, affecting over a million installations. CVE-2026-4782, an arbitrary file read, requires subscriber-level access, while CVE-2026-4798, a high-severity SQL injection, is exploitable without authentication, potentially leading to password hash exfiltration. Patches were released in April/May 2026, with users urged to update to version 3.15.3+. → scworld.com |
| 2026-05-14 2026 | Avada Builder Flaws Expose One Million WordPress Sites news | Analysis of CVE-2026-4782 and CVE-2026-4798 in Avada Builder, two vulnerabilities affecting nearly one million WordPress sites. The arbitrary file read flaw, CVSS 6.5, allows authenticated subscribers to read sensitive files like wp-config.php via the fusion_section_separator shortcode. The time-based SQL injection, CVSS 7.5, impacts sites with deactivated WooCommerce, exploiting an unescaped product_order parameter. Patches were released in versions 3.15.2 and 3.15.3. → infosecurity-magazine.com |
| 2026-05-13 2026 | Bug hunter tracks down three serious MCP database flaws one left unpatched news | Writeup detailing three critical vulnerabilities discovered in MCP databases by a security researcher. One of these flaws, impacting Apache and Alibaba databases, remains unpatched by the vendor, highlighting ongoing supply chain security risks within open-source software. The article emphasizes how AI-driven tools are increasing vulnerability discovery rates, leading to a surge in patches and a growing "vulnpocalypse." → theregister.com |
| 2026-05-12 2026 | SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA news | Writeup on SAP S/4HANA vulnerabilities, detailing CVE-2026-34260, a critical SQL injection flaw with a CVSS of 9.6. This vulnerability, patched via SAP Security Note 3724838, allows attackers to manipulate sensitive corporate financial data. The entry also covers CVE-2026-34263 in SAP Commerce Cloud, CVE-2026-34259 in SAP Forecasting and Replenishment, and CVE-2026-40135 in SAP NetWeaver, highlighting the urgency of applying SAP's May 2026 security patches. → cybersecuritynews.com |
| 2026-05-12 2026 | SAP Releases Patch for Critical SQL Injection Flaw in S/4HANA news | Reference of SAP's May 2026 security patches addresses critical SQL injection (CVE-2026-34260) in S/4HANA ABAP enterprise search, a missing authentication check vulnerability (CVE-2026-34263) in Commerce Cloud, and an OS command injection flaw (CVE-2026-34259) in forecasting and replenishment software. These patches also mitigate medium-severity issues including XSS and DoS across Business Objects and NetWeaver. → gbhackers.com |
| 2026-05-12 2026 | SAP Patches Critical SQL Injection Flaw in SAP S/4HANA news | Patching SAP S/4HANA is critical due to CVE-2026-34260, a SQL injection vulnerability allowing attackers to steal, modify, or delete sensitive business records. Another critical flaw, CVE-2026-34263, in SAP Commerce Cloud permits unauthorized access and remote compromise. The May 2026 update also addresses OS command injection (CVE-2026-34259) and other vulnerabilities across SAP Business Objects, NetWeaver, and SAPUI5, emphasizing the need for prompt mitigation to protect enterprise landscapes. → cyberpress.org |
| 2026-05-11 2026 | U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog news | CVE-2026-42208 is a critical SQL injection vulnerability in BerriAI LiteLLM versions 1.81.16 to 1.83.6, allowing unauthenticated attackers to access and potentially modify database data via a crafted Authorization header. This flaw was added to CISA's Known Exploited Vulnerabilities catalog due to rapid real-world exploitation observed shortly after disclosure, with attackers targeting sensitive information like virtual API keys and credentials. A fix is available in LiteLLM version 1.83.7. → securityaffairs.com |
| 2026-05-01 2026 | CVE-2026-42208: Pre-Authentication SQL Injection in LiteLLM Exposes API Credentials news API Sec | A critical SQL injection vulnerability, CVE-2026-42208, has been discovered in LiteLLM. This pre-authentication flaw allows attackers to execute arbitrary SQL queries without needing to log in. The exploitation of this vulnerability can lead to the exposure of sensitive API credentials, posing a significant security risk. This allows unauthorized access and potential compromise of services integrated with LiteLLM. → securityboulevard.com |
| 2026-04-30 2026 | CVE-2026-42208: Critical Pre-Auth SQL Injection in LiteLLM Actively Exploited Within 36 Hours of Disclosure news | Writeup of CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM, which was actively exploited within 36 hours of disclosure. Attackers leveraged improper handling of the HTTP Authorization header to inject SQL into PostgreSQL databases, targeting sensitive data like API keys and provider credentials. Exploitation involved schema enumeration and targeted UNION SELECT payloads, originating from IP addresses associated with 3xK Tech GmbH. Mitigation requires upgrading LiteLLM, rotating credentials, and auditing logs for suspicious activity. → rescana.com |
| 2026-04-30 2026 | ProFTPDs SQL Injection Vulnerability Enables Remote Code Execution Attacks intermediate RCE | Writeup of CVE-2026-42167, a critical SQL injection vulnerability in ProFTPD's mod_sql extension. This flaw, with a CVSS score of 8.1, can lead to authentication bypass, data theft via blind SQL injection, or remote code execution by leveraging PostgreSQL's COPY TO PROGRAM feature. Exploitation occurs when crafted usernames bypass sanitization in the is_escaped_text() function, allowing attackers to execute unauthorized SQL commands. Immediate patching to ProFTPD 1.3.9a or disabling SQL logging via mod_sql is recommended. → cybersecuritynews.com |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Opens Door To Remote Code Execution Attacks intermediate RCE | Writeup of CVE-2026-42167, a critical SQL injection flaw in ProFTPD's mod_sql extension. This vulnerability, with a CVSS score of 8.1, allows remote attackers to bypass authentication, escalate privileges, and potentially achieve remote code execution by injecting malicious SQL commands into usernames or other input fields. The impact ranges from data theft and credential compromise to full system control when ProFTPD is configured with PostgreSQL and elevated privileges. Versions prior to ProFTPD 1.3.9a are affected. → gbhackers.com |
| 2026-04-30 2026 | CVE-2026-42208: LiteLLM SQL Injection Leaks Upstream API Keys news AI | Writeup on CVE-2026-42208 detailing a pre-authentication SQL injection vulnerability in the LiteLLM AI gateway. This critical flaw, with a CVSS score of 9.3, allows attackers to extract all upstream API keys stored by LiteLLM, including those for OpenAI, Anthropic, and Google. Exploitation occurred rapidly after disclosure, underscoring the need to upgrade to LiteLLM version 1.83.7-stable immediately and rotate all exposed API keys. |
| 2026-04-30 2026 | ProFTPD SQL Injection Flaw Enables Remote Code Execution intermediate RCE | Writeup of CVE-2026-42167, a critical SQL injection flaw in ProFTPD's mod_sql extension enabling remote code execution, authentication bypass, and privilege escalation before authentication. This vulnerability, exploitable via crafted usernames in the USER command by manipulating % expansions in SQL logging, affects numerous internet-exposed ProFTPD instances, many bundled with web hosting control panels like cPanel and Plesk. A patch is available in ProFTPD version 1.3.9a. → cyberpress.org |
| 2026-04-29 2026 | CVE-2026-42208: LiteLLM bug exploited 36 hours after its disclosure news AI | Writeup of CVE-2026-42208 in LiteLLM, an SQL injection vulnerability in the proxy API key verification. Attackers exploited this flaw rapidly, within 36 hours of its disclosure, targeting sensitive data like virtual API keys and provider credentials by crafting malicious Authorization headers. The vulnerability affected LiteLLM versions 1.81.16 to 1.83.6 and was patched in 1.83.7. → securityaffairs.com |
| 2026-04-29 2026 | LiteLLM exploited within 36 hours of disclosure via SQL injection bug news AI | Library vulnerability: CVE-2026-42208 in LiteLLM, an LLM proxy, allowed attackers to read and modify database data, accessing provider credentials like those from OpenAI and Anthropic, and exposing sensitive IP and employee data. Exploitation occurred within 36 hours of disclosure, highlighting the accelerating trend of rapid weaponization enabled by AI, outpacing previous vulnerability disclosure timelines. → scworld.com |
| 2026-04-29 2026 | Fresh LiteLLM Vulnerability Exploited Shortly After Disclosure news AI | Library for securing AI gateways; a critical-severity SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in LiteLLM allowed unauthenticated attackers to exfiltrate database credentials and API keys by exploiting the proxy API key verification process. Attacks were observed shortly after disclosure, targeting database tables containing sensitive information. LiteLLM version 1.83.7 resolves this by properly parameterizing database queries. → securityweek.com |
| 2026-04-29 2026 | 38 Vulnerabilities Found in OpenEMR Medical Software news Mobile | Analysis of OpenEMR reveals 38 CVE-assigned vulnerabilities, including critical SQL injection flaws (CVE-2026-24908, CVE-2026-23627) allowing database compromise and PHI exfiltration, and an authorization bypass (CVE-2026-24487) exposing patient data. These issues, primarily stemming from authorization flaws, were identified by Aisle and have since been patched by OpenEMR developers. → securityweek.com |
| 2026-04-29 2026 | LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure news | Writeup of CVE-2026-42208, a critical SQL injection vulnerability in BerriAI's LiteLLM Python package, actively exploited within 36 hours of disclosure. The flaw, affecting versions between 1.81.16 and 1.83.7, allowed unauthenticated attackers to modify the LiteLLM proxy database, potentially accessing and altering credentials for LLM providers like OpenAI, Anthropic, and AWS. Exploitation attempts targeted tables such as `litellm_credentials.credential_values`, suggesting attackers sought to compromise cloud-grade credentials managed by the AI gateway. → thehackernews.com |
| 2026-04-28 2026 | Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw news | Library for securing LiteLLM, an open-source LLM gateway, against the CVE-2026-42208 pre-authentication SQL injection vulnerability. Attackers exploit this flaw in the API key verification step to access and modify sensitive data, including API keys, credentials, and environment secrets. The vulnerability allows unauthorized access to the proxy and managed credentials, with active exploitation observed targeting specific tables containing secrets from providers like OpenAI and Anthropic. A fix is available in LiteLLM version 1.83.7. → bleepingcomputer.com |
| 2026-04-28 2026 | Critical LiteLLM SQL Injection Vulnerability Exploited in the Wild news | Writeup detailing CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in the LiteLLM AI gateway. This flaw, actively exploited in the wild, allows attackers to extract sensitive cloud and AI provider credentials from the PostgreSQL database by targeting tables like `litellm_credentials`. The exploit targets the unprotected Authorization Bearer header and has been observed in coordinated, data-extraction efforts. Immediate patching to version 1.83.7 and credential rotation are strongly advised, along with auditing logs for suspicious activity. → cybersecuritynews.com |
| 2026-04-28 2026 | Critical LiteLLM SQL Injection Vulnerability Exploited in the Wild news | Writeup on CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in the LiteLLM gateway. Threat actors are actively exploiting this flaw to steal API keys and provider credentials by injecting malicious SQL commands due to improper handling of the Authorization header and a failure to use parameterized queries. Exploitation attempts, observed within 36 hours of disclosure, involved column enumeration and IP rotation, targeting tables like LiteLLM_VerificationToken and litellm_credentials to gain access to AI services. Administrators must upgrade to LiteLLM version 1.83.7 and rotate all compromised credentials. → cyberpress.org |
| 2026-04-28 2026 | Critical LiteLLM Flaw Enables Database Attacks Through SQL Injection news | Writeup on CVE-2026-42208, a critical pre-authentication SQL injection vulnerability in LiteLLM. This flaw allows unauthenticated attackers to execute arbitrary SQL queries against the database due to improper header parameterization. Attackers have been observed exploiting this to steal API keys and provider credentials, demonstrating targeted extraction techniques like column-count enumeration. Updating to LiteLLM version 1.83.7 is crucial, and internet-facing instances should be considered compromised, necessitating immediate secret rotation. → gbhackers.com |
| 2026-04-28 2026 | LiteLLM Contains Critical SQL Injection Vulnerability news API Sec | LiteLLM, a popular open-source library for interacting with large language models, has a critical SQL injection vulnerability. This flaw could allow attackers to execute arbitrary SQL commands, potentially leading to data theft or unauthorized modifications. The vulnerability is found in the library's handling of user inputs. Further details can be found at the provided link. → letsdatascience.com |
| 2026-04-23 2026 | LangChain framework hit by several worrying security issues here's what we know news | LangChain framework hit by several worrying security issues — here's what we know https://ift.tt/XaO0IvB → msn.com |
| 2026-04-22 2026 | CVE-2025-1094: PostgreSQL SQL Injection Vulnerability news | Writeup of CVE-2025-1094, a critical SQL injection vulnerability in PostgreSQL affecting PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() functions, as well as the psql terminal. Exploitation is possible through improper neutralization of quoting syntax and invalid multibyte characters, potentially leading to arbitrary code execution. Versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. |
| 2026-04-22 2026 | SQLMap Tamper Collection: Modern WAF Bypass Scripts (Cloudflare, AWS, Azure) intermediate | Library for context-aware SQL transformation and WAF bypass, supporting Cloudflare, AWS, and Azure. It features a full SQL lexer with UUID tracking, multi-character operator support, and deterministic output preserving SQL validity. Transformations include keyword wrapping, space replacement, value encoding, and case alternation, with advanced options like homoglyphs and numeric obfuscation. The framework maintains SQL structure, handles nested subqueries, and offers reapplication protection, designed primarily for MySQL syntax. |
| 2026-04-22 2026 | SQL Injection and Postgres: An Adventure to Eventual RCE intermediate | Library for leveraging PostgreSQL functions to achieve Remote Code Execution (RCE) via SQL Injection. This resource details exploiting an ORDER BY clause injection in a Flask application, demonstrating techniques for data exfiltration using error messages and the `query_to_xml` function to bypass row limitations and achieve command execution as the database user. |
| 2026-04-22 2026 | Pentesting PostgreSQL with SQL Injections intermediate | Library for analyzing and exploiting SQL injection vulnerabilities specifically targeting PostgreSQL. It details bypass methods for web application firewalls, techniques for data exfiltration across various query clauses including SELECT, WHERE, FROM, and ORDER BY, and demonstrates how to exploit nested queries. The resource covers bypassing spaces, trailing data, quotation marks using dollar quoting or `CHR()` function, and utilizes time-based blind SQL injection with concatenation and conditional logic for data leakage. → onsecurity.io |
| 2026-04-22 2026 | NoSQL Injection: Advanced Exploitation Guide advanced | Guide to exploiting NoSQL injection vulnerabilities, detailing how improper input sanitization allows attackers to bypass authentication on MongoDB and other databases. It covers identifying injections by manipulating syntax and using operators like `$gt` and `$ne`, and demonstrates advanced techniques such as extracting data through time delays using the `$where` operator. → intigriti.com |
| 2026-04-22 2026 | Exploits Explained: NoSQL Injection Returns Private Information beginner | Writeup detailing a NoSQL injection vulnerability discovered in an application's `/api/[CLIENT_NAME]/Customers` and `/api/[CLIENT_NAME]/CustomerLogins` endpoints. The author leveraged MongoDB query operators, specifically `gt`, to bypass filters and extract sensitive PII, including email addresses, usernames, password hashes, and phone numbers, from the administrator user. The exploit involved manipulating the `$filter` parameter to retrieve data beyond the intended scope. |
| 2026-04-22 2026 | CVE-2025-52694 PoC: Critical SQL Injection in Advantech IoTSuite/SaaS-Composer news | Toolchain for CVE-2025-52694, a critical unauthenticated SQL Injection vulnerability impacting Advantech IoTSuite/SaaS-Composer products prior to specific versions. The PoC offers a standalone Python script for time-based SQL injection tests and a nuclei template utilizing a clusterbomb attack to discover vulnerable `org_id` values. Exploitation allows for database dumping, data modification, and potential RCE by unsafely concatenating the `filename` parameter into PostgreSQL queries. |
| 2026-04-22 2026 | MCP Vulnerability Case Study: SQL Injection in the Postgres MCP Server intermediate | Writeup on a SQL injection vulnerability in Anthropic's reference Postgres MCP server, allowing arbitrary SQL execution by terminating the read-only transaction with a `COMMIT;` statement. Though deprecated, the `@modelcontextprotocol/server-postgres` NPM package and `mcp/postgres` Docker image see significant weekly downloads. The vulnerability is patched in the Zed Industries fork (`@zeddotdev/postgres-context-server` v0.1.4) and an unreleased reference implementation. Users should avoid the deprecated server for sensitive data and consider the Zed Industries fork for mitigation. → securitylabs.datadoghq.com |
| 2026-04-22 2026 | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections advanced | BWAFSQLi: Bypassing Web Application Firewall with Adversarial SQL Injections → dl.acm.org |
| 2026-04-19 2026 | Unauthenticated SQL Injection in GUI — Fortinet PSIRT intermediate | Analysis of unauthenticated SQL injection in FortiWeb's GUI, allowing code execution via crafted HTTP/HTTPS requests. This vulnerability (CWE-89) has been observed exploited in the wild, with a workaround involving disabling the administrative interface. The report originates from Fortinet PSIRT, with credit to Kentaro Kawane. |
| 2026-04-19 2026 | CVE-2025-1094 WebSocket and SQL Injection Exploit Script news | Exploit script for CVE-2025-1094, a PostgreSQL vulnerability enabling SQL Injection to achieve Remote Code Execution. This proof of concept demonstrates hijacking WebSocket connections after injecting malicious SQL using `lo_export` to read sensitive files, ultimately establishing a reverse shell. The script requires configuration of attacker IP/port, target URL, and WebSocket URL. |
| 2026-04-19 2026 | CVE-2025-1094: PostgreSQL psql SQL Injection (Fixed) — Rapid7 news | Analysis of CVE-2025-1094, a high-severity SQL injection vulnerability in PostgreSQL's psql tool, impacting versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. Discovered by Rapid7, this flaw, with a CVSS 3.1 score of 8.1, arises from improper handling of escaped untrusted input containing invalid UTF-8 characters. Exploitation can lead to arbitrary code execution via meta-commands or arbitrary SQL statement execution. This vulnerability was found to be a prerequisite for exploiting CVE-2024-12356 against BeyondTrust products, though both are now patched. → rapid7.com |
| 2026-04-19 2026 | PostgreSQL CVE-2025-1094: Quoting APIs SQL Injection intermediate | Library detailing SQL injection vulnerabilities in PostgreSQL's quoting APIs, specifically PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn(). The vulnerability, identified as CVE-2025-1094, allows attackers to inject SQL when application inputs are constructed into psql commands. It also affects command-line utilities under specific client and server encoding conditions (BIG5, EUC_TW, MULE_INTERNAL). Versions prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected. |
| 2026-04-19 2026 | CVE-2025-26794: Blind SQL Injection in Exim 4.98 — Writeup intermediate | Writeup detailing CVE-2025-26794, a blind SQL injection vulnerability in Exim 4.98 when SQLite is used as the DBM. The vulnerability arises from unsanitized SQL parameters within the ETRN command's semaphore handling in `hintsdb.h`, allowing remote users to craft malicious SQLite queries. This writeup covers the exploitation vector via the ETRN command to manipulate Exim's internal SQLite database, potential impacts including DoS and hypothetical RCE, and provides a Docker lab for reproduction. |
| 2026-04-17 2026 | April 2026 Patch Tuesday: Critical Vulnerabilities in SAP Adobe Microsoft SharePoint Fortinet and ColdFusion Threaten Enterprise Security news | Advisory detailing critical vulnerabilities patched in April 2026 across SAP Business Planning and Consolidation (CVE-2026-27681, SQL injection), Adobe Acrobat Reader (CVE-2026-34621, RCE, actively exploited), Adobe ColdFusion (CVE-2026-34619, CVE-2026-27304, CVE-2026-27305, CVE-2026-27282, CVE-2026-27306, path traversal, ACE), Fortinet FortiSandbox (CVE-2026-39813, CVE-2026-39808, path traversal, command injection), and Microsoft SharePoint Server (CVE-2026-32201, spoofing, data exposure, actively exploited), posing risks of data exfiltration and system compromise. → rescana.com |
| 2026-04-16 2026 | SQLMap Cheat Sheet: Commands, Options, and Advanced Features intermediate | Cheatsheet detailing sqlmap commands, options, and advanced features for automating SQL injection detection and exploitation. It covers system requirements, installation, various SQLi attack techniques including in-band (error-based, union-based, stacked queries, inline queries), out-of-band, inferential (boolean, time-based), and compound attacks, alongside essential options for reconnaissance, enumeration, and vulnerability scanning. |
| 2026-04-16 2026 | Identifying SQL Injections in a GraphQL API intermediate | Writeup detailing a time-based SQL injection vulnerability discovered in a GraphQL API backed by a PostgreSQL database. The technique involves intercepting requests via Burp Suite, altering client-generated search terms with SQL payloads, and analyzing response times to confirm command execution and enumerate database schema. The writeup also touches on potential for privilege escalation and RCE via CVE-2019–9193, and reiterates parameterized queries as a key mitigation. |
| 2026-04-16 2026 | SQL Injection Cheat Sheet - Invicti beginner | Library of SQL injection payloads and techniques for MySQL, Microsoft SQL Server, Oracle, PostgreSQL, and SQLite, offering detailed technical information and attack vectors. This resource is useful for penetration testers and developers interested in web application security, covering exploitation methods like UNION attacks, blind SQL injection with IF statements and CASE expressions, hex value usage, string concatenation, and error-based injection, also noting the role of DAST tools like Invicti for automated detection. → invicti.com |
| 2026-04-16 2026 | Exploiting Time-Based SQL Injections: Data Exfiltration intermediate | Exploiting Time-Based SQL Injections: Data Exfiltration |
| 2026-04-16 2026 | Second-Order SQL Injection with Stored Procedures and DNS-Based Egress advanced | Writeup detailing the detection and exploitation of a second-order SQL injection vulnerability, leveraging Out-of-Band (OOB) techniques via DNS exfiltration. The technique involves exploiting a Microsoft Excel report export feature where a crafted payload in the date parameter, when processed by the `xp_dirtree` stored procedure, triggers DNS requests to an attacker-controlled server. This allows for the disclosure of sensitive database information, including usernames and tables, by chaining SQL Server UNC Path Injection with DNS-based data exfiltration. |
| 2026-04-16 2026 | When the Database Won't Talk: A Deep Dive into Blind SQLi intermediate | Reference detailing Blind SQL Injection techniques, including Boolean-based, Time-based with SQL variants like `SLEEP()` and `pg_sleep()`, and Out-of-Band (OOB) methods involving DNS or HTTP callbacks. It highlights attacker exploitation methods and defense strategies such as parameterized queries, input sanitization, and monitoring for inconsistent behavior, response time variations, or external service interactions. The entry also mentions the Hadrian platform for detecting these vulnerabilities. |
| 2026-04-16 2026 | Advanced Boolean-Based SQLi Filter Bypass Techniques advanced | Technique for bypassing libinjection filters in Web Application Firewalls using advanced boolean-based SQL injection. This method leverages MySQL string functions like `INSERT`, `REPEAT`, `REPLACE`, `RIGHT`, `WEIGHT_STRING`, conditional constructs such as `IF` statements, and the `RLIKE` operator for bruteforcing hashed passwords. It also incorporates comments and assignment operators (`:=`) within SQL syntax to evade detection by security tools. |
| 2026-04-16 2026 | WAF Bypass Techniques for SQL Injection intermediate | WAF Bypass Techniques for SQL Injection |
| 2026-04-16 2026 | Exploiting Second-Order SQL Injection to Retrieve the Flag intermediate | Exploiting Second-Order SQL Injection to Retrieve the Flag |
| 2026-04-16 2026 | Exploiting SQL Injection Vulnerability - Bug Bounty Writeup intermediate | Exploiting SQL Injection Vulnerability - Bug Bounty Writeup |
| 2026-04-16 2026 | LangChain framework hit by several worrying security issues here's what we know news | LangChain framework hit by several worrying security issues — here's what we know https://ift.tt/ENiUzLF → msn.com |
| 2026-04-15 2026 | SAP Security Patch Day April 2026: Critical Vulnerabilities CVSS 9.9 SQL Injection and Authorization Risks news | Analysis of SAP Security Patch Day April 2026 highlights critical vulnerabilities, including a CVSS 9.9 SQL injection in SAP Business Planning and Consolidation and SAP Business Warehouse, allowing authenticated users to execute arbitrary SQL. A high-severity authorization flaw in SAP ERP and SAP S/4HANA, with a CVSS of 7.1, permits authenticated users to overwrite existing executable reports. Medium-priority issues affect SAP BusinessObjects BI Platform with denial-of-service and SAP Human Capital Management for SAP S/4HANA with information disclosure. Practitioners like SecurityBridge, Pathlock, and Layer Seven Security detail exploitation paths, internal authorization risks, and cross-layer exposure across SAP environments. |
| 2026-04-15 2026 | FortiClient Hit by Severe SQL Injection Vulnerability Enabling Database Intrusion news | Writeup of CVE-2026-21643, a critical SQL injection vulnerability in FortiClient Enterprise Management Server (EMS) version 7.4.4. This pre-authentication flaw allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests to the `/api/v1/init_consts` endpoint. Exploitation enables total database control, including stealing credentials, certificates, and potentially achieving full network takeover. Fortinet patched the issue in version 7.4.5 by properly sanitizing HTTP header input. → gbhackers.com |
| 2026-04-14 2026 | CISA Warns of Fortinet SQL Injection Vulnerability Actively Exploited in Attacks news | Vulnerability writeup detailing CVE-2026-21643, an unauthenticated SQL injection in Fortinet FortiClient Enterprise Management Server (EMS). This CWE-89 flaw allows remote attackers to execute unauthorized code by sending crafted HTTP requests, posing a significant risk to corporate networks. CISA has added this to its Known Exploited Vulnerabilities catalog, mandating a rapid patching timeline for federal agencies and recommending similar urgency for private sector organizations. Immediate application of Fortinet patches, monitoring for unusual traffic, and securing cloud deployments are crucial mitigation steps. → cybersecuritynews.com |
| 2026-04-14 2026 | SAP Patch Day Fixes Critical SQL Injection DoS and Code Injection Flaws news | Analysis of SAP's monthly patch day, addressing 19 new security notes and one update, details critical vulnerabilities including SQL injection (CVE-2026-27681) in Business Planning and Consolidation and Business Warehouse, a Denial of Service in BusinessObjects (CVE-2025-64775), and code injection in NetWeaver (CVE-2026-27674). It also highlights a missing authorization check in ERP and S/4 HANA (CVE-2026-34256) and a cross-site scripting flaw in Supplier Relationship Management (CVE-2026-0512), emphasizing the need for immediate remediation. → gbhackers.com |
| 2026-04-14 2026 | SAP Patch Day Fixes Critical SQL Injection DoS and Code Injection Flaws news | Notes detail critical SQL injection (CVE-2026-27681, CVSS 9.9) in SAP Business Planning and Consolidation and SAP Business Warehouse, along with missing authorization (CVE-2026-34256) in SAP ERP and S/4HANA. Medium-severity flaws include denial of service (CVE-2025-64775) in SAP BusinessObjects and code injection (CVE-2026-27674) in SAP NetWeaver AS Java. Administrators must apply Security Note 3719353 and other patches to mitigate these risks. → cyberpress.org |
| 2026-04-14 2026 | CISA Warns of Fortinet SQL Injection Flaw Actively Exploited in Attacks news | Advisory on CVE-2026-21643, a critical unauthenticated SQL injection (CWE-89) vulnerability affecting Fortinet's FortiClient Enterprise Management Server, is actively exploited in real-world attacks. CISA has added this flaw to its Known Exploited Vulnerabilities catalog, mandating immediate patching or mitigation for organizations to prevent unauthorized code execution and system compromise. → cyberpress.org |
| 2026-04-14 2026 | CISA Warns Fortinet SQL Injection Flaw Is Being Actively Exploited news | Alert regarding CVE-2026-21643, an unauthenticated SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS). This critical flaw (CWE-89) allows remote code execution via crafted HTTP requests, is actively exploited, and requires immediate patching or mitigation by April 16, 2026, according to CISA. → gbhackers.com |
| 2026-04-14 2026 | SAP Patch Day Fixes Critical SQL Injection DoS and Code Injection Flaws news | Library of SAP security notes addressing critical flaws including CVE-2026-27681, a SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse, and CVE-2026-34256, an authorization bypass in SAP ERP and SAP S/4HANA. Further patches mitigate denial of service via CVE-2025-64775 in SAP BusinessObjects, code injection in SAP NetWeaver Application Server Java (CVE-2026-27674) and SAP Landscape Transformation (CVE-2026-27675), and cross-site scripting in SAP Supplier Relationship Management (CVE-2026-0512). → cyberpress.org |
| 2026-04-11 2026 | 400K WordPress Sites Exposed by Elementor Ally Plugin SQL Flaw news | Library vulnerability in Elementor's Ally plugin, tracked as CVE-2026-2413, exposes over 400,000 WordPress sites to SQL injection attacks. Exploitable without authentication when the Remediation module is active, the flaw allows attackers to steal sensitive data like password hashes by manipulating database queries through crafted URL parameters. Elementor has released a patch, and users are advised to update the plugin, disable unused features, deploy a WAF, and enforce least privilege for database accounts. → esecurityplanet.com |
| 2026-04-10 2026 | SQL Injection in 2026: It Took One Apostrophe intermediate | SQL Injection in 2026: It Took One Apostrophe |
| 2026-04-10 2026 | Advanced SQL Injection Techniques in Modern Web Apps advanced | Writeup detailing advanced SQL injection techniques like second-order, time-based blind, and WAF bypasses through encoding and case variation. It emphasizes prevention strategies such as parameterized queries, strict input validation, and least privilege for database users, and mentions tools like SQLi Detector for automated testing, highlighting real-world applications in e-commerce platforms, CMS systems, and API endpoints. |
| 2026-04-10 2026 | Bypassing WAF with Adversarial SQL intermediate | Bypassing WAF with Adversarial SQL → dl.acm.org |
| 2026-04-10 2026 | WAF Bypass Using JSON-Based SQL Injection Attacks intermediate | Library entry detailing a WAF bypass technique using JSON-based SQL injection, building on research that found major vendors like Palo Alto Network, AWS, Cloudflare, F5, and Imperva failed to properly inspect JSON payloads. This method exploits the compatibility of databases such as PostgreSQL and MySQL with JSON, allowing malicious SQL commands to evade detection by many Web Application Firewalls. → picussecurity.com |
| 2026-04-10 2026 | SQL Injection Security Vulnerabilities beginner | SQL Injection Security Vulnerabilities |
| 2026-04-10 2026 | CVE Search: SQL Injection news | CVE Search: SQL Injection |
| 2026-04-10 2026 | SQL Injection - OWASP beginner | Reference on SQL Injection attacks, detailing how attackers insert malicious SQL queries into application inputs to access, modify, or delete sensitive database data. It covers common attack vectors, the high severity risk associated with these vulnerabilities, and provides examples of exploitation in PHP, ASP, J2EE, and ASP.NET applications. The OWASP resource also points to prevention strategies like parameterized SQL statements and code review guides. → owasp.org |
| 2026-04-10 2026 | SQL Injection Tutorial & Examples - PortSwigger beginner | Tutorial on SQL injection covers its definition, methods for finding and exploiting vulnerabilities such as retrieving hidden data, subverting application logic with UNION attacks, and blind SQL injection. It details manual detection techniques like using single quotes, SQL syntax, boolean conditions, and time delays, and mentions Burp Scanner for automated detection. The resource also addresses injection in different parts of SQL queries, including WHERE, UPDATE, INSERT, SELECT, and ORDER BY clauses, and provides practical examples. → portswigger.net |
| 2026-04-10 2026 | CVE-2026-26116: SQL Server SQL Injection news | Writeup of CVE-2026-26116, a SQL Injection vulnerability affecting Microsoft SQL Server. Exploiting CWE-89, an authenticated attacker can elevate privileges over a network by manipulating SQL commands. Attackers with low-privilege accounts can craft malicious SQL statements to bypass authorization, access sensitive data, or gain administrative control. Mitigation involves applying Microsoft security updates, implementing parameterized queries, restricting network access, and enabling comprehensive auditing. → sentinelone.com |
| 2026-04-10 2026 | SQL Injection 2025 Advanced Exploitation & Defense Guide advanced | Guide to advanced SQL injection exploitation and defense, detailing techniques like error-based, union-based, boolean-based, time-based blind, and out-of-band methods. It covers database-specific exploitation for MySQL and MSSQL, including file I/O, User-Defined Functions, and `xp_cmdshell`. The guide emphasizes the critical need for proper data sanitization and robust database security measures to prevent vulnerabilities such as CVE-2025-57423. |
| 2026-04-10 2026 | CVE-2025-25257: Critical SQLi in Fortinet FortiWeb news | Library of detection rules and threat intelligence for CVE-2025-25257, a critical SQL injection vulnerability in Fortinet FortiWeb. This unauthenticated flaw, rated 9.6 CVSS, allows arbitrary SQL command execution and potential remote code execution via crafted HTTP/HTTPS requests. The library offers curated detection algorithms compatible with SIEM, EDR, and Data Lake formats, mapped to MITRE ATT&CK, and enriched with CTI, attack timelines, and triage recommendations. It also features Uncoder AI for automated IOC conversion and detection rule generation from threat reports. → socprime.com |
| 2026-04-09 2026 | Claude Code Executes SQL Injection via CLAUDE.md news | Claude Code Executes SQL Injection via CLAUDE.md https://ift.tt/4pAwbMP → letsdatascience.com |
| 2026-04-09 2026 | Multiple SonicWall Vulnerabilities Enable SQL Injection and Privilege Escalation Attacks news | Advisory on multiple SonicWall vulnerabilities affecting SMA 1000 series appliances, including CVE-2026-4112 enabling SQL injection and privilege escalation, CVE-2026-4113 for user credential enumeration, CVE-2026-4114 and CVE-2026-4116 allowing TOTP bypass. Immediate hotfix application is required due to the severity of these flaws and lack of workarounds. → cybersecuritynews.com |
| 2026-04-09 2026 | Multiple SonicWall Vulnerabilities Enable SQL Injection and Privilege Escalation news | Writeup detailing multiple SonicWall vulnerabilities, including SQL injection (CVE-2026-4112) enabling privilege escalation for authenticated users, credential enumeration (CVE-2026-4113), and Unicode encoding flaws (CVE-2026-4114, CVE-2026-4116) permitting Time-based One-Time Password bypass. These issues affect SMA1000 series appliances and require immediate patching by upgrading to platform-hotfix 12.4.3-03387 or 12.5.0-02624 and later releases. → cyberpress.org |
| 2026-04-09 2026 | Multiple SonicWall Flaws Enable SQL Injection and Privilege Escalation Attacks news | Advisory detailing four SonicWall SMA1000 series vulnerabilities: CVE-2026-4112, a SQL injection allowing privilege escalation from read-only to primary administrator; CVE-2026-4113, an observable response discrepancy enabling credential enumeration; CVE-2026-4114 and CVE-2026-4116, both stemming from improper Unicode handling that bypasses Time-based One-Time Password (TOTP) authentication. → gbhackers.com |
| 2026-04-06 2026 | SQL Injection (SQLi) Guide - SecPortal beginner | SQL Injection (SQLi) Guide - SecPortal |
| 2026-04-06 2026 | CVE-2026-27697: Basercms SQLi Vulnerability news | Writeup of CVE-2026-27697, an unauthenticated SQL injection vulnerability affecting baserCMS versions prior to 5.2.3. Exploitation allows attackers to manipulate database queries through the blog posts functionality, potentially leading to unauthorized data access, modification, or deletion. The vulnerability stems from improper input validation and can be mitigated by upgrading to baserCMS 5.2.3 or later, implementing WAF rules, or temporarily disabling the blog posts feature. → sentinelone.com |
| 2026-04-06 2026 | CVE-2026-5197: Student Membership System SQLi Vulnerability news | Writeup of CVE-2026-5197, a SQL injection vulnerability in code-projects Student Membership System 1.0. The flaw in `/delete_user.php` allows remote authenticated attackers to inject malicious SQL commands via the ID parameter, potentially leading to unauthorized data access, modification, or deletion. Exploitation involves manipulating database queries using techniques like UNION-based or boolean-based blind injection. Mitigation includes implementing prepared statements, strict input validation, or WAF rules. → sentinelone.com |
| 2026-04-06 2026 | WAF Testing Guide: How to Validate Web Application Firewalls intermediate | Guide to validating Web Application Firewalls (WAFs) using Breach and Attack Simulation (BAS). This approach continuously tests WAF efficacy against real-world attack payloads, including obfuscated SQL injection, XSS, RCE, and SSRF variants, as well as protocol-level vulnerabilities like HTTP vs. HTTPS inspection gaps. Agent-based BAS offers deterministic validation by isolating WAF behavior, providing accurate metrics on prevention rates, detection rates, and mitigation gaps without risking production environments. → picussecurity.com |
| 2026-04-06 2026 | Bug Bounty Bootcamp #29: Boolean Blind SQL Injection Part 2 intermediate | Bug Bounty Bootcamp #29: Boolean Blind SQL Injection Part 2 → infosecwriteups.com |
| 2026-04-03 2026 | What is SQL Injection? How to Prevent SQL Injection | Fortinet beginner | What is SQL Injection? How to Prevent SQL Injection | Fortinet |
| 2026-04-03 2026 | Bypassing WAFs in 2025: New Techniques and Evasion Tactics advanced | Bypassing WAFs in 2025: New Techniques and Evasion Tactics |
| 2026-04-03 2026 | 7 Types of SQL Injection Attacks & How to Prevent Them beginner | Library detailing seven types of SQL injection attacks, including classic and blind SQLi. It explains how these attacks exploit un-sanitized user inputs to manipulate databases, leading to unauthorized access and data breaches. Prevention methods discussed include input sanitization, parameterized queries, least privilege access, and the use of Web Application Firewalls (WAFs). → sentinelone.com |
| 2026-04-03 2026 | SQLi Payloads - Classic, Blind, Error-Based, Time-Based, WAF Bypass intermediate | Library of SQL injection payloads and techniques, covering classic, blind, error-based, and time-based methods. Includes bypass strategies for Web Application Firewalls (WAFs) and showcases tools like SQLMap, jSQL Injection, BBQSQL, and NoSQLMap for exploitation and scanning. Techniques range from simple character injections and comments to advanced blind SQL-bitshifting and server-time-based attacks, with examples for MySQL, MariaDB, and more. |
| 2026-04-03 2026 | SQL Injection for Bug Bounty Hunters | YesWeHack beginner | Guide on SQL injection techniques for bug bounty hunters, covering blind SQLi, time-based attacks, and out-of-band callbacks. It details how to tailor payloads to SQL statements, integrate detection into bug bounty workflows, and exploit SQLi even in hardened systems, referencing vulnerabilities like CVE-2022-21661 in WordPress. → yeswehack.com |
| 2026-04-03 2026 | Exploiting an SQL Injection with WAF Bypass intermediate | Tool for bypassing Web Application Firewalls (WAFs) to exploit SQL injection vulnerabilities. The process involves identifying a potential SQL injection using Burp Suite, confirming it manually via Burp Repeater, and then configuring sqlmap with specific techniques (`--technique=B`), exclusion strings (`--not-string`), proxy settings (`--proxy`), and modifying the User-Agent header to evade WAF detection. This enables successful exploitation of boolean-based blind SQL injection flaws. → vaadata.com |
| 2026-04-03 2026 | SQL Injection Bypassing WAF | OWASP intermediate | Guide on bypassing Web Application Firewalls (WAFs) for SQL Injection attacks, detailing techniques like normalization vulnerabilities, HTTP Parameter Pollution (HPP), HTTP Parameter Fragmentation (HPF), and blind SQL injection exploitation. It covers various WAF bypassing strings and payload variations for common database functions and operators, illustrating how to evade signature-based detection and exploit application logic flaws. → owasp.org |
| 2026-04-03 2026 | PayloadsAllTheThings - SQL Injection beginner | Reference detailing SQL Injection (SQLi) techniques, including entry point detection, DBMS identification, authentication bypass using tautologies and UNION queries, blind injection, error-based and timing attacks, and specific vulnerabilities like those affecting PDO prepared statements and WAF bypasses. It features tools such as sqlmap and ghauri, and discusses the impact of password hashing and salts on modern authentication bypass methods. |
| 2026-04-02 2026 | New "LeakyLooker" Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries news | Writeup detailing nine "LeakyLooker" vulnerabilities in Google Looker Studio, including cross-tenant unauthorized access, zero-click SQL injection on database connectors and stored credentials, SQL injection on BigQuery and Spanner through native functions and custom queries, data source leaks via hyperlinks and image rendering, XS leaks with timing oracles, and denial of wallet. These flaws could allow attackers to exfiltrate, insert, and delete data across various Google Cloud Platform services, impacting databases like BigQuery, Spanner, PostgreSQL, and MySQL. → thehackernews.com |
| 2025-08-14 2025 | NucleiFuzzer - Powerful Automation Tool For Detecting XSS, SQLi, SSRF, Open intermediate Fuzzing SSRF XSS | "NucleiFuzzer is an automation tool designed for detecting vulnerabilities like XSS, SQLi, SSRF, and Open. It offers powerful capabilities for automated security testing." → kitploit.com |
| 2025-08-14 2025 | https://weekly.infosecwriteups.com/iw-weekly-39-10-000-bounty-zero-click-account-takeover-stored-xss-open-redirection-vulnerability-sql-injection-rce-reconnaissance-techniques-and-much-more/ news RCE XSS | Writeup detailing a $10,000 bounty for a Facebook Reels crop/trim feature flaw, Zoom stored XSS, Facebook zero-click account takeover, io_uring Use-After-Free (CVE-2022-2602), Apple subdomain open redirection, and GraphQL pentesting. It also covers insecure CORS configurations, bug bounty automation, smart contract vulnerabilities, HTTP Basic Auth, SQL injection to RCE (CVE-2022-44015), RFC analysis, CTF challenges, CodeQL for GraphQL, reconnaissance techniques, SSRF, and EVM chain vulnerability analysis. |
| 2025-08-14 2025 | https://github.com/yeswehack/vulnerable-code-snippets beginner SSRF XSS | Library of vulnerable code snippets for practicing application security analysis. This collection includes examples of Broken access control (CWE-284), SQL injection (CWE-89), Cross-Site Scripting (CWE-79), Server-Side Template Injection (CWE-1336), and many other common vulnerabilities, all runnable within an isolated Docker environment. New snippets are released weekly, and users can suggest additions via GitHub issues. |
| 2025-08-14 2025 | SQL Injection Wiki beginner | Library for identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems. This comprehensive resource is structured to follow a typical escalation path, offering detailed information on techniques applicable to different versions of SQL databases. Contributions are welcomed via GitHub. |
| 2025-08-14 2025 | http://www.darknet.org.uk/2017/09/bsqlinjector-blind-sql-injection-tool-download-ruby/ intermediate | Tool written in Ruby for performing blind SQL injection. BSQLinjector identifies vulnerabilities by posing true/false questions to the database and analyzing application responses, a technique useful when generic error messages obscure traditional SQLi. Users can employ the `--test` switch to preview payloads before execution. This tool offers an alternative to automated solutions like sqlmap for blind SQL injection scenarios. |
| 2025-08-14 2025 | SQL Attack (Constraint-based) - Dhaval Kapil intermediate | Library for exploiting SQL constraint-based vulnerabilities, similar to SQL injection but distinct. This technique leverages trailing whitespace trimming and `VARCHAR` length constraints in databases like MySQL and SQLite. An attacker can register a username with trailing spaces followed by a different character, tricking the application into inserting it and allowing them to authenticate as an existing user. Defense strategies include implementing `UNIQUE` constraints on relevant columns, using `id` as primary keys, and manually trimming input parameters. |
| 2025-08-14 2025 | SQL Injection Cheat Sheet by Netsparker beginner | Library for SQL injection techniques, this cheat sheet details payloads and technical information for exploiting variants against MySQL, Microsoft SQL Server, Oracle, PostgreSQL, and SQLite. It covers UNION-based attacks, conditional statements like IF and CASE, hexadecimal encoding, and string manipulation methods to bypass filters. The resource also highlights the utility of Dynamic Application Security Testing (DAST) tools, such as Invicti and Acunetix, for automating the discovery and exploitation of SQL injection vulnerabilities. |
| 2025-08-14 2025 | Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12975 beginner | Library detailing MSSQL injection techniques, including basic SQL injection, blind SQL injection, and advanced methods utilizing extended stored procedures. It covers testing for vulnerabilities, bypassing authentication, evading audit logs, and includes a cheat sheet for MSSQL queries and countermeasures, as well as a Perl script for finding vulnerable sites. → exploit-db.com |
| 2025-08-14 2025 | SQL Injection Cheatsheet 2021 beginner | Library containing SQL injection payloads and techniques, detailing in-band (Error-based, Union-based), inferential (Boolean-based, Time-based), and out-of-band methods. It includes best practices for prevention such as parameterized queries, input validation, stored procedures, least privilege, and WAFs, alongside specific payloads for authentication bypass and error-based extraction. |
| 2025-08-14 2025 | https://medium.com/bugbountywriteup/sql-injection-time-and-boolean-based-27239b6a55e8?source=twitterShare-1764222123d3-1576594710&_referrer=twitter&_branch_match_id=732557985002302401 intermediate | The content discusses SQL injection vulnerabilities, specifically focusing on time-based and boolean-based techniques. It explains how these methods can be exploited to manipulate database queries and extract sensitive information. The article likely provides examples, demonstrations, and insights on how to identify and mitigate SQL injection vulnerabilities in web applications. It is a valuable resource for bug bounty hunters, security researchers, and developers looking to enhance their understanding of SQL injection attacks. |
| 2025-08-14 2025 | https://vavkamil.cz/2019/10/09/understanding-the-full-potential-of-sqlmap-during-bug-bounty-hunting/ intermediate Bug Bounty | The content discusses maximizing the capabilities of SQLmap for bug bounty hunting. It covers understanding SQL injection vulnerabilities, using SQLmap to automate the process of exploiting these vulnerabilities, and tips for effective bug bounty hunting. The article emphasizes the importance of thorough testing and proper understanding of SQLmap's features to achieve successful results in identifying and exploiting vulnerabilities. It provides insights into leveraging SQLmap effectively to enhance bug bounty hunting efforts and improve the overall security posture of web applications. |
| 2025-08-14 2025 | https://portswigger.net/web-security/sql-injection/cheat-sheet beginner | Cheatsheet of SQL injection syntax for common attack tasks, including string concatenation, substring extraction, query truncation with comments, database version and content enumeration, conditional errors, batched queries, time delays, DNS lookups, and DNS lookup with data exfiltration, useful for formulating complex attacks and exfiltrating sensitive information. → portswigger.net |
| 2025-08-14 2025 | SQL Injection 101: Common Defense Methods Hackers Should Be Aware Of beginner | Reference detailing common SQL injection defense methods including user input escaping, whitelisting, stored procedures, and prepared statements. It emphasizes the principle of least privilege for database accounts and outlines techniques such as parameterized queries to distinguish between code and data, thereby mitigating risks associated with SQL injection vulnerabilities. → null-byte.wonderhowto.com |
| 2024-12-31 2024 | GitHub - danialhalo/SqliSniper: Advanced Time-based Blind SQL Injection fuzzer for HTTP Headers intermediate Fuzzing Python | Tool for advanced time-based blind SQL injection fuzzing in HTTP headers. SqliSniper leverages multi-threading for rapid scanning and incorporates response time analysis to reduce false positives. It offers configurable payloads, custom headers, and direct Discord notifications for detected vulnerabilities, making it an efficient solution for security assessments. |
| 2024-11-13 2024 | SQLMap Command Generator beginner | SQLMap Command Generator |
| 2024-08-22 2024 | BChecks/vulnerability-classes/injection at main · PortSwigger/BChecks · GitHub intermediate Burp RCE XSS | BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition - PortSwigger/BChecks |
| 2023-11-07 2023 | 9 SQLi Detection Tools You Need to Know in 2023 beginner | Library of 9 SQLi detection tools for 2024, including SQLMap, Invicti, Burp Suite, jSQL Injection, Appsider, Acunetix, Qualys WAS, HCL AppScan, and Imperva. These tools automate the identification and remediation of SQL injection vulnerabilities in web applications and APIs, mitigating risks such as data theft and unauthorized access. |
| 2023-10-05 2023 | Writeups for Damn Vulnerable Web Application (DVWA) beginner XSS | Writeups for Damn Vulnerable Web Application (DVWA) https://ift.tt/b6djesM |
| 2023-09-22 2023 | How to turn SQL injection into an RCE or a file read? Case study of 128 bug bounty reports intermediate Bug Bounty RCE Talks | The content discusses techniques for leveraging SQL injection vulnerabilities to achieve Remote Code Execution (RCE) or unauthorized file reads. It presents a case study based on 128 bug bounty reports, likely demonstrating real-world examples of such exploits. Viewers can gain insights into the process of escalating SQL injection vulnerabilities into more severe security breaches. The content is likely to provide practical examples and strategies for security researchers or professionals interested in understanding and mitigating these types of cyber threats. |
| 2023-09-03 2023 | TryHackMe | SQHell beginner | Try and find all the flags in the SQL Injections |
| 2023-06-08 2023 | Test website for SQL injection vulnerabilities using Python intermediate Python | Test website for SQL injection vulnerabilities using Python https://ift.tt/msKlYeM |
| 2023-06-01 2023 | Demystifying SQL Injection: A Comprehensive Guide to Understanding SQL Injection Risks beginner | Guide to understanding SQL injection risks, detailing in-band, out-of-band, error-based, union-based, time-based, and boolean-based attack techniques. It includes practical examples, like injecting malicious code into search bars and exploiting vulnerabilities such as the Heartland Payment Systems breach, alongside prevention strategies. |
| 2023-05-27 2023 | open-appsec ML-based WAF protects against modern SQLi AutoSpear evasion techniques news API Sec | Library protecting against advanced SQL injection evasion techniques, including those from the AutoSpear project. It utilizes machine learning to identify non-legitimate payloads rather than relying solely on traditional parsing and rule sets. This approach effectively counters evolving evasion methods like case swapping, whitespace substitution, comment injection, and various encoding combinations that bypass other WAF solutions such as AWS, Fortinet, F5, CloudFlare, and ModSecurity. |
| 2023-04-18 2023 | Tag Archives: SQL Injection beginner | Library for securing Open Data Protocol (OData) connections, building on techniques used to mitigate SQL injection. It acts as an intermediate security layer, applying fine-grained constraints to OData API calls and masking query results based on user entitlements. This is demonstrated with a policy controlling access to the Netflix OData API, restricting minors to G or PG-13 rated movies, and includes authentication, authorization, and auditing of connections. |
| 2023-04-18 2023 | [ODATA-1110] Provide guidance for sql-injection type attacks beginner | [ODATA-1110] Provide guidance for sql-injection type attacks https://ift.tt/9J5LIQb |
| 2023-04-02 2023 | How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty intermediate Bug Bounty | How I Found Multiple SQL Injections in 5 Minutes in Bug Bounty https://ift.tt/8yQVgw5 |
| 2022-11-03 2022 | SQL Injection in GraphQL intermediate | The content discusses the vulnerability of SQL injection in GraphQL, a query language for APIs. This security risk can occur when user input is not properly sanitized, allowing malicious actors to manipulate queries and potentially access or modify sensitive data in the database. It emphasizes the importance of input validation and sanitization to prevent SQL injection attacks in GraphQL applications. |
| 2022-04-11 2022 | Favorite tweet by @harshbothra_ beginner | Favorite tweet: 12 Free Practice Labs to Master SQL Injection 🧵 — Harsh Bothra (@harshbothra_) Apr 11, 2022 |
| 2022-01-16 2022 | How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes intermediate Fuzzing Recon | How I Found multiple SQL Injection with FFUF and Sqlmap in a few minutes |
| 2022-01-07 2022 | Advanced SQL Injection Cheatsheet advanced | Cheatsheet detailing advanced SQL injection techniques. It covers finding injection points, understanding website behavior, enumerating data, bypassing Web Application Firewalls (WAFs), and dumping databases. Methodologies include Error- or UNION-based, Boolean-based (content-based) Blind SQLi, and Time-based SQLi, along with stabilizing injections and bypassing whitespace filters. Privilege escalation and Local File Inclusion (LFI) are also addressed. |
| 2021-11-13 2021 | Web Attack Cheat Sheet beginner API Sec Bug Bounty XSS | Cheatsheet detailing web attack techniques and tools, covering discovery, enumeration, scanning, monitoring, and attack methods. It includes specific vulnerabilities such as SSRF, XXE, OAuth, DNS Rebinding, HTTP/SMTP Header Injection, Web Shell, Reverse Shell, SQLi, XSS, XPath Injection, Path Traversal, LFI, SSTI, Information Disclosure, and WebDAV. The resource also lists generic tools for reconnaissance and attack surface mapping, including those for identifying Cloudflare origin IPs and mapping CIDR ranges. |
| 2021-10-04 2021 | 10 Types of Web Vulnerabilities that are Often Missed beginner Bug Bounty IDOR SSRF XSS | Library detailing overlooked web vulnerabilities, including HTTP/2 Smuggling exploiting frontend/backend parsing differences, XXE via Office Open XML parsers by crafting malicious OOXML files, SSRF via XSS in PDF generators leveraging headless browser execution for internal resource access, and XSS via SVG files where image upload functionality is present. The resource highlights these as being a step beyond common OWASP Top 10 issues due to obscure delivery methods or common misunderstandings. → labs.detectify.com |
| 2021-04-16 2021 | DVWA 1.9+: Blind SQL Injection with SQLMap intermediate | The content discusses performing Blind SQL Injection on DVWA 1.9+ using SQLMap. It follows a previous article on manual SQL Injection with OWASP ZAP. The focus is on hacking DVWA through Blind SQL Injection techniques. |
| 2021-01-24 2021 | Exploiting Error Based SQL Injections & Bypassing Restrictions intermediate | The article discusses advancing attacks when encountering Error Based SQL Injections. It aims to provide insights on bypassing restrictions in such scenarios. The content likely includes strategies for exploiting vulnerabilities and overcoming limitations in SQL injection attacks. |
| 2021-01-24 2021 | Exploiting second order blind SQL injection intermediate | Hackerone hosted an online Capture The Flag (CTF) event named "12 days of hacky holiday CTF." |
| 2021-01-23 2021 | https://secnhack.in/website-penetration-testing-and-database-hacking-with-sqlmap/ intermediate | Tutorial on website penetration testing and database hacking using the open-source tool sqlmap. This guide details how to detect and exploit SQL injection vulnerabilities, a critical flaw identified in the OWASP Top 10. It covers installation on various operating systems, upgrading the tool, and advanced techniques like using Google Dorks for reconnaissance to identify vulnerable parameters. The tutorial walks through commands to dump database names, tables, columns, and ultimately sensitive user credentials from compromised web applications. |
| 2021-01-20 2021 | Identifying & Exploiting SQL Injection: Manual & Automated intermediate | The article discusses identifying and exploiting SQL Injection vulnerabilities in applications. It covers methods for recognizing these vulnerabilities and exploiting them. The content likely includes manual and automated approaches for detecting and taking advantage of SQL Injection weaknesses in software systems. |
| 2020-04-17 2020 | SQL Injection Cheat Sheet by Netsparker beginner | Library: Invicti SQL Injection Cheat Sheet, this resource offers detailed technical information and attack payloads for testing various SQL injection vulnerabilities across MySQL, Microsoft SQL Server, Oracle, PostgreSQL, and SQLite. It covers techniques such as UNION attacks, stacked queries, boolean-based blind SQL injection using IF and CASE statements, and bypassing filters with hex encoding and string concatenation. The cheat sheet also highlights the utility of DAST tools like Invicti and Acunetix for automating SQLi detection. |
| 2019-12-29 2019 | https://medium.com/bugbountywriteup/sql-injection-time-and-boolean-based-27239b6a55e8?source=twitterShare-1764222123d3-1576594710&_referrer=twitter&_branch_match_id=732557985002302401 intermediate | The content discusses SQL injection vulnerabilities, specifically focusing on time-based and boolean-based techniques. It explains how attackers can exploit these vulnerabilities to manipulate database queries and gain unauthorized access to sensitive information. The article likely provides examples, explanations, and possibly mitigation strategies for preventing SQL injection attacks. |
| 2019-11-17 2019 | Understanding the full potential of sqlmap during bug bounty hunting intermediate Bug Bounty | The content discusses utilizing sqlmap, a tool for detecting and exploiting SQL injection vulnerabilities, in bug bounty hunting and ethical hacking for offensive website security. It emphasizes understanding the full potential of sqlmap to effectively identify and exploit vulnerabilities. The focus is on leveraging this tool to enhance security testing efforts and maximize the outcomes of bug bounty programs. |
| 2019-10-05 2019 | SQL injection to RCE advanced RCE | The content discusses a case of SQL injection leading to Remote Code Execution (RCE) discovered during a recent customer penetration testing exercise. The author will detail the scenario in the following lines. |
| 2018-07-29 2018 | Making a Blind SQL Injection a Little Less Blind intermediate | The content discusses the author's experience finding a SQL Injection bug despite the belief that manual SQL Injections are no longer common. The author aims to shed light on this issue and shares insights on how to make a Blind SQL Injection less challenging. |
| 2018-07-19 2018 | Comprehensive Guide to Sqlmap (Target Options) intermediate | The article discusses the "target commands" in sqlmap, a tool for SQL injection attacks. These commands are used to specify the target website or application for the attack. Understanding and utilizing these commands effectively is crucial for successful SQL injection testing. |
| 2018-06-26 2018 | SQL Injection 101: Common Defense Methods Hackers Should Be Aware Of beginner | Library on SQL injection defense methods, discussing user input escaping with MySQL examples, whitelisting versus blacklisting, stored procedures, and the superiority of prepared statements using parameterized queries. It also emphasizes the principle of least privilege for database accounts and separate users for different applications to minimize attack impact. → null-byte.wonderhowto.com |
| 2018-05-10 2018 | Barebones Application Security — SQL Injection (SQLi) beginner | The content discusses basic security measures for startups, focusing on SQL Injection (SQLi) vulnerabilities. It is part of a series on application security, highlighting the importance of safeguarding against SQL injection attacks. The series aims to provide startups with essential steps to enhance their security posture. |
| 2018-01-11 2018 | SQL Injection Wiki beginner | Library: SQL Injection Wiki, a comprehensive resource for identifying, exploiting, and escalating SQL injection vulnerabilities across various Database Management Systems. This wiki follows a typical escalation path, assuming basic SQL injection knowledge, and includes version-specific query information. Contributions are welcomed via GitHub. |
| 2017-09-22 2017 | BSQLinjector – Blind SQL Injection Tool Download in Ruby intermediate | Library for performing Blind SQL Injection attacks in Ruby, BSQLinjector utilizes true/false queries to extract data from SQL databases when direct error messages are suppressed. Similar in function to sqlmap, it offers a `--test` switch to preview payloads before execution. |
| 2016-12-28 2016 | SQL Attack (Constraint-based) - Dhaval Kapil advanced | Writeup on SQL constraint-based attacks, demonstrating how trailing whitespace padding in SQL string comparisons and truncation of long strings in INSERT statements can be exploited. The attack allows an attacker to register a username with trailing spaces that is then effectively treated as an existing username due to SQL's whitespace handling. Subsequent logins can then be hijacked, as shown on MySQL and SQLite. Defenses include applying UNIQUE constraints to username columns and preferring IDs for data tracking. |
| 2016-04-20 2016 | Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12975 news | Paper detailing advanced MSSQL injection techniques, including ODBC error message attacks, UNION attacks, and exploiting extended stored procedures. It covers blind SQL injection enumeration, explains common vulnerabilities in applications like Joomla, Mambo, and WordPress, and provides methods for testing for SQL injection flaws using single quotes and OR/AND operations. The document also touches upon audit log evasion and the creation of mass MSSQL injection worms, concluding with countermeasures against these attacks. → exploit-db.com |
Frequently Asked Questions
- What is SQL injection?
- SQL injection is a code injection technique where an attacker inserts malicious SQL statements into input fields or parameters that are incorporated into database queries. Successful exploitation can read, modify, or delete database data, and in some cases execute operating system commands.
- What is the difference between blind and error-based SQLi?
- Error-based SQLi extracts data through database error messages visible in the application response. Blind SQLi works when errors are suppressed — it infers data using boolean conditions (true/false responses) or time delays (e.g., IF condition THEN SLEEP(5)). Blind SQLi is slower but works in more restrictive environments.
- Are prepared statements enough to prevent SQLi?
- Prepared statements (parameterized queries) prevent classic SQLi in most cases. However, they cannot parameterize table names, column names, or ORDER BY clauses. Dynamic SQL built from these elements still requires allowlist validation. ORMs reduce risk but can be bypassed through raw query methods.
Weekly AppSec Digest
Get new resources delivered every Monday.