✨ deeznutz

✨ Master ✨
Staff member
May 15, 2017
The DroidSQLi application is used to check websites for vulnerability to SQL injections of four types:
  • Normal SQL injection is the classic version with passing the UNION ALL SELECT parameter;
  • Error based SQL injection - the use of obviously incorrect syntax in queries for receiving an error message revealing additional database parameters;
  • Blind SQL injection - a series of queries with analysis of true / false responses from the DBMS, which allows to restore the database structure;
Time based SQL injection - the formation of additional queries that cause the suspension of the DBMS for a certain time, which makes it possible to extract character-by-character data.

The DroidSQLi utility automatically selects the injection method, and also uses bypass filtering techniques.
To start testing the site, you must manually find the entry point. Usually this is a web page address containing a query of the form? Id = X or? P = X, where X is a positive integer. In our example, the payload for id parameter looks like this:

id = (SELECT 4777 FROM (SELECT COUNT (*), CONCAT (0x71626b6a71, (SELECT (ELT (4777 = 4777.1))), 0x7170767871, FLOOR (RAND (0) * 2)) x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x) a)

There are a lot of websites vulnerable to SQL injections on the Web. I think you can easily find a few of these just by looking at the history of your browser.
  • Android: 4.2 and up
  • Requires root: no
Top Bottom