To test for SQL Injections, different wordlists can be used. This is a merged wordlist, which contains generic SQLi payloads for MySQL, NoSQL, MSSQL, Oracle, etc. It has all sort of SQLi payload types (time-based, error-based, generic payloads, etc.). Instead of using multiple wordlists, you can quickly identify vulnerable endpoints with one wordlist. Depending on the result, further analysis can be done.
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/hugeSQL.txt "http://127.0.0.1/index.php?id=FUZZ"
wfuzz -c -z file,/usr/share/wfuzz/wordlist/Injections/hugeSQL.txt -d "username=admin\&password=FUZZ" http://127.0.0.1/admin
By using wfuzz's own filter, you can define a baseline and filter out unnecassary responses.
After your first wfuzz scan, you should get multiple responses with X chars. For example, X = 0
chars. To filter these out, specify the option:
--hh 0
In a same manner, you can filter out responses with X words. For example, for X = 1
word. Use the wfuzz flag:
--hw 1
You can also use --hl 1
or --hc 1
to filter out results with 1 line or 1 specified code, respectively.