![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKgNiU0kfeFPn1W5qVB-miel7ETV36HJIQwYtkqU2Bf4yMox9E_RA2ZaNRlfMlSq3IW0QwKTKT5-s5K8v9Nb2wCg7aYoiEbpYXYCgt_tTPWibPNXwFU2CzK58LixXIJyUnndb4U3gawpzc/s200/SQLi.gif)
The author, Roberto Salgado (@LightOS), adds new attacks and evasion methods daily.
It is a very extensive and clear guide, neatly organized by topic:
- MySQL
  - Default Databases
  - Testing Injection
  - Comment Out Query
  - Testing Version
  - Database Credentials
  - Database Names
  - Server Hostname
  - Tables and Columns
  - Avoiding quotations
  - String concatenation
  - Conditional Statements
  - Timing
  - Privileges
  - Reading Files
  - Writing Files
  - Out of band channeling
  - Stacked Queries with PDO
  - MySQL-specific code
  - Fuzzing and Obfuscation
  - Operators
  - Constants
  - Password Hashing
  - Password Cracker
- MSSQL
  - Default Databases
  - Comment Out Query
  - Testing Version
  - Database Credentials
  - Database Names
  - Server Hostname
  - Tables and Columns
  - Avoiding quotations
  - String concatenation
  - Conditional Statements
  - Timing
  - OPENROWSET Attacks
  - System Command Execution
  - SP_PASSWORD (Hiding Query)
  - Stacked Queries
  - Fuzzing and Obfuscation
  - Password Hashing
  - Password Cracker
- ORACLE
- Extras
Seen at: http://www.hakim.ws/