Stacked or compound SQLI
Once you understand the classic and blind SQLI methods, it doesn't take a huge leap to understand how you can make compound statements and stack multiple requests together to not only map our targets' databases, but to also manipulate, corrupt, or destroy stored data and eventually run code on the databases. You can pair data extraction union-based SQLI, for instance, with a command immediately following it to remove the data from the source table. Netsparker (https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) and PenTestMonkey (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) both offer cheat sheets that do a wonderful job of introducing the many ways Stacked ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access