Web attack reference pages (SQLi, XSS, SSTI)


Posted by nathan2009729 on 2023-10-01

1. SQL injection reference resources

Various login bypasses and SQLi steps
https://sushant747.gitbooks.io/total-oscp-guide/content/sql-injections.html

Basic
https://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

Intermediate
https://github.com/ihack4falafel/OSCP/blob/master/Documents/SQL%20Injection%20Cheatsheet.md

Advanced
https://github.com/OlivierLaflamme/Cheatsheet-God/blob/master/Cheatsheet_SQLInjection.txt
https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/#StringwithoutQuotes

Chinese translation of PortSwigger's web attack topics
https://hackmd.io/@linus870529/rkpVYwTWs

Chinese translation of PortSwigger's SQLi material, SQLi WAF bypass, SQLi to RCE
https://feifei.tw/sql-injection/

VM practice resources
https://research.cs.wisc.edu/mist/SoftwareSecurityCourse/Exercises/3.8.1_SQL_Injection_Exercise.html

SQL Injection from Basics to Mastery (course)
https://edu.51cto.com/course/21928.html
Chapter 2: GET-based injection (3 h 8 min, 9 lessons)
2.1 MySQL injection fundamentals [24:59]
2.2 MySQL string-type UNION injection [25:15]
2.3 MySQL numeric-type UNION injection [17:27]
2.4 extractvalue error-based injection [25:57]
2.5 updatexml error-based injection [13:23]
2.6 floor error-based injection [31:43]
2.7 MySQL boolean-based blind injection [25:27]
2.8 MySQL time-based blind injection [15:43]
2.9 File upload via MySQL injection [08:56]
Chapter 3: POST-based injection (1 h 32 min, 5 lessons)
3.1 POST UNION injection and error-based injection [23:15]
3.2 POST blind injection [08:58]
3.3 User-Agent header injection [30:25]
3.4 Referer header injection [11:43]
3.5 Cookie header injection [18:21]
Chapter 4: WAF bypass analysis (3 h 3 min, 8 lessons)
4.1 Bypassing comment-character filtering [15:36]
4.2 Bypassing AND/OR filtering [08:38]
4.3 Bypassing whitespace filtering [18:50]
4.4 Bypassing SELECT and UNION filtering [22:22]
4.5 Wide-byte injection [14:14]
4.6 Introduction to WAF bypass commands [27:53]
4.7 Fuzz-testing bypass of the Yunsuo (云锁) web firewall [42:41]
4.8 Fuzz-testing bypass of the SafeDog (安全狗) web firewall [33:13]

Advanced SQL Injection (course)
https://edu.51cto.com/course/22513.html
Chapter 1: Access SQL injection (35 min, 2 lessons)
1.1 Access basics and UNION injection [19:09]
1.2 Access boolean-based blind injection [16:01]
Chapter 2: MSSQL / SQL Server injection (2 h 11 min, 7 lessons)
2.1 MSSQL / SQL Server fundamentals [17:44]
2.2 MSSQL UNION FOR XML PATH injection [23:44]
2.3 MSSQL AND error-based injection [14:45]
2.4 MSSQL UNION elimination-method injection [17:53]
2.5 MSSQL CONVERT and CAST error-based injection [14:54]
2.6 MSSQL boolean-based blind injection [18:52]
2.7 MSSQL time-based blind injection [23:56]
Chapter 3: Oracle SQL injection (1 h 34 min, 5 lessons)
3.1 Oracle UNION injection [27:26]
3.2 Oracle error-based injection [13:04]
3.3 Oracle boolean-based blind injection [18:07]
3.4 Oracle CASE WHEN time-based blind injection [21:52]
3.5 Oracle DECODE time-based blind injection [14:16]

SQL injection series: SQL Server error-based injection
https://blog.51cto.com/u_15274949/2922536

Web security: header injection via POST submission (sqli-labs less-18, less-19)
https://blog.csdn.net/qq_35733751/article/details/106402960

SQL injection series: the most detailed sqli-labs walkthrough, levels 1-40
https://blog.51cto.com/u_15274949/5260279

The most complete sqli-labs walkthrough
https://cloud.tencent.com/developer/article/1906116

sqli-labs level (less-N) solutions
https://www.zhihu.com/people/shiyan.vip/posts?page=5

Error-based SQL injection
https://c4y345.com/cybersecurity/%E6%8C%96%E6%B4%9E%E5%85%A5%E9%97%A8_%E6%98%BE%E9%94%99%E5%9E%8Bsql%E6%B3%A8%E5%85%A5/

Error-based injection explained simply
https://juejin.cn/post/7156744293988696095

SQL injection study notes: MySQL error-based injection
https://blog.csdn.net/qq_44720214/article/details/125998826

A discussion | Error-based SQL injection
https://blog.51cto.com/where2go/5060175

Ten MySQL error-based injection techniques explained (part 1)
https://www.cnblogs.com/MiWhite/p/6241265.html

Manual MySQL injection: error-based injection in detail
https://cloud.tencent.com/developer/article/1630134

SQL injection primer: standard MSSQL error-based injection
https://apt404.github.io/2016/05/17/mssql-error-injection/

Hands-on SQL injection: error-based injection (updatexml, extractvalue, floor)
https://www.cnblogs.com/c1047509362/p/12806297.html

II. Notes on SQL syntax, WAF bypass methods and injection methods
Determining how the injection point is wrapped:
1. Single quote '
2. Single quote + parenthesis ')
3. Single quote + two parentheses '))
4. Double quote "
5. Double quote + parenthesis ")
6. Double quote + two parentheses "))
7. No wrapping

SQL comment styles:
--+   used in URLs (the + decodes to the space that -- requires after it)
-- followed by a space   used in URLs
;%00   for cases where the input is filtered
/**/   used when submitting large payloads; WAF bypass
/*!1,2,3*/   MySQL inline (conditional) comment, MySQL only; WAF bypass
#   used in POST forms
or other encodings that can be substituted for these

2. XSS reference resources

Basic
https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
Cheat sheet
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

3. SSTI reference resources

Introduction
https://err0r.top/article/ssti/
https://cloud.tencent.com/developer/article/2130787
https://www.k0rz3n.com/2018/11/12/%E4%B8%80%E7%AF%87%E6%96%87%E7%AB%A0%E5%B8%A6%E4%BD%A0%E7%90%86%E8%A7%A3%E6%BC%8F%E6%B4%9E%E4%B9%8BSSTI%E6%BC%8F%E6%B4%9E/
https://houbb.github.io/2020/08/09/web-safe-12-ssti

Django
https://github.com/Lifars/davdts

Comprehensive collections
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#tornado-python
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker


#web attack cheat sheet