Ah, SQL injection. Probably one of the most iconic vulnerabilities in the web appsec sphere. Even given how easy it is to fix (parameterize your queries please, none of this blacklisting garbage), it's still found in the wild on a regular basis. While there are a million posts out there detailing vanilla exploitation, this post is going to delve into more advanced attacks. Specifically, I'm going to discuss enumerating the schema of a database in a single payload, using bit shifting to greatly reduce the number of queries required to exfiltrate data, and viable attacks in a blind and asynchronous situation. The focus will revolve around a SQL Server context, but most if not all of these techniques should transfer to exploitation of other databases.
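To make the "parameterize, don't blacklist" point concrete before getting into the advanced material, here is an added example (not code from the original post) showing the three patterns side by side: a query built by string concatenation, a quote-stripping blacklist that still fails in a numeric context, and the bound-parameter version that is immune to both inputs. It uses Python's standard-library sqlite3 as a stand-in for SQL Server; the `?` placeholder style is the same one pyodbc uses, and the users table and the two hostile inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the original post.
SAMPLE_USERS = [(1, "alice", "secret-a"), (2, "bob", "secret-b")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The classic bug: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def strip_quotes(value):
    """A naive blacklist: remove single quotes and hope for the best."""
    return value.replace("'", "")


def lookup_by_id_blacklisted(conn, id_str):
    """Blacklisting fails here because a numeric comparison needs no quotes at all;
    the filtered input is still concatenated into the statement."""
    sql = "SELECT id, username FROM users WHERE id = " + strip_quotes(id_str)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is sent as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_by_id_parameterized(conn, id_str):
    """Same fix for the numeric case; the driver binds the value, SQLite applies
    column affinity, and a non-numeric string simply matches nothing."""
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (id_str,)).fetchall()


def demo():
    """Run each lookup with a benign and a hostile input and return the row sets."""
    conn = make_db()
    hostile_name = "' OR 1=1 --"   # constructed input that closes the string literal
    hostile_id = "1 OR 1=1"        # constructed input that needs no quotes
    return {
        "vuln_benign": lookup_vulnerable(conn, "alice"),
        "vuln_hostile": lookup_vulnerable(conn, hostile_name),
        "blacklist_benign": lookup_by_id_blacklisted(conn, "1"),
        "blacklist_hostile": lookup_by_id_blacklisted(conn, hostile_id),
        "param_benign": lookup_parameterized(conn, "alice"),
        "param_hostile": lookup_parameterized(conn, hostile_name),
        "param_id_benign": lookup_by_id_parameterized(conn, "1"),
        "param_id_hostile": lookup_by_id_parameterized(conn, hostile_id),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18} -> {rows}")
```

The concatenated and blacklisted versions return every row for the hostile inputs, while the parameterized versions return nothing, because the bound value is compared as data rather than interpreted as part of the statement. The same holds for stored procedures invoked with bound parameters on SQL Server; what matters is that attacker-controlled text never reaches the query parser.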