Resources

The only resource you’ll need to start is Google, learn to use it here.

All of the following can be found with the above technique, nothing here is unique. This is just a collection of some my regularly used resources and is not comprehensive.

Some of the places I look regularly for new research:

• Synack’s Exploits Explained - A blog series written by the Red Team on exploits you’ll see in the wild.
• Intigriti’s Bug Bytes - A weekly newsletter containing new research from a variety of sources.
• PortSwigger Research - A collection from the staff who work on BurpSuite.
• Reading through current writeups shows you how testers are using exploits in real life scenarios.
• Glancing at Exploit Databases’ latest proof of concepts to see the latest publicly available exploits.

Specific Exploit Resouecs

SQL Injections

For a quick reference I use PentestMonkey and PortSwigger’s SQL injection cheat sheets, or the SQL generic guides from W3school.

During active exploitation of injections that require WAF bypasses or other evasive techniques, I go directly to the documentation of the type of databases being exploited (correcting for version number).

• MS Access
• MySQL
• IBM DB2
• Oracle

For exploitation I automate the process with Python to adjust for any unique circumstances.