Microsoft SQL Server is a relational database management system developed by Microsoft. Microsoft markets a dozen different editions of Microsoft SQL Server with various functionalities and aims. A list of the versions is available :

MSSQL supports stacked queries.

Vulnerable parameters detection

Injection locations

In a HTTP request there are a few possible injection points :

  • URL parameters

  • POST parameters

  • Cookie names and values

  • Host header and any custom headers

Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.

Injection detection

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application. Supplying malformed queries will trigger errors and sending valid queries with various boolean logic statements may trigger different responses from the web server. Time based payload can also be used to detect SQL injection in MSSQL.


Error A direct message can be returned or the page may act differently

x=' x='' x=" x="" x=\ x=\\ x=\' ...

Boolean Testing Page can react differently if true or false

x=1 or 1=1 -- true x=1' or 1=1 -- true x=1" or 1=1 -- true x=1 or 1=2 -- false ...

Time Based A delay can be induced by the query execution

x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds x=1 WAITFOR TIME '22:42' -- Wait until 22:42 ...

Automated detection

The detection of vulnerable parameters can be automated, using the BurpSuite Pro scanner or sqlmap for example.

Note that second order SQL injection, which arises when user-supplied data is first stored by the application and then later incorporated into SQL queries in an unsafe manners, may not be properly detected by automatic tools.

Databases dumping



Encoding queries

Obfuscating queries

Disable logging mechanisms

MSSQL version

Current user


Users and privileges

Users' passwords

Using sqlmap: sqlmap -D master -T sys.sql_logins --dump [...]


Current database






Last updated