search

πŸ’‰Union Based MSSQL Injection

hashtag
Some basic errors in MSSQLi

Error

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][SQL Server Native Client 10.0][SQL Server]Executing SQL directly; no cursor.

Microsoft VBScript runtime error '800a000d' Type mismatch: 'id'

Error Executing Database Query. Line 3: Incorrect syntax near ''.

The text data type cannot be selected as DISTINCT because it is not comparable.

Operand type clash: text is incompatible with int

hashtag
----------------------------------------------------------------

hashtag
Step : 1

hashtag
Putting single quote and then putting double quote checking the Error:


http://aquaservices.co.in/Product.aspx?Id=13'
ERROR

http://aquaservices.co.in/Product.aspx?Id=13"
ERROR

When both Single quote and double Quotes gives error then there are high probablities that the injection type is integer based

hashtag
----------------------------------------------------------------

hashtag
Step : 2

hashtag
Now we need to know the comment type for MSSQL.

Comment
Name

--

Comment Type 1

--+

Comment Type 2

--+-

SQL Comment

/**/

Inline Comment

;%00

Null Byte

hashtag
Now lets try the basic -- comment with our target:

hashtag
Now we continue with order by and in the end we come to know that 8 is the last working column.

hashtag
----------------------------------------------------------------

hashtag
Step : 3

hashtag
Now we need using the union select query:

hashtag
In case of Such Errors on Union select statement we have an option to use null in all columns, so lets try that:

hashtag
Heres one more type of error you can find while MSSQL Injection and the solution for this is just use "Union All Select" in place of "Unoin Select", Lets try:

The Solution for this type of Errors is as here we can see DBNULL to STRING mismatch so we have to convert each column one by one and see if we can get make it to work. To put a string we can use single quotes but i prefer using the db_name() function to avoid some error. Here we have Eight Columns changing each column one by one. So I am generate the payloads which will put db_name() in eight columns one by one:

hashtag
Now you can use Burp Suite intruder to Fuzz the payload on place of columns:

hashtag
----------------------------------------------------------------

hashtag
Step : 4

hashtag
Now we can Put @@version on place of vulnerable column to get the current version from database:

hashtag
----------------------------------------------------------------

hashtag
Step : 5

hashtag
Now and we got the version, now we can get the current database name using db_name()

hashtag
---------------------------------------------------------------

hashtag
There are some other ways also to collect some more information from MSSQL which are given here:

Query/Function
Output

@@version

Current Version

user_name()

Current User

user,system_user,current_user

Current User

db_name()

Current Database

db_name()

Current Database

@@SERVERNAME

Hostname

hashtag
----------------------------------------------------------------

hashtag
Step : 5

hashtag
Now we will extract the table names, here the syntax is a little bit different than MySQL of lack of limit clause in MSSQL.

hashtag
----------------------------------------------------------------

hashtag
Step : 6

hashtag
In the same manner we can get all the tables one by one. Now lets get the columns.

hashtag
I will extract the colums from AdminLogin table:

hashtag
----------------------------------------------------------------

hashtag
Step : 7

hashtag
We got the table names the column names and now lets extrct the data from them.

hashtag
For concatination we can use %2b which is +

hashtag
----------------------------------------------------------------

hashtag
MSSQL DIOS :

hashtag
Now in the end i will like to show you how to make the whole process alot faster by using MSSQL DIOS:

hashtag
It will give error but actually its making the DIOS table so now lets try checking the output under temp_dios_sample:

hashtag
So Here we are finished with MSSQL Union Based Injection

PreviousUNION Based MySQL InjectionNextUnion Based Oracle Injection

Last updated