[Pentest] SQL injection with MSSQL

Hello guys, I'm back, again :D. I have moved to another company since January, so I must work so hard to pass probation and prove my skill to bigboss. It worked! 

So, after 4 month no time to write, I tried my best to take time for delivery a blog post. This time, I have an intersting article about sql injection. The framework is MSSQL which I'm not familiar with ! Let's explore!

I. MSSQL cheatsheet

Surfing around internet, I have seen lot lot of payloads and cheatsheet which could be used for fuzzing the target. When play CTF, I have rarely faced to the challenge that used this framework. Usually MySQL, but I think context is the same. We must fuzzing it to find out whether the SQLinjection or not, Error Based or Time Based or both, Blind or not, .. etc.

The methodology is about finding information of server, dbms, include current user, version, permissiong of users, and try to dump the entire database :D. That is the reason why it's always a critical vulnerable.

https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

This is the cheatsheet could give us some clues to kick off.

II. Case Study

This case is about an internal application project that I have joined to pentest. Like many apps, it have the search bar at UI and allow users to query information.

When I put my keyword to search, it call the api /search at backend and query to database, fetch the data and load it for user.

When I try 4rth4s, at UI, no result found, below is response from BE

Success what? Give it a quote ( ' ) as usual we try fuzzing sql injection, and the error comes

That's enough for us to continue fuzzing. We all know the framwork.

After trying and fuzzing, I realize the query that give us expected result

'); waitfor delay '00:00:10' --

10:26 PM

Exactly 10 seconds
 

 

So we must custom out payload to know the numbers of columns in current table, table_name, column_name and of course the database name , database version. 

After fuzzing and find out It has 20 columns, we should recognize which column that data is printed out. And limit the response so that we can see exactly result

') union select NULL,NULL,NULL,db_name(),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL order by 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY --

Query db_name()

database version

and all we need is time, to dump the entire database. :) . And we should try whether we got  RCE or not. In this case, the current user have not permission to do anything to change the database. Cheers for dev XD

NOTE: sqlmap did not help so much with this case, after I tried this with post request. So, manual is magic. 👍

However, it's not hard to dump database in this case. But I could learn so much with it. 

Happy Pentesting!