MS SQL Injection: Manual Enumeration

Thursday, August 22, 2013

The following post is meant to serve as a quick reference for basic database enumeration through SQL Injection (SQLi). This syntax is for MS SQL but with some modifications it can also be applied to MySQL.

Please remember, this is solely for educational purposes. None of the techniques mentioned should be used for malicious purposes outside of a controlled research environment. 

Most of the snippets below supply a false condition followed by the OR keyword and a true statement; the true statement carries the SQLi. Note: one may also accomplish the same by supplying two true statements.

Database Version



Database Name



Database Username

The snippet below depicts how to obtain the username that the database is being run under.


Database Table Names

The snippet below will provide an error message showing the first table name.


One can then use the NOT IN keyword in subsequent requests to view the rest of the tables within the database.


Database Column Names

The snippet below will provide an error message showing the first column name.


One can then use the NOT IN keyword in subsequent requests to view the rest of the columns within the database.


Column Information

The snippets above provide the column names for a table. While that is useful, what one really wants is the information stored inside those columns. The following snippets depict how to obtain the information within the database. Note: The userID variable is the column name.


Go Mitigation!

The snippets above show how to successfully inject SQL statements into a query. This happens because the application does not implement sufficient security checks before sending the request off to the database for processing. Let us explore some ways to protect against this sort of attack.
  • Implement a check for any SQL keywords (e.g. SELECT, UNION, NOT IN) and bad characters (e.g. !#$%&'*+-/=?^_`{|}~@[]). If the request contains any bad keywords/characters, do not proceed with the request. Note: This is to be done on the application side before the requests get to the database.
  • Use stored procedures or prepared statements. This ensures the attacker cannot modify the intent of the query.
  • Disable features and services which are unnecessary for operations.
  • Run the database and any applications querying the database with the lowest possible privileges.
  • Stay up to date with vendor patches after they have been thoroughly tested within your environment.
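The prepared-statement advice above, shown side by side with the vulnerable string-concatenation pattern that the enumeration snippets rely on. This is an added example, not code from the original post; SQLite stands in for MS SQL so it runs offline (the `users` table, its rows and the `lookup_*` function names are constructed here), and SQL Server drivers such as pyodbc accept the same `?` placeholder style.

```python
import sqlite3


def make_db():
    # Constructed sample database: SQLite in memory instead of a real MS SQL server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def lookup_concat(conn, user_id):
    # Vulnerable: the caller's input is spliced into the SQL text, so a quote
    # character ends the string literal and the remainder is parsed as SQL.
    # This is exactly the "false condition OR true statement" pattern the
    # enumeration snippets above depend on.
    sql = "SELECT userID FROM users WHERE userID = '" + user_id + "' ORDER BY userID"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    # Hardened: the value travels separately from the query text as a bound
    # parameter. The database never parses it as SQL, so quotes, keywords and
    # the OR trick are treated as literal characters of the userID value.
    sql = "SELECT userID FROM users WHERE userID = ? ORDER BY userID"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 'a'='a"  # constructed input using the OR pattern described above
    print("concatenated:", lookup_concat(db, probe))   # every row leaks
    print("parameterised:", lookup_param(db, probe))   # no such user
    print("legitimate:", lookup_param(db, "bob"))       # normal lookup still works
```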

Additional Reading

  • SQLi Prevention Cheat Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
  • Hidden Bonus: Congrats! You found a hidden bonus. As a pentester you often won't find machines showing error messages, so one would have to perform blind SQLi. One can use the substring method to assist with this. Here's a quick example: substring(user_name(),1,5) = 'admin'.
Special thanks to uSploit on the Top Hat Sec forums for a great tutorial. Be sure to check out his blog at http://freedomofwisdom.blog.com/
