In the Name of ALLAH the Most Beneficent and the Merciful
This is just an addup to our collection on different injection points in SQLi, In this tutorial we are going to learn injecting in MSSQL insert Query.
Same as MySQL Insert query injection this too can be done in two way:
1. Error based.
2. Second Order Exploitation
Lets first start with Error Based SQLi, if you read my tutorial on MSSQL Error Based Injection You must already be comfirtable with Error based Injection in MSSQL so we are going to use the same syntax.
Insert Query Example:
How to confirm an Insert based query, well thats pretty simple if you can see the erorr else trial and error method thats what we always do.
1. Error Based
Here too remember the three basic rules of Injecting Close, Inject and then Balance, Let us assume we have an injection in one of the input values in the above query now heres the Error Based Injection Syntax:
Here is a video which Shows practical Error based MSSQLi in Insert Query.
2. Second Order Exploitation
If you know + is used to concatenate two string in MSSQL so we can also use this to concatenate the output of our injection to a field which we can see later somewhere in the application.
For example lets say we have such injection in register form of a site and this is the final Query which it makes to insert our user.
I hope you enjoyed reading the tutorial, will soon be up with more tutorials keep reading and learning.
This is just an addup to our collection on different injection points in SQLi, In this tutorial we are going to learn injecting in MSSQL insert Query.
Same as MySQL Insert query injection this too can be done in two way:
1. Error based.
2. Second Order Exploitation
Lets first start with Error Based SQLi, if you read my tutorial on MSSQL Error Based Injection You must already be comfirtable with Error based Injection in MSSQL so we are going to use the same syntax.
Insert Query Example:
insert into tablename (column1,column2,column3,column4)values(1,'value2','value3','value4');
How to confirm an Insert based query, well thats pretty simple if you can see the erorr else trial and error method thats what we always do.
1. Error Based
Here too remember the three basic rules of Injecting Close, Inject and then Balance, Let us assume we have an injection in one of the input values in the above query now heres the Error Based Injection Syntax:
If input is Integer Based
(select 1 from dual where @@version=1)
If Input is Between Single Quote
'*(select 1 from dual where @@version=1)*'
If Input is Between Double Quotes
'*(select 1 from dual where @@version=1)*'
insert into tablename (column1,column2,column3,column4)values(1,'value2',''*(select 1 from dual where @@version=1)*'','value4');
Here is a video which Shows practical Error based MSSQLi in Insert Query.
2. Second Order Exploitation
If you know + is used to concatenate two string in MSSQL so we can also use this to concatenate the output of our injection to a field which we can see later somewhere in the application.
For example lets say we have such injection in register form of a site and this is the final Query which it makes to insert our user.
Insert into users (name,username,password,address,status)value('your_input_name','your_input_username','your_input_password','your_input_address',1);
Insert into users (name,username,password,address,status)value('your_input_name','your_input_username','your_input_password',''+db_name()+0x3a3a+@@version+0x3a3a+user+'',1);
I hope you enjoyed reading the tutorial, will soon be up with more tutorials keep reading and learning.
