
MSSQL Injection in Cookies

TL;DR

This guide shows how to exploit a Blind MSSQL Injection vulnerability where input is passed via cookies and used in a stacked query. We’ll use time-based injection to extract data.

Understanding the Problem

Blind MSSQL Injection means you can’t directly see the results of your SQL queries. Instead, you infer information based on the server’s response – usually whether a request takes longer than expected (time-based) or produces an error.

Stacked queries allow you to execute multiple SQL statements in one go. This is dangerous because it lets you extract data even if the original query doesn’t return results directly.

Steps to Exploit

  1. Identify the Vulnerable Cookie: Use your browser’s developer tools (usually F12) to inspect cookies sent to the server. Look for a cookie that seems related to user data or session information.
  2. Confirm Injection Point: Modify the value of the suspected cookie slightly and observe the server's response. A simple test is adding a single quote (`'`) to see if it causes an error. If it does, you likely have an injection point.
  3. Determine Database Name: Use time-based injection to find out the database name.
    • The core idea is to use WAITFOR DELAY in your injected query. If the condition is true, the request will be delayed; otherwise, it won’t.
    • Example payload, sent as the cookie's value (COOKIE_NAME and TARGET_URL stand for the actual cookie name and the URL you are testing):
    '; WAITFOR DELAY '0:0:5' --

    If this causes a 5-second delay, you’ve confirmed injection. Now try to guess database names.

    '; IF DB_NAME() = 'your_database_name' WAITFOR DELAY '0:0:5' --

    Replace your_database_name with potential database names. Repeat until you find the correct one.

  4. Determine Table Names: Once you know the database name, use a similar technique to discover table names.
    • The query to list tables is more complex and requires iterating through system views.
    • Example payload (replace COOKIE_NAME, TARGET_URL, and DATABASE_NAME):
    '; IF EXISTS(SELECT * FROM sys.tables WHERE name = 'your_table_name') WAITFOR DELAY '0:0:5' --

    Replace your_table_name with potential table names.

  5. Determine Column Names: After identifying a table, find its column names.
    • Use the following payload (replace values as before):
    '; IF EXISTS(SELECT * FROM sys.columns WHERE object_id = OBJECT_ID('your_table_name') AND name = 'your_column_name') WAITFOR DELAY '0:0:5' --

    Replace your_column_name with potential column names.

  6. Extract Data: Finally, extract the data you need.
    • Use a stacked query to select data from the table.
    • Example payload (replace values as before):
    '; SELECT column1, column2 FROM your_table_name WHERE 1=1 --

    This will attempt to retrieve all rows and columns from the table. You may need to refine this query based on specific conditions.

Important Considerations

  • Encoding: Cookies might be URL-encoded or otherwise encoded. Decode them before injecting, and encode your payloads appropriately.
  • Rate Limiting: Excessive requests can trigger rate limiting or other security measures. Slow down your attacks to avoid detection.
  • Error Handling: Pay attention to any error messages the server returns. They can provide valuable clues about the database structure and injection point.
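On the defensive side, the same traits that make this technique work (a stacked query inside a cookie value, WAITFOR DELAY, and a response that takes about as long as the requested delay) are exactly what a log review should flag. The following detector is an added example, not code from the original post; the log format, the field names and the sample lines are constructed for it, and the cookie values are URL-decoded first, as the Encoding note above requires.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical format: client IP, request,
# status, response time in ms, raw Cookie header). Not from the original page.
SAMPLE_LOGS = [
    '10.0.0.5 "GET /account HTTP/1.1" 200 120ms cookie="session=abc123; lang=en"',
    '10.0.0.9 "GET /account HTTP/1.1" 500 95ms cookie="session=abc123%27"',
    '10.0.0.9 "GET /account HTTP/1.1" 200 5108ms cookie="session=abc123%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20--"',
    '10.0.0.9 "GET /account HTTP/1.1" 200 5090ms cookie="session=abc123%27%3B%20IF%20DB_NAME()%3D%27shop%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27--"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<ms>\d+)ms cookie="(?P<cookie>[^"]*)"$'
)

# T-SQL fragments that have no business inside a cookie value.
SQLI_MARKERS = {
    "stacked_query": re.compile(r"'\s*;"),                                  # quote closes, new statement begins
    "time_delay": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),                 # time-based oracle
    "schema_probe": re.compile(r"\bsys\.(tables|columns)\b|\bDB_NAME\s*\(", re.I),
    "comment_tail": re.compile(r"--\s*$"),                                  # rest of the query commented out
}
SLOW_MS = 4000  # a WAITFOR marker plus a response this slow means the delay actually ran

def decode_cookie(raw: str) -> str:
    # Undo URL-encoding until it stops changing, so double-encoded payloads are caught too.
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur

def analyse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    cookie = decode_cookie(m["cookie"])
    hits = [name for name, rx in SQLI_MARKERS.items() if rx.search(cookie)]
    status, ms = int(m["status"]), int(m["ms"])
    if "time_delay" in hits and ms >= SLOW_MS:
        verdict = "time_based_sqli"      # the injected delay was executed by the database
    elif hits:
        verdict = "sqli_pattern"         # payload seen, but no timing confirmation
    elif "'" in cookie and status == 500:
        verdict = "quote_probe"          # the single-quote test from step 2 broke the query
    else:
        return None
    return {"ip": m["ip"], "verdict": verdict, "markers": hits, "ms": ms}

def scan(lines):
    # Returns one finding per suspicious line; clean lines are dropped.
    return [f for f in (analyse(l) for l in lines) if f]
```

The real fix is never to put the cookie value into the query text at all: bind it as a parameter, and the stacked WAITFOR is just a string the server compares against the session column.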