Case study of a rare MSSQL Injection Vulnerability
The author is going to share a fairly rare vulnerability found in last year's Google rewards program, the only one of its kind the author has encountered throughout his penetration testing career.
The target website uses a Microsoft SQL Server database, and one of its pages has a blind SQL injection. How do we know this? By triggering true/false conditions, of course.
http://bounty/yadayada.asp?id=8888'+AND+'1'+LIKE+'1 --> the page loads normally
http://bounty/yadayada.asp?id=8888'+AND+'2'+LIKE+'1 --> the page is blank.
There is nothing special here; it is a common SQL injection test. But then the problems begin:
1. Manual testing indicates that a blind SQL injection vulnerability exists.
2. The scanner/SQLMap does not work.
3. It seems that a stored procedure is used (uncertain).
I tried multiple methods to produce a POC, but none of them succeeded. After further research, I found that the application only submits integers.
I had no way to do this until I found a method provided by v1d0q at https://rdot.org/forum/showthread.php?t=826 (ps: it is in Russian and I cannot understand it, strong =)
At the time, this was a brand new method to me, but surprisingly it really worked!
http://bounty/yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 --> the page loads normally
http://bounty/yadayada.asp?id=8888'+AND+(@@LANGID>@@TEXTSIZE)+AND+'1'+LIKE+'1 --> the page is blank.
After further reading, I found that I was actually querying Transact-SQL statements in MSSQL whose return type is int or smallint. Generally, each of these has its own value. For example:
@@LANGID: the default value is usually 0 (English)
@@TEXTSIZE: may be larger than 1000
Continuing the test, I tried other Transact-SQL statements to ensure that the results were not false. Indeed, most of the query statements ultimately returned true :)
After submitting this limited POC to the website owner, very luckily, they confirmed the vulnerability and rewarded it!
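A defender's view of the same probes, as an added example that is not part of the original post: a small Python check that URL-decodes request lines from a web-server log and flags query parameters in which MSSQL `@@` functions or variables are compared with each other or with a number, which is exactly the shape of the true/false conditions above. The log format and the sample lines are constructed for this example, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not from the original post's target).
# Assumed format: "<client-ip> <method> <url> <status>", one request per line.
SAMPLE_LOG = """\
10.0.0.5 GET /yadayada.asp?id=8888 200
10.0.0.5 GET /yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 200
10.0.0.5 GET /yadayada.asp?id=8888'+AND+(@@LANGID>@@TEXTSIZE)+AND+'1'+LIKE+'1 200
10.0.0.9 GET /search.asp?q=email%40example.com 200
10.0.0.9 GET /yadayada.asp?id=8888%27+AND+%28%40%40LANGID%3D0%29-- 200
"""

# An @@-prefixed function/variable compared (<, >, =, <=, >=, <>, !=) with
# another @@ function or with an integer literal, after URL decoding.
GLOBAL_COMPARE = re.compile(
    r"@@[A-Za-z_]+\s*(?:<>|[<>=!]=?)\s*(?:@@[A-Za-z_]+|\d+)",
    re.IGNORECASE,
)

def suspicious_params(url: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) pairs whose decoded value contains
    an @@-function comparison. parse_qsl turns '+' into a space and decodes
    %XX escapes, so encoded variants of the same probe are caught too."""
    query = urlsplit(url).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if GLOBAL_COMPARE.search(value):
            hits.append((name, value))
    return hits

def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, url, 'param=decoded value') for each flagged request."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        client, url = parts[0], parts[2]
        for name, value in suspicious_params(url):
            findings.append((client, url, f"{name}={value}"))
    return findings

if __name__ == "__main__":
    for client, url, param in scan_log(SAMPLE_LOG):
        print(f"{client}: {param}")
```

The benign `email%40example.com` value decodes to a single `@` and is not flagged, while the three probe lines are.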
The following is an experiment on a test server:
Note: I still don't understand why, but I will need to spend some time studying it later to find the reason :)