During a routine penetration test I encountered a possibility for SQL injection. The following criteria apply:

- Microsoft SQL Server (2016);
- Query has to start with `SELECT`;
- The semicolon `;` is not allowed to break a statement and to start a new one;
- Everything else is allowed.

I am wondering what the highest possible impact would be for an SQL injection vulnerability like this one. Obviously information disclosure is possible, but I would like to know if it is also possible to actually 'break out' of the `SELECT` statement and to `DROP` a table, for example. What would you suggest for this scenario?