2

During a routine penetration test I encountered a possibility for SQL injection. The following criteria apply:

  • Microsoft SQL Server (2016);
  • Query has to start with SELECT;
  • The semicolon ; is not allowed to break a statement and to start a new one;
  • Everything else is allowed.

I am wondering what the highest possible impact would be for an SQL injection vulnerability like this one. Obviously information disclosure is possible, but I would like to know if it is also possible to actually 'break out' of the SELECT statement and to DROP a table for example. What would you suggest for this scenario?

Vincent
  • I don't know if this is possible, but if you can do something like EXEC (@sqlCommand) in the select command, everything else is possible. – Steve Sether Jul 11 '18 at 18:19

1 Answer

0

I'm not 100% certain on this first detail so I'll defer to anyone who disagrees, but I'm pretty sure that your stipulations mean that it is not possible to break out and execute a DROP, INSERT, UPDATE, or anything other than a simple select.

As a result the worst case scenario is limited to information disclosure, but keep in mind that the worst case scenario is most likely a complete leak of your entire database. With MySQL at least (I'm not familiar with the details of Microsoft SQL Server) the table structure is also stored as tables that can be accessible via a SELECT operation and so SQLi vulnerabilities on a SELECT usually start by first figuring out all column and table names (presuming that you can perform arbitrary SELECT injections - which is what it sounds like). Once you have that it is very easy to join and dump all tables and columns, resulting in a complete copy of your entire database (as well as any other databases that the SQL user has access to).

A quick Google search leads me to believe that database structure is accessible via SQL select commands in Microsoft SQL just like it is in MySQL - ergo a full database copy is possible in the event of a wide open select vulnerability.

Conor Mancone
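The scenario in the question and the answer's point about the catalog tables, as an added example that is not part of the original post or of any project. It uses an in-memory SQLite database as a stand-in for SQL Server (SQLite's `sqlite_master` plays the role of `INFORMATION_SCHEMA.TABLES`), and the sample tables, rows and function names are constructed for the illustration. It shows a SELECT built by string concatenation beside the parameterized version, and that a single-statement rule (here enforced by the driver, which mirrors the question's "no semicolon" condition) still leaves the catalog readable through the concatenated query.

```python
import sqlite3

# Constructed sample data standing in for the target database.
# SQLite is used only so the example runs offline; the same pattern
# applies to SQL Server with INFORMATION_SCHEMA or sys.tables.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO products (name) VALUES ('widget'), ('gadget');
        INSERT INTO customers (email) VALUES ('alice@example.test');
    """)
    return conn


def search_products_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable form: user input is spliced into the SQL text, so the
    # statement still starts with SELECT but its shape is attacker-controlled.
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_products_safe(conn: sqlite3.Connection, term: str) -> list:
    # Hardened form: the query text is fixed and the value is bound as a
    # parameter, so input can never change the statement's structure.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Constructed probe input of the kind the answer describes: a UNION that
# reads the schema catalog instead of the products table.
CATALOG_PROBE = "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"


def stacked_statement_rejected(conn: sqlite3.Connection) -> bool:
    # The sqlite3 driver refuses a second statement after a semicolon,
    # which mirrors the question's constraint. Python raises Warning on
    # older versions and ProgrammingError on newer ones for this case.
    stacked = "x'; DROP TABLE customers --"
    try:
        search_products_vulnerable(conn, stacked)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def catalog_tables_visible(conn: sqlite3.Connection) -> list:
    # Defender-side check: what does the application's database principal
    # see in the catalog? Everything listed here is exposed by a SELECT-only
    # injection, which is why least privilege on the app login matters.
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("normal lookup :", search_products_vulnerable(db, "widget"))
    print("catalog leak  :", sorted(search_products_vulnerable(db, CATALOG_PROBE)))
    print("parameterized :", search_products_safe(db, CATALOG_PROBE))
    print("stacking blocked:", stacked_statement_rejected(db))
    print("tables visible  :", catalog_tables_visible(db))
```

The parameterized version returns nothing for the probe because the whole string is compared as a literal value. On SQL Server the complementary control is least privilege on the application login: catalog views only show metadata for objects the principal owns or has some permission on, so a login that holds exactly the rights the application needs also limits what a SELECT-only injection can enumerate.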