Saturday, February 27, 2016

A Quite Rare MSSQL Injection

Hi,

Going to share a vulnerability that was discovered last year (for bounty program) that for me, quite a rare one and it was the first that I had found since my involvement in pentesting world.

The website was using Microsoft SQL Server and one of the parameter was vulnerable to Blind SQL Injection attack. How did I know? Obviously by triggering the TRUE/FALSE condition.

http://bounty/yadayada.asp?id=8888'+AND+'1'+LIKE+'1 --> page will be loaded normally.
http://bounty/yadayada.asp?id=8888'+AND+'2'+LIKE+'1 --> page will be blank. 

Nothing fancy here. Just a normal/common testing to check on the vulnerability. The problem came after that where:

  1. It is only shows the SQL Injection behaviour in Blind Attack
  2. Scanner/SQLMap was not working
  3. Seems it was using Stored Procedure method (I not sure, I'm noob here)
Few ways tried but none were successful in order for me to provide a working POC to the program. Further analysis I noticed that, the application was actually only able to response integer value with the user's privilege in used.

Had no idea on that until found a post by v1d0q in https://rdot.org/forum/showthread.php?t=826

The last query shown was new to me on that time, but surprisingly it was working!
http://bounty/yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 --> page will be loaded normally.
http://bounty/yadayada.asp?id=8888'+AND+(@@LANGID>@@TEXTSIZE)+'1'+LIKE+'1 --> page will be 
blank
Further read I found that what I was actually trying to query is an existing Transact-SQL inside a MSSQL where its return types is either integer or smallint. And usually, these return types already have their own value.

Such as an example:
@@LANGID usually will be 0 for default (English language)
@@TEXTSIZE can be bigger than 1000

Didn't stop at there, I tried using another Transact-SQL to ensure my result is not a false-positive. And most of the query did the positive job :)
Submitting this limited POC to the program's owner, luckily they view and confirm the issue at their backend as well. Rewarded and satisfied!


Here are examples performed on a testing server.




Disclaimer: I still don't know the exact explanation behind this issue. Need to locate some times and do some research in future :)

References:
https://rdot.org/forum/showthread.php?t=826
https://msdn.microsoft.com/en-us/library/ms186266.aspx
https://msdn.microsoft.com/en-us/library/ms177687.aspx
http://www.sqlservercurry.com/2010/11/change-default-language-for-sql-server.html


Share: