IT Security Lab The Playground for IT Security Specialists and Pentesters

1 Jul 2010

SQL Injection And Tough Integers

We all know how nice it is to be dealing with SQL injection in MS SQL and see error messages enabled. A typical example:

vulnerableweb.com?id=1' or 1=(SELECT @@version)--

...which in this case brings back the MS SQL version inside the error message. But this works only because we can raise a conversion error by comparing a string (the result of SELECT @@version) with an integer (1). What if the output of the query we want to execute is itself an integer? E.g. we are trying to execute something like this:

vulnerableweb.com?id=1' or 1=(SELECT TOP 1 id FROM users)--

ID is an integer, so our old trick will not work this time. So how to raise a verbose error message in this case? Surprisingly, it is not so trivial. You may quickly notice that wrapping the subquery in CONVERT or CAST to varchar does not help: MS SQL implicitly converts the resulting string (e.g. '1') back to int before the comparison, that conversion succeeds, and so no error is raised. But here comes the solution! Take a look at the following query:

select cast(cast((select 1) as decimal(10,2)) as varchar(10))

This converts the int to varchar, but one step earlier the integer is converted to a decimal with a fixed number of digits after the decimal separator (decimal(10,2): precision 10, scale 2, so two digits always follow the separator). So the output of the query is this:

1.00

And this is the kind of varchar which may be happily used in SQL injection exploitation: '1.00' cannot be implicitly converted back to int, so the comparison fails with a conversion error that carries the value. See this example:

vulnerableweb.com?id=1' or 1=(cast(cast((SELECT TOP 1 id FROM users) as decimal(10,2)) as varchar(10)))--

This is it, folks. Happy exploitation! :)
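The other side of the same trick, as an added example that is not part of the original post: the injectable pattern (the raw id parameter concatenated into SQL) next to the parameterized lookup that defuses it, plus a small log check that flags requests carrying the nested decimal/varchar cast chain described above. The table, the request log lines and the function names are constructed for this example; SQLite stands in for the database only so the code runs offline.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: an in-memory table standing in for the site's
# database (SQLite here, while the post discusses MS SQL).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
_conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])

# The payload quoted in the post, as it would arrive in the id parameter.
PAYLOAD = ("1' or 1=(cast(cast((SELECT TOP 1 id FROM users) "
           "as decimal(10,2)) as varchar(10)))--")


def build_query_unsafe(user_id: str) -> str:
    """The injectable pattern: the raw parameter is concatenated into SQL,
    so a quote in the value ends the literal and the rest becomes SQL."""
    return "SELECT name FROM items WHERE id = '" + user_id + "'"


def lookup_item_safe(user_id: str):
    """Hardened lookup: the value is bound as a parameter and is never parsed
    as SQL. Returns the item name, or None when no row matches."""
    row = _conn.execute("SELECT name FROM items WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


# Signature for the nested cast chain from the post:
#   cast(... as decimal(...)) as varchar(...)
_CAST_CHAIN = re.compile(r"cast\s*\(.*as\s+decimal\s*\(.*as\s+varchar", re.I | re.S)

# Common-log-format request line: client ip, request target, status code.
_REQUEST = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample access log: two normal requests, one integer-only
# attempt and one request carrying the cast chain (which the server answered
# with a 500 because the conversion error surfaced).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2010:12:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jul/2010:12:00:01 +0000] "GET /item?id=2 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jul/2010:12:00:03 +0000] "GET /item?id=1%27%20or%201='
    '(SELECT%20TOP%201%20id%20FROM%20users)-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2010:12:00:05 +0000] "GET /item?id=1%27%20or%201='
    '(cast(cast((SELECT%20TOP%201%20id%20FROM%20users)%20as%20decimal(10,2))'
    '%20as%20varchar(10)))-- HTTP/1.1" 500 210',
]


def flag_error_based_cast(log_lines):
    """Return (client_ip, status, decoded_id) for every request whose id
    parameter carries the nested decimal/varchar cast chain."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # parse_qs percent-decodes the values, so the SQL is inspected as sent.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("id", []):
            if _CAST_CHAIN.search(value):
                hits.append((ip, int(status), value))
    return hits


if __name__ == "__main__":
    print("unsafe SQL built from payload:\n  " + build_query_unsafe(PAYLOAD))
    print("safe lookup for '1':", lookup_item_safe("1"))
    print("safe lookup for payload:", lookup_item_safe(PAYLOAD))
    for ip, status, value in flag_error_based_cast(SAMPLE_LOG):
        print(f"flagged {ip} (HTTP {status}): {value}")
```

The parameterized lookup returns nothing for the payload because the whole string is compared as a value, not parsed as SQL. The log check is deliberately narrow: it matches only the cast chain from the post, so the earlier integer-only attempt in the sample log is not flagged. In practice a signature like this is paired with monitoring of 500 responses on parameterized endpoints, since error-based probing of this kind shows up as a burst of database errors from one client.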
