
Testing Dynamic SQL Query with sp_executesql and Variable Declaration in sqlmap #5848

Open
JonhSilver opened this issue Jan 23, 2025 · 0 comments


Description of the Problem

I am trying to test the execution of a dynamic SQL query using sqlmap against a Microsoft SQL Server 2019 database. The query involves declaring and using a variable (@p3) and executing a stored procedure (myprocedurename) dynamically with sp_executesql.

Here is the query I want to test:

-- Declare an integer variable to store the output value of the procedure
DECLARE @p3 INT;
SET @p3 = 0;

-- Execute the stored procedure dynamically using sp_executesql
EXEC sp_executesql 
    -- The dynamic SQL string to execute
    N'EXEC @P0 = myprocedurename @P1, @P2, @P3, @P4, @P5', 
    -- Parameter declarations for the dynamic SQL
    N'@P0 INT OUTPUT, @P1 NVARCHAR(4000), @P2 FLOAT, @P3 NVARCHAR(4000), @P4 INT, @P5 INT', 
    -- Provide parameter values
    @p3 OUTPUT,                                           -- Store the output from the procedure
    N'',                                                  -- Injected WHERE clause; I know injection like 1=1 UNION works here directly
    1000,                                                 -- @top parameter
    N'sdasd',                                           -- @user parameter
    1,                                                    -- @PageNumber parameter
    0;                                                    -- @response_type parameter

-- Output the value of @p3 (if the procedure sets it)
SELECT @p3;

Problem Encountered

When using the above query in sqlmap with the --sql-query parameter, I receive the following error:

OperationalError: (pymssql.exceptions.OperationalError) (137, b'Must declare the scalar variable "@p3".DB-Lib error message 20018, severity 15: General SQL Server error: Check messages from the SQL Server')

It seems that the variable @p3 is not recognized or scoped properly in the query execution context.


Question

  1. How can I properly test such a query with sqlmap?
  2. Are there specific steps to ensure the declaration and usage of variables like @p3 work as expected in a dynamic SQL context within sqlmap?
  3. Should the entire query be wrapped in a BEGIN...END block or saved in a .sql file for testing?

Environment Details

  • SQLmap Version: 1.9.1.2-dev
  • SQL Server Version: Microsoft SQL Server 2019
  • Database Connection String: mssql://rpa_test:pass@10.10.1.1:1433/TEST_DB

Any advice on how to resolve this issue and test the query effectively would be greatly appreciated.
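The post states that the @P1 WHERE-clause argument of myprocedurename is injectable. The following is an added illustration, not code from the issue or from sqlmap, of the stored-procedure pattern that makes a free-text WHERE argument injectable, shown beside a parameterized version; the procedure body, the dbo.Orders table and its column names are assumptions, since the issue does not show myprocedurename.

```sql
-- Assumed shape of myprocedurename (the issue does not show its body).
-- Vulnerable: the caller's @where text is pasted into the dynamic SQL string,
-- so sp_executesql runs whatever predicate (or UNION) the caller supplies.
CREATE OR ALTER PROCEDURE dbo.myprocedurename_vulnerable
    @where NVARCHAR(4000), @top FLOAT, @user NVARCHAR(4000),
    @PageNumber INT, @response_type INT
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT TOP (' + CAST(@top AS NVARCHAR(20)) + N') * FROM dbo.Orders'
        + CASE WHEN @where <> N'' THEN N' WHERE ' + @where ELSE N'' END;
    EXEC sp_executesql @sql;   -- caller-controlled text is now part of the statement
    RETURN 0;                  -- captured by the caller's @P0 OUTPUT variable
END
GO

-- Hardened: the filter is a fixed predicate over typed parameters; input only
-- ever reaches the statement as a parameter value passed to sp_executesql,
-- so it cannot change the statement's structure. Paging replaces the raw TOP.
CREATE OR ALTER PROCEDURE dbo.myprocedurename_hardened
    @status NVARCHAR(50) = NULL, @top INT, @user NVARCHAR(4000),
    @PageNumber INT, @response_type INT
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT * FROM dbo.Orders
          WHERE (@status IS NULL OR Status = @status)
          ORDER BY OrderId
          OFFSET (@PageNumber - 1) * @top ROWS FETCH NEXT @top ROWS ONLY;';
    EXEC sp_executesql @sql,
        N'@status NVARCHAR(50), @top INT, @PageNumber INT',
        @status = @status, @top = @top, @PageNumber = @PageNumber;
    RETURN 0;
END
GO
```

The hardened form keeps the same calling convention (return value, @top, @PageNumber), so the poster's sp_executesql wrapper still works against it, but a value such as 1=1 UNION ... in the filter argument is compared as a literal string rather than executed.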
