I am currently working on a bug bounty program and in one subdomain of my target there is a Blind SQL flaw in a cookie. The back-end is MSSQL/ASP.net however, since cookies are separated by semicolons ";" I can't find a way to try stacked queries.

I know the database instance is running as "sysadmin" user, so stacked queries would allow me to achieve RCE. Is it possible to stack queries in this scenario? If not, is it still possible to achieve RCE (error messages are not displayed)?

  • xkcd.com/1638 — you most likely need to find the appropriate escape character for whatever is reading the cookie. Unfortunately this sounds like it would be a [Blind SQL Injection][1], which will most likely take a decent amount of trial and error. [1]: owasp.org/www-community/attacks/Blind_SQL_Injection Commented Aug 21, 2021 at 20:54
  • Great point, I didn't think about it. It might be an ASP-related function to gather the cookie data; I will look into this, thank you. Commented Aug 21, 2021 at 21:03

1 Answer

I may be a bit too late but, in my case, URL-encoding the entire payload usually works out all right.

For example, when injecting on a cookie value like `TrackingCookie=ASDFAJKLMNOP`:

**ORIGINAL PAYLOAD** => `'; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END -- c`
**BECOMES** => `%27%3B%20SELECT%20CASE%20WHEN%20%281%3D1%29%20THEN%20pg_sleep%2810%29%20ELSE%20pg_sleep%280%29%20END%20--%20c`

It may be worth checking out whether the target's server understands URL-encoded payloads beforehand, if possible. It hasn't happened to me, but it may save you from potentially wasting time during any trial-and-error processes attempted while testing with this method.

The payload was taken directly from PortSwigger's SQL injection cheat sheet and is meant for PostgreSQL databases.

Hope this will prove helpful to you or anyone else attempting (blind) stacked SQLi.
Stay vigilant and stay ethical!
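The answer's point is that a `;` inside a raw cookie value is consumed by the cookie parser, while a percent-encoded `%3B` survives parsing and is only turned back into `;` by whatever decodes the value later. The same fact matters on the defending side: a filter or log rule that inspects the raw Cookie header never sees the semicolon. The following Python script is an added example, not code from the question, the answer or any product; it splits a Cookie header the way most servers do, URL-decodes each value (repeatedly, so a double-encoded value is also normalised) before matching, and reports the stacked-query shape shown above. The sample headers, the cookie names and the keyword list in the signatures are constructed for this illustration.

```python
"""Inspect cookie values for stacked-query shapes after URL-decoding them.

Added example for illustration: the sample headers below are constructed and the
regex signatures are a deliberately small, hypothetical rule set.
"""
import re
from urllib.parse import unquote

# Constructed sample Cookie headers (not taken from the original question).
SAMPLE_COOKIE_HEADERS = [
    # benign
    "TrackingCookie=ASDFAJKLMNOP; session=abc123",
    # the URL-encoded payload from the answer above, sent as a cookie value
    "TrackingCookie=%27%3B%20SELECT%20CASE%20WHEN%20%281%3D1%29%20THEN%20pg_sleep%2810%29"
    "%20ELSE%20pg_sleep%280%29%20END%20--%20c; session=abc123",
    # double-encoded variant of the same idea: %2527 -> %27 -> '
    "TrackingCookie=%2527%253B%2520SELECT%2520pg_sleep%252810%2529%2520--%2520c; session=abc123",
]

# Signatures are applied to the *decoded* value, never to the raw header:
#  - a quote closing a string literal, then ';' and a statement keyword (stacking)
#  - a time-delay primitive, the usual tell of blind, time-based probing
STACKED_RE = re.compile(
    r"['\"]\s*;\s*(select|insert|update|delete|exec|execute|declare|drop|create|alter|waitfor)\b",
    re.IGNORECASE,
)
DELAY_RE = re.compile(r"\b(pg_sleep|sleep|benchmark|waitfor\s+delay)\b", re.IGNORECASE)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header on ';' and each pair on its first '='.

    This mirrors ordinary server behaviour and is exactly why a raw ';' in a
    cookie value never reaches the application as part of that value.
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, bounded to avoid endless loops."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_cookie_header(header: str) -> list:
    """Return (cookie_name, decoded_value, reason) for every cookie that matches."""
    findings = []
    for name, raw in parse_cookie_header(header).items():
        decoded = normalize(raw)
        if STACKED_RE.search(decoded):
            findings.append((name, decoded, "stacked-query pattern"))
        elif DELAY_RE.search(decoded):
            findings.append((name, decoded, "time-delay primitive"))
    return findings


if __name__ == "__main__":
    for header in SAMPLE_COOKIE_HEADERS:
        for name, decoded, reason in scan_cookie_header(header):
            print(f"{reason}: cookie {name!r} decodes to {decoded!r}")
```

Run as a script it prints one line per flagged cookie; `scan_cookie_header` can also be called from a log-processing pipeline on each request's Cookie header. The design choice worth copying is the order of operations: parse, decode to a fixed point, then match. Matching the raw header instead would miss both encoded samples, and decoding only once would miss the double-encoded one.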
