Exploiting a Rare MSSQL Blind Injection via @@LANGID and @@TEXTSIZE

The author details a seldom‑seen MSSQL blind injection discovered during a Google bounty, explaining why automated scanners failed, how manual testing with @@LANGID and @@TEXTSIZE revealed the flaw, and the proof‑of‑concept steps that ultimately earned a reward.

ITPUB

Background

The author encountered an unusual vulnerability while participating in a Google bounty program. The target site ran Microsoft SQL Server and contained a blind SQL injection that could be triggered by manipulating integer parameters.

Initial Observation

Typical manual testing showed the injection:

http://bounty/yadayada.asp?id=8888'+AND+'1'+LIKE+'1 – page loads normally

http://bounty/yadayada.asp?id=8888'+AND+'2'+LIKE+'1 – page returns blank

Although a blind injection was evident, automated tools like SQLMap failed to exploit it, possibly due to the use of stored procedures.

Discovery of a Working Technique

After researching, the author found a method described by user v1d0q on a Russian forum (https://rdot.org/forum/showthread.php?t=826). The technique leverages system variables @@LANGID and @@TEXTSIZE to force a true condition.

Working payloads:

http://bounty/yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 – page loads

http://bounty/yadayada.asp?id=8888'+AND+(@@LANGID>@@TEXTSIZE)+'1'+LIKE+'1 – page blank

Understanding the Variables

@@LANGID defaults to 0 for English, while @@TEXTSIZE is typically larger than 1000. Comparing the two therefore yields a condition that is reliably true (or, with the operands reversed, reliably false), which gives the injection a boolean oracle that bypasses the filter.
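From the defender's side, the probes shown in the Initial Observation and Working payloads sections leave a recognizable trace in web server logs: a single quote closing the string literal, a boolean keyword, and, in the variant that defeated the scanners, a comparison between two MSSQL @@ system variables. The following detector is an added example, not code from the original article or from ITPUB. It assumes Common Log Format lines, the sample log below is constructed to mirror the article's requests, and the two regular expressions are heuristics to tune for your own traffic. It also pairs flagged requests per client, path and parameter and reports where the same probe shape produced both a full and an empty response body, the true/false oracle that boolean-based blind injection depends on.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format). The requests echo the
# probe shapes described in the article; this is test data, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /yadayada.asp?id=8888 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /yadayada.asp?id=8888'+AND+'1'+LIKE+'1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /yadayada.asp?id=8888'+AND+'2'+LIKE+'1 HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /yadayada.asp?id=8888'+AND+(@@TEXTSIZE>@@LANGID)+AND+'1'+LIKE+'1 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /yadayada.asp?id=8888%27+AND+%28%40%40LANGID%3E%40%40TEXTSIZE%29+AND+%271%27+LIKE+%271 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /search.asp?q=@@home+decor HTTP/1.1" 200 3000
"""

# Common Log Format parser (assumption: one request per line, no extra fields).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Heuristic signals (assumptions, tune for your own traffic):
#  quote_break : a single quote directly followed by a boolean keyword, the
#                classic "close the string literal, then append a condition".
#  sysvar_cmp  : an MSSQL @@variable compared with another @@variable or a
#                number, the variant that the article's scanners missed.
QUOTE_BREAK = re.compile(r"'\s*(?:and|or)\b", re.IGNORECASE)
SYSVAR_CMP = re.compile(r"@@\w+\s*(?:<>|!=|>=|<=|[<>=])\s*(?:@@\w+|\d+)", re.IGNORECASE)


def decode_params(target):
    """Split the request target into its path and percent-decoded query parameters."""
    parts = urlsplit(target)
    # parse_qsl decodes %XX sequences and turns '+' into spaces for us.
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def scan_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path, params = decode_params(m.group("target"))
    for name, value in params:
        signals = []
        if QUOTE_BREAK.search(value):
            signals.append("quote_break")
        if SYSVAR_CMP.search(value):
            signals.append("sysvar_cmp")
        if signals:
            return {
                "client": m.group("client"),
                "path": path,
                "param": name,
                "value": value,
                "signals": signals,
                "status": int(m.group("status")),
                "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            }
    return None


def scan_log(text):
    """Run scan_line over every line of a log and keep the findings."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def blind_oracle_pairs(findings):
    """Group flagged requests by (client, path, param) and return the groups in
    which the same probe shape produced both a non-empty and an empty body:
    the true/false oracle a boolean-based blind injection relies on."""
    groups = {}
    for f in findings:
        key = (f["client"], f["path"], f["param"])
        groups.setdefault(key, set()).add(f["bytes"] > 0)
    return sorted(key for key, seen in groups.items() if seen == {True, False})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} {f['path']}?{f['param']}  signals={f['signals']}  bytes={f['bytes']}")
    for client, path, param in blind_oracle_pairs(found):
        print(f"ALERT boolean oracle observed from {client} on {path} parameter {param!r}")
```

On the constructed log the detector flags four of the six requests; the `@@home decor` search is the negative control, because the sysvar rule requires a comparison operator rather than merely the `@@` prefix. Keying the oracle check on response size rather than status code matters here: in the article every probe returned a normal page or a blank one, so a status-only rule would have seen nothing unusual.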

Further Testing

The author experimented with additional Transact‑SQL statements to confirm that most queries returned true, reinforcing the reliability of the approach.

After submitting the limited proof‑of‑concept to the site owner, the vulnerability was confirmed and a bounty awarded.

Conclusion

This case demonstrates that unconventional use of system variables can uncover blind SQL injection paths that evade automated scanners, highlighting the importance of manual ingenuity in security research.

Note: The exact reason why this technique works remains under investigation.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: MSSQL, security research, Google Bounty, Blind Injection
Written by ITPUB, the official ITPUB account sharing technical insights, community news, and exciting events.
