MSSQL Injection

by Vince
in Blog

It's pretty rare for me to find MSSQL injections and when I do, I have to dig through my notes to find the differences between MSSQL and MySQL.  If you search for MSSQL vulnerable applications, you don't really find anything.  On the flip side, do the same for MySQL and you'll find all the Damn Vulnerable stuff plus a bunch of others.  Not to mention the numerous legitimate applications with vulnerabilities. 

Anyway, so I was playing around and in my typical enumeration, I start off with Nmap:

Bypassing str_replace

by Vince
in Blog

According to the documentation, `str_replace`: "Replace all occurrences of the search string with the replacement string".

I seem to recall bypassing this some time ago, or maybe something similar. If I recall correctly, you could double up parts of the input, let the replacement strip some of them out, and end up with exactly the string you wanted. What you see below came from something else, but I pulled it over to my machine because I was trying to figure out if I could get code execution.

PHP Injection

by Vince
in Blog

If your background is development, it's natural to look at pages, code, errors, etc., with a different eye than those of us who come from another avenue. When I see a URL that looks something like:

/id=1

I just automatically assume it's SQL.  The first thing we'll do is insert a single quote to break the SQL statement in hopes that it will throw an error. 