Update: MSSQL Injection Cheat Sheet

I just made some minor additions to the MSSQL Injection Cheat Sheet : Creating Users Deleting Users Assigning Users the DBA privilege

MSSQL Injection Cheat Sheet

Some useful syntax reminders for SQL Injection into MSSQL databases…

Enabling xp_cmdshell for SQL Server 2005

It’s disappointing to exploit a SQL injection, find you’re “sa”, then realise they’ve disabled xp_cmdshell (the default for MSSQL 2005). Fortunately, it’s possible to re-enable it quite easily…

Exfiltrating Data From MS SQL Server Via DNS

Exfiltrating data via Blind SQL Injection vulnerabilities can be slow, or the very least undesirably noisy. DNS may provide a faster alternative if the target system is connected to the Internet.