When using a SQL Server command line tool like sqlcmd, we must submit our SQL statement ending with a semicolon followed by GO on a separate line. However, when running the command remotely, we can omit the GO statement since it's not part of the MSSQL TDS protocol.
list of schema in database:
SELECT*FROMINFORMATION_SCHEMA.SCHEMATA;
list all available database:
master, tempdb, model, and msdb are default databases
To get a list of tables
To get table column names:
To get all the values from the table:
breakdown
Below is an expanded set of notes and useful queries for MSSQL enumeration and usage, including commonly used views, functions, and procedures. This should help fill in the gaps and provide a more comprehensive reference.
Connecting and Running Commands
Using sqlcmd Locally:
-S specifies the server name or IP (e.g., localhost or 192.168.50.18)
-U specifies the username
-P specifies the password
Within sqlcmd, end statements with a semicolon and use GO on a new line to execute.
Example:
Using impacket-mssqlclient (Remote):
No need to use GO when running queries this way, as GO is a sqlcmd batch terminator and not part of the TDS protocol.
Basic Information and System Details
Check the Server Version:
Check Current User / Login:
Check the Current Database:
List All Available Databases:
Default system databases are usually: master, tempdb, model, and msdb.
Switch to a Specific Database:
Enumerating Schemas, Tables, and Columns
List All Schemas in the Current Database:
List All Tables in the Current Database:
List All Tables in Another Database:
List All Columns for a Specific Table:
If you need to qualify with a specific database and schema:
Select All Data From a Table:
Enumerating Users, Logins, and Roles
Enumerating Users, Logins, and Roles
List All Server-Level Principals (Logins):
List All Database Users:
List All Roles in the Current Database:
Check Permissions of the Current User:
System Stored Procedures and Functions
System Stored Procedures and Functions
Show All Databases (System Procedure):
Show Tables in the Current Database:
Get Detailed Info About a Specific Table:
Get Column Details for a Specific Table:
Find the Current Database Name (again, as a function):
Checking Active Connections and Sessions
Checking Active Connections and Sessions
View Current Sessions:
View Currently Running Queries:
Advanced Features
(Might Require Elevated Privileges)
Enable xp_cmdshell (if you have the right permissions):
Use xp_cmdshell to Run OS Commands (If Enabled):
Directory Enumeration Using xp_dirtree:
Other Useful System Views
sys.syslogins (deprecated, but sometimes still accessible) can show logins.
sys.sql_logins can show SQL logins with hashed passwords (in certain conditions).
sys.server_principals and sys.database_principals for detailed user and login info.
Notes on Authentication and Connections
Integrated Authentication / Windows Auth: If you have a valid domain user that can connect with Windows auth:
The -E flag indicates trusted connection using current Windows credentials.
Port Changes: By default, SQL Server uses port 1433. If the instance is listening on a different port, specify it as -S <server>,<port> (e.g., sqlcmd -S 192.168.50.18,1433).
