search

☣️DIOS MSSQL

hashtag
USAGE FOR Simple DIOS: Just put the code in place of vulnerable column and see the magic

hashtag
MSSQL DIOS

hashtag
Gives us all the Tables:

(select+table_name%2b'::' as t+from+information_schema.tables FOR XML PATH(''))

hashtag
Gives us all the Columns:

(select+column_name%2b'::' as t+from+information_schema.columns FOR XML PATH(''))

hashtag
Gives us all the Tables and Columns:

(select+table_name%2b'::'%2bcolumn_name as t+from+information_schema.columns FOR XML PATH(''))

hashtag
----------------------------------------------------------------

hashtag
DIOS with STACKED QUERY

hashtag
"With Stacked Queries we can Execute multiple statements in the same query to extend the possibilities of SQL injections"

hashtag
And in some cases where System.Web.HttpException is enabled there HTML tags will be parsed as dangerous requests so this will work in almost every scenario:

hashtag
HOW TO SEE THE OUTPUT ON WEBPAGE:

hashtag
So dont forget to drop (Delete) that table after running the query:

hashtag
----------------------------------------------------------------

hashtag
----------------------------------------------------------------

hashtag
THE BASIC QUERY: Get all tables In one Query

hashtag
Get all Tables and columns In one Query

hashtag
A little Modifications

hashtag
And in the end here is our Final Query:

Well This Query looks horible but it actually is not. Lets go deep into this Query. with BEGIN and END we declare a Batch/Group of statements to be executed together. Next step is declaring supporting variables for holding table_name, column_name, a counter, one variable that can hold all table_names and column_names and one table with one column which will be acting as a collection which will be used to hold all the tables names.. will explain its use later. Next step is initializing declared variables.. we cannot use these un-initialized variables in SELECT statement.. thats why these are initialized with empty strings.. and @data with database version and database for further display in output.. Next step is WHILE Loop

Above statement will bound this loop to run through all tables. At next step @colNames is re initialized with empty string everytime to hold the coloums of Only One table at a time. The Next step is getting a table_name into @tblName and getting column_name for that table into @colNames and adding values of both @tblName and @colNames into @data Now this part

With the above Query SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME only one table will be fetched. To get next table in next iteration we used NOT IN Clause. But NOT IN Clause need a collection for which we declared a TABLE @tmpTbl with a COLUMN named name. For first time @tmpTbl will b empty so first table_name will b retrieved in @tblName. Then the part INSERT @tmpTbl VALUES(@tblName) each time @tblName value will be inserted in @tmpTbl and when it will goto this line again SELECT @tblName = table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN (select name from @tmpTbl) Next table will b retrieved from this statement and so on. As @tmpTbl have first table_name now and so on. when the loop will end all tables and columns will be added in @data, and then with the below statement

we can store all @data into new table Challenge Here is the complete Query:

Remember to change with %2b becuase is taken as space when sent from URL

For the Challenge site our final query will be like:

PreviousDIOS MYSQLNextDIOS Oracle

Last updated