As a penetration tester interacting with a Microsoft SQL Server (MSSQL), it's important to know certain SQL commands and techniques to help with your assessment. Here are some key commands:
To list all databases on the SQL Server instance:
SELECT name FROM sys.databases;
To check which database you are currently connected to:
SELECT DB_NAME() AS CurrentDatabase;
To list tables in the current database:
SELECT table_name FROM information_schema.tables WHERE table_type = 'BASE TABLE';
To list the columns in a specific table (replace your_table_name with the actual table name):
SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table_name';
To retrieve data from a table (replace your_table_name with the actual table name):
SELECT * FROM your_table_name;
To list users in the current database:
SELECT name FROM sys.database_principals WHERE type IN ('S', 'U', 'G', 'C');