GitBook: [master] one page modified

This commit is contained in:
CPol 2020-09-20 21:14:26 +00:00 committed by gitbook-bot
parent 71dc2c2301
commit fc1853d121
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 15 additions and 0 deletions

@ -1,5 +1,20 @@
# MSSQL Injection
## Active Directory enumeration
It may be possible to **enumerate domain users via SQL injection inside a MSSQL** server using the following MSSQL functions:
* `master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator'))`: If you know the name of the domain \(_MEGACORP_ in this example\) this function will return the **SID of the user Administrator** in hex format. This will look like `0x01050000000[...]0000f401`, note how the **last 4 bytes** are the number **500** in **big endian** format, which is the **common ID of the user administrator**. This function will allow you to **know the ID of the domain** \(all the bytes except of the last 4\).
* `SUSER_SNAME(0x01050000000[...]0000e803)` : This function will return the **username of the ID indicated** \(if any\), in this case **0000e803** in big endian == **1000** \(usually this is the ID of the first regular user ID created\). Then you can imagine that you can bruteforce user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
```python
def get_sid(n):
domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
user = struct.pack('<I', int(n))
user = user.hex()
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
```
## SSRF
**Information taken from** [**https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/\#MSSQL**](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL)\*\*\*\*
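Review bot: the `get_sid` helper closing the Active Directory enumeration section will not run as shown: it calls `struct.pack` with no `import struct`, and the function body has lost its indentation, so Python rejects the `def` block. Suggest adding `import struct` above the function and re-indenting the `domain`, `user` and `return` lines. Separately, the code and the prose disagree on byte order: `struct.pack('<I', int(n))` emits the RID little-endian (1000 becomes `e8030000`), which is how Windows stores the RID in a binary SID, while the bullets say the last 4 bytes are "500 in big endian" and show `0000f401` / `0000e803`. The code is the correct one; the prose and its example hex strings should say little-endian and show `f4010000` / `e8030000`, otherwise a reader hand-building a SID to pass to `SUSER_SNAME` will get no match. Minor: the trailing `\*\*\*\*` after the SSRF source link is leftover markdown and should be dropped.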