Information Gathering
It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
* Requires privileged user
| Description | Query |
|---|---|
| Version | SELECT @@version |
| User | SELECT user() SELECT system_user() |
| Users | SELECT user FROM mysql.user * SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1 |
| Tables | SELECT table_schema, table_name FROM information_schema.tables |
| Columns | SELECT table_name, column_name FROM information_schema.columns |
| Databases | SELECT schema_name FROM information_schema.schemata |
| Current Database Name | SELECT database() |
| Query another Database | USE [database_name]; SELECT database(); SELECT [column] FROM [database_name].[table_name] |
| Number of Columns | SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]' |
| DBA Accounts | SELECT host, user FROM mysql.user WHERE Super_priv = 'Y' |
| Password Hashes | SELECT host, user, password FROM mysql.user |
| Schema | SELECT schema() |
| Path to Data | SELECT @@datadir |
| Read Files | * SELECT LOAD_FILE('/etc/passwd') |
Information Gathering
It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
* Requires privileged user
| Description | Query |
|---|---|
| Version | SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; SELECT version FROM v$instance; |
| User | SELECT user FROM dual |
| Users | SELECT username FROM all_users ORDER BY username; * SELECT name FROM sys.user$; |
| Tables | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| Tables From Column Name | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; |
| Columns | SELECT column_name FROM all_tab_columns WHERE table_name = 'blah'; SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo'; |
| Current Database | SELECT global_name FROM global_name; SELECT name FROM V$DATABASE; SELECT instance_name FROM V$INSTANCE; SELECT SYS.DATABASE_NAME FROM DUAL; |
| Databases | SELECT DISTINCT owner FROM all_tables; |
| DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; |
| Privileges | SELECT * FROM session_privs;(Retrieves Current Privs) * SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; * SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| Location of DB Files | SELECT name FROM V$DATAFILE; |
| Hostname, IP Address | SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; (Gets IP Address) SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; (Gets Hostnames) |
Information Gathering
It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
| Description | Query |
|---|---|
| Version | SELECT @@version; |
| User | SELECT user; SELECT system_user; SELECT user_name(); SELECT loginame from master..sysprocesses where spid = @@SPID |
| Users | SELECT name from master..syslogins |
| Tables | SELECT table_catalog, table_name FROM information_schema.columns |
| Columns | SELECT table_catalog, column_name FROM information_schema.columns |
| Databases | SELECT name from master..sysdatabases; |
| Database Name | SELECT db_name(); |
| Server Name | SELECT @@SERVERNAME |
| Find Stored Procedures | SELECT * from master..sysobjects where name like 'sp%' order by name desc |
| Principal Id from username | SELECT SUSER_ID('sa') |
| Username from Principal Id | SELECT SUSER_NAME(1) |
| Check if Account is Admin | IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E)) SELECT is_srvrolemember('sysadmin'); |
| Policies | SELECT p.policy_id, p.name as [PolicyName], p.condition_id, c.name as [ConditionName], c.facet, c.expression as [ConditionExpression], p.root_condition_id, p.is_enabled, p.date_created, p.date_modified, p.description, p.created_by, p.is_system, t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id |
| Domain User | https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql |
| DB Audits | SELECT a.audit_id, a.name as audit_name, s.name as database_specification_name, d.audit_action_name, d.major_id, OBJECT_NAME(d.major_id) as object, s.is_state_enabled, d.is_group, s.create_date, s.modify_date, d.audited_result FROM sys.server_audits AS a JOIN sys.database_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.database_audit_specification_details AS d ON s.database_specification_id = d.database_specification_id |
| Server Audits | SELECT audit_id, a.name as audit_name, s.name as server_specification_name, d.audit_action_name, s.is_state_enabled, d.is_group, d.audit_action_id, s.create_date, s.modify_date FROM sys.server_audits AS a JOIN sys.server_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id |
| Query history | SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted, (SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2) ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC |
| Enabled audit specifications | https://gist.github.com/nullbind/5da8b5113da007ba0111 |
| Local Administrators in Sysadmin Role | SELECT is_srvrolemember('sysadmin','BUILTIN\Administrators') |
| Domain users and LDAP queries via database links and openrowset | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-SQLDomainUser-Example.sql |
Information Gathering
It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.
| Description | Query |
|---|---|
| Version | SELECT version(); |
| User |
SELECT user; SELECT current_user; SELECT session_user; SELECT usename FROM pg_user; SELECT getpgusername(); |
| Users | SELECT usename FROM pg_user |
| User Password Hashes | SELECT usename, passwd FROM pg_shadow |
| Privileges | SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user |
| List DBA Accounts | SELECT usename FROM pg_user WHERE usesuper IS TRUE |
| Current Database | SELECT current_database() |
| Databases | SELECT datname FROM pg_database |
| Tables | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid) |
| Tables from Column Names | SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid) |
| Columns | SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) |
| Find Stored Procedures |
SELECT proname FROM pg_catalog.pg_namespace n JOIN pg_catalog.pg_proc p ON pronamespace = n.oid WHERE nspname = 'public'; |
| Comments |
SELECT 1; –comment SELECT /*comment*/1; |
| Server Name | |
| Host Name | select inet_server_addr() |
| Listening Port | select inet_server_port(); |
| List Settings | SELECT * FROM pg_settings; |
© 2024 Copyright by NetSPI. All rights reserved.