Information Gathering

It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.

* Requires privileged user

Description Query
Version SELECT @@version
User SELECT user()
SELECT system_user()
Users SELECT user FROM mysql.user
* SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1
Tables SELECT table_schema, table_name FROM information_schema.tables
Columns SELECT table_name, column_name FROM information_schema.columns
Databases SELECT schema_name FROM information_schema.schemata
Current Database Name SELECT database()
Query another Database USE [database_name]; SELECT database();
SELECT [column] FROM [database_name].[table_name]
Number of Columns SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]'
DBA Accounts SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'
Password Hashes SELECT host, user, password FROM mysql.user
Schema SELECT schema()
Path to Data SELECT @@datadir
Read Files * SELECT LOAD_FILE('/etc/passwd')

Information Gathering

It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.

* Requires privileged user

Description Query
Version SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;
User SELECT user FROM dual
Users SELECT username FROM all_users ORDER BY username;
* SELECT name FROM sys.user$;
Tables SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Tables From Column Name SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';
Columns SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';
Current Database SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;
Databases SELECT DISTINCT owner FROM all_tables;
DBA Accounts SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';
Privileges SELECT * FROM session_privs;(Retrieves Current Privs)
* SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP';
* SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY';
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
Location of DB Files SELECT name FROM V$DATAFILE;
Hostname, IP Address SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; (Gets IP Address)
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; (Gets Hostnames)

Information Gathering

It is often valuable to gather information about any testing environment; version numbers, user accounts, and databases all help in escalating vulnerabilities. Below are common methods for this.

Description Query
Version SELECT @@version;
User SELECT user;
SELECT system_user;
SELECT user_name();
SELECT loginame from master..sysprocesses where spid = @@SPID
Users SELECT name from master..syslogins
Tables SELECT table_catalog, table_name FROM information_schema.columns
Columns SELECT table_catalog, column_name FROM information_schema.columns
Databases SELECT name from master..sysdatabases;
Database Name SELECT db_name();
Server Name SELECT @@SERVERNAME
Find Stored Procedures SELECT * from master..sysobjects where name like 'sp%' order by name desc
Principal Id from username SELECT SUSER_ID('sa')
Username from Principal Id SELECT SUSER_NAME(1)
Check if Account is Admin IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))
SELECT is_srvrolemember('sysadmin');
Policies SELECT p.policy_id, p.name as [PolicyName], p.condition_id, c.name as [ConditionName], c.facet, c.expression as [ConditionExpression], p.root_condition_id, p.is_enabled, p.date_created, p.date_modified, p.description, p.created_by, p.is_system, t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id
Domain User https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql
DB Audits SELECT a.audit_id, a.name as audit_name, s.name as database_specification_name, d.audit_action_name, d.major_id, OBJECT_NAME(d.major_id) as object, s.is_state_enabled, d.is_group, s.create_date, s.modify_date, d.audited_result FROM sys.server_audits AS a JOIN sys.database_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.database_audit_specification_details AS d ON s.database_specification_id = d.database_specification_id
Server Audits SELECT audit_id, a.name as audit_name, s.name as server_specification_name, d.audit_action_name, s.is_state_enabled, d.is_group, d.audit_action_id, s.create_date, s.modify_date FROM sys.server_audits AS a JOIN sys.server_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id
Query history SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted,
(SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2)
ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC
Enabled audit specifications https://gist.github.com/nullbind/5da8b5113da007ba0111
Local Administrators in Sysadmin Role SELECT is_srvrolemember('sysadmin','BUILTIN\Administrators')
Domain users and LDAP queries via database links and openrowset https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/Get-SQLDomainUser-Example.sql

© 2018 Copyright by NetSPI. All rights reserved.