信息收集

MySQL

描述 查询语句
版本
SELECT @@version
数据库用户

SELECT user()

SELECT system_user()

查询用户

SELECT user FROM mysql.user

SELECT Super_priv FROM mysql.user WHERE user= 'root' LIMIT 1,1

SELECT table_schema, table_name FROM information_schema.tables
SELECT table_name, column_name FROM information_schema.columns
数据库
SELECT schema_name FROM information_schema.schemata
当前数据库
SELECT database()
查询其它数据库

USE [database_name];

SELECT database();

SELECT [column] FROM [database_name].[table_name]

列数
SELECT count(*) FROM information_schema.columns WHERE table_name = '[table_name]'
数据库管理员账户
SELECT host, user FROM mysql.user WHERE Super_priv = 'Y'
查询密码HASH
SELECT host, user, password FROM mysql.user
Schema
SELECT schema()
数据路径
SELECT @@datadir
读取文件
SELECT LOAD_FILE('/etc/passwd')

Oracle

描述 查询语句
版本

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
SELECT version FROM v$instance;

数据库用户
SELECT user FROM dual
用户查询
SELECT username FROM all_users ORDER BY username; SELECT name FROM sys.user$;

SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;

查询列中的表
SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%';

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';

SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';

当前数据库

SELECT global_name FROM global_name;
SELECT name FROM V$DATABASE;
SELECT instance_name FROM V$INSTANCE;
SELECT SYS.DATABASE_NAME FROM DUAL;

数据库查询
SELECT DISTINCT owner FROM all_tables;
数据库管理员账户
SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';
特殊权限

SELECT * FROM session_privs;(Retrieves Current Privs)
SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP';
SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY';
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

查看数据库文件位置
SELECT name FROM V$DATAFILE;
查询主机名以及IP地址

SELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; (Gets IP Address)
SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; (Gets Hostnames)

SQL Server

描述 查询语句
版本
SELECT @@version;
数据库用户

SELECT user;
SELECT system_user;
SELECT user_name();
SELECT loginame from master..sysprocesses where spid = @@SPID

查询用户
SELECT name from master..syslogins
SELECT table_catalog, table_name FROM information_schema.columns
SELECT table_catalog, column_name FROM information_schema.columns
数据库
SELECT name from master..sysdatabases;
数据库名
SELECT db_name();
服务器名
SELECT @@SERVERNAME
查询存储过程
SELECT * from master..sysobjects where name like 'sp%' order by name desc
查询用户名主体ID
SELECT SUSER_ID('sa')
同上
SELECT SUSER_NAME(1)
检查用户是否为管理员

IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))

SELECT is_srvrolemember('sysadmin');

检查管理员是否具有本地管理员权限
SELECT is_srvrolemember('sysadmin','SNOWWOLF\Administrators')
  • 策略
SELECT p.policy_id, p.name as [PolicyName], p.condition_id, c.name as [ConditionName], c.facet, c.expression as [ConditionExpression], p.root_condition_id, p.is_enabled, p.date_created, p.date_modified, p.description, p.created_by, p.is_system, t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id
  • 域查询
-- Script: Get-SQLDomainUser-Example.sql
-- Description: Use OLE DB ADSI connections to grab a list of domain users via SQL Server links (OpenQuery) and adhoc queries (OpenRowSet).
-- Author: Scott Sutherland, NetSPI 2017


--------------------------------------
-- Create SQL Server link to ADSI
--------------------------------------
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI') = 0
	EXEC master.dbo.sp_addlinkedserver @server = N'ADSI', 
	@srvproduct=N'Active Directory Service Interfaces', 
	@provider=N'ADSDSOObject', 
	@datasrc=N'adsdatasource'
ELSE
	SELECT 'The target SQL Server link already exists.'	
GO

-- Verify the link was created 
SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject'

-- Configure ADSI link to Authenticate as current user
EXEC sp_addlinkedsrvlogin 
	@rmtsrvname=N'ADSI',
	@useself=N'True',
	@locallogin=NULL,
	@rmtuser=NULL,
	@rmtpassword=NULL
GO


--------------------------------------
-- Create SQL Server link to ADSI2
--------------------------------------
IF (SELECT count(*) FROM master..sysservers WHERE srvname = 'ADSI2') = 0
	EXEC master.dbo.sp_addlinkedserver @server = N'ADSI2', 
	@srvproduct=N'Active Directory Service Interfaces', 
	@provider=N'ADSDSOObject', 
	@datasrc=N'adsdatasource'
ELSE
	SELECT 'The target SQL Server link already exists.'
	-- EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins'
	
GO

-- Verify the link was created 
SELECT * FROM master..sysservers WHERE providername = 'ADSDSOObject'

-- Configure the ADSI2 link to Authenticate as provided domain user
EXEC sp_addlinkedsrvlogin 
@rmtsrvname=N'ADSI2',
@useself=N'False',
@locallogin=NULL,
@rmtuser=N'Domain\User',
@rmtpassword=N'Password123!'
GO


--------------------------------------
-- Run basic LDAP queries - OpenQuery
--------------------------------------

-- sa as current failed, but sysadmin domain user works
SELECT * FROM OpenQuery(ADSI,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')

-- provided domain user works
SELECT * FROM OpenQuery(ADSI2,'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')

-- sa as current failed, but sysadmin domain user works
SELECT * FROM OpenQuery(ADSI, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM  ''LDAP://domain'' WHERE objectClass =  ''User'' ') AS tblADSI

-- provided domain user works
SELECT * FROM OpenQuery(ADSI2, 'SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath FROM  ''LDAP://domain'' WHERE objectClass =  ''User'' ') AS tblADSI


--------------------------------------
-- Remove links and login mappings
--------------------------------------
EXEC master.dbo.sp_dropserver @server=N'ADSI', @droplogins='droplogins'
EXEC master.dbo.sp_dropserver @server=N'ADSI2', @droplogins='droplogins'


--------------------------------------
-- Enabled adhoc queries on the server
--------------------------------------
EXEC master.sys.sp_configure 'Show Advanced Options',1
reconfigure
go

EXEC master.sys.sp_configure 'Ad Hoc Distributed Queries',1
reconfigure
go


--------------------------------------
-- Run basic LDAP queries - OpenRowSet
--------------------------------------
-- Need to confirm which scenario run as service account.

-- Run without credential in syntax option 1 - works as sa
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','adsdatasource','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath
FROM ''LDAP://domain''
WHERE objectClass =  ''User'' ')

-- Run with credential in syntax option 1 - works as sa
SELECT *
FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;','SELECT samaccountname,name,admincount,whencreated,whenchanged,adspath
FROM ''LDAP://domain''
WHERE objectClass =  ''User'' ')

-- Run with credential in synatx option 2 - works as sa login
SELECT * 
FROM OPENROWSET('ADSDSOOBJECT','User ID=domain\user; Password=Password123!;',
'<LDAP://domain>;(&(objectCategory=Person)(objectClass=user));samaccountname,name,admincount,whencreated,whenchanged,adspath;subtree')
  • 数据库审计
SELECT a.audit_id, a.name as audit_name, s.name as database_specification_name, d.audit_action_name, d.major_id, OBJECT_NAME(d.major_id) as object, s.is_state_enabled, d.is_group, s.create_date, s.modify_date, d.audited_result FROM sys.server_audits AS a JOIN sys.database_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.database_audit_specification_details AS d ON s.database_specification_id = d.database_specification_id
  • 服务器审计
SELECT audit_id, a.name as audit_name, s.name as server_specification_name, d.audit_action_name, s.is_state_enabled, d.is_group, d.audit_action_id, s.create_date, s.modify_date FROM sys.server_audits AS a JOIN sys.server_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id
  • 查询历史记录
SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted,(SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2)ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC
  • 审计规范
-- List enabled server specifications
SELECT		audit_id, 
		a.name as audit_name, 
		s.name as server_specification_name,
		d.audit_action_name,
		s.is_state_enabled,
		d.is_group,
		d.audit_action_id,	
		s.create_date,
		s.modify_date
FROM sys.server_audits AS a
JOIN sys.server_audit_specifications AS s
ON a.audit_guid = s.audit_guid
JOIN sys.server_audit_specification_details AS d
ON s.server_specification_id = d.server_specification_id
WHERE s.is_state_enabled = 1

-- List enabled database specifications
SELECT	a.audit_id,
		a.name as audit_name,
		s.name as database_specification_name,
		d.audit_action_name,
		s.is_state_enabled,
		d.is_group,
		s.create_date,
		s.modify_date,
		d.audited_result
FROM sys.server_audits AS a
JOIN sys.database_audit_specifications AS s
ON a.audit_guid = s.audit_guid
JOIN sys.database_audit_specification_details AS d
ON s.database_specification_id = d.database_specification_id
WHERE s.is_state_enabled = 1

PostgreSQL

描述 查询语句
版本
SELECT version();
数据库用户

SELECT user;

SELECT current_user;

SELECT session_user;

SELECT usename FROM pg_user;

SELECT getpgusername();

用户
SELECT usename FROM pg_user
用户密码HASH
SELECT usename, passwd FROM pg_shadow
权限
SELECT usename, usecreatedb, usesuper, usecatupd FROM pg_user
列出DBA账户
SELECT usename FROM pg_user WHERE usesuper IS TRUE
当前数据库
SELECT current_database()
查询数据库
SELECT datname FROM pg_database
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)
列值表名
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,”) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)
列值
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’)
查询存储过程
SELECT proname FROM pg_catalog.pg_namespace n JOIN pg_catalog.pg_proc p ON pronamespace = n.oid WHERE nspname = 'public';
注释

SELECT 1; –comment

SELECT /*comment*/1;

主机名
select inet_server_addr()
列出监听端口
select inet_server_port();
列出设置内容
SELECT * FROM pg_settings;