Re: SQLInjecting DB2

From: Frederic Charpentier (fcharpen@xmcopartners.com)
Date: Fri Feb 18 2005 - 11:35:49 EST


hi,

have you tried such a request:
?param=' union select 1 from SYSCAT.COLUMNS;

maybe you can retrieve better error messages.

also, sometimes the error message becomes more explicit with a request
like: "?param=aaaaaaaaaaaaa'aaa'aaaaaaaaa' OR 1=1 --" instead of
"?param='--". I don't know why, maybe it's due to the sql buffer.

I saw you work on websphere, maybe you can have a look at the latest
advisories (jsp source code disclosure with unicode in the url):

http://www-1.ibm.com/support/docview.wss?uid=swg24008814

Fred.

Andres Molinetti wrote:
> Hi, I'm currently testing a Websphere/DB2 Web Application of one of our
> clients.
> I've found that it is vulnerable to SQL Injection.
> I 've also discovered that there is a table named SYSTABLES with a NAME
> column in it.
>
> Using the "GROUP by 1--" trick I've discovered two columns in the table
> over which the query is being executed.
> After doing "GROUP by A, B--", I get no more errors, so I assume that
> only these two columns are taking part in the query.. (is that ok?)
>
> Column A is probably CLOB or VARCHAR and B probably an INTEGER. (any
> way to confirm this?)
>
> I can say this because I've tried this query: ' AND A=CLOB('A')--
> and it returns no error
> when this one: ' AND A=BIGINT(132123)--
> returns error on type comparison
>
> So then I proceeded to do a: ' UNION ALL SELECT 1 FROM SYSTABLES--
> Then I get "Error 500: java.sql.SQLException: [SQL0415] Operandos UNION
> no compatibles."
>
> I suppose that the column types are different.
>
> Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
> Then I get "Error 500: java.sql.SQLException: [SQL0421] Número de
> operandos UNION no igual."
> Meaning that the number of columns is not equal...
>
> Here are my questions:
> 1). Is there any way to get the "original" table name (the one where
> the original query executes)?
> 2). I've done a script that checks for different column numbers and it
> has already tested with about 200 columns, and it keeps saying that the
> number of operands is not equal. What could be happening?
>
> Any ideas would be greatly appreciated!!
>
> Thanks, Andy
>

-- 
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com
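The thread above turns on two things: the application builds its SQL by concatenating the request parameter, and it returns the raw java.sql.SQLException text (column-count and type-mismatch errors) to the client, which is exactly what lets the UNION / GROUP BY probing work. The following is an added example, not code from either poster or from the application under test. It uses Python's built-in sqlite3 as a stand-in for DB2/JDBC (an assumption: the error text differs, the mechanism does not), with a constructed two-column table, and places the vulnerable concatenation beside the parameterized form and a servlet-style handler that logs the database error server-side but sends only a generic message back.

```python
import sqlite3

# Constructed demo schema standing in for the two-column table behind
# the original query (column A text, column B integer). sqlite3 is used
# only because it ships with Python; DB2 via JDBC behaves the same way.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (a TEXT, b INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 1), ("gadget", 2)])
    return conn


def lookup_vulnerable(conn, param):
    """String concatenation: the request parameter is parsed as SQL, so a
    quote in it changes the statement and any resulting database error
    describes the real query's shape."""
    sql = "SELECT a, b FROM products WHERE a = '" + param + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, param):
    """Bind parameter (PreparedStatement in JDBC terms): the value is sent
    as data, never re-parsed, so quotes, comments and UNION are inert."""
    return conn.execute("SELECT a, b FROM products WHERE a = ?",
                        (param,)).fetchall()


# Server-side log of detailed database errors (constructed, in-memory).
SERVER_LOG = []


def handle_request(conn, param, lookup):
    """Simulates the servlet layer. Returns (http_status, body). Detailed
    SQL errors go to the server log; the client only ever sees a generic
    message, so a broken query cannot be used as an oracle."""
    try:
        return 200, lookup(conn, param)
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"db error for param={param!r}: {exc}")
        return 500, "internal error"


if __name__ == "__main__":
    db = make_db()
    # Payloads taken from the thread; the vulnerable path answers them,
    # the hardened path treats them as literal product names.
    for payload in ("' OR 1=1 --",
                    "' UNION ALL SELECT 1 FROM products--"):
        print("vulnerable:", handle_request(db, payload, lookup_vulnerable))
        print("hardened:  ", handle_request(db, payload, lookup_hardened))
    for line in SERVER_LOG:
        print("log:", line)
```

Run stand-alone, the vulnerable path returns every row for the OR 1=1 payload and a 500 for the one-column UNION (the column-count error is in SERVER_LOG, not in the response body), while the hardened path returns 200 with an empty result for both. The two fixes are independent: binding parameters removes the injection, and the generic error response removes the information leak that made the enumeration in the thread possible even where a query is still vulnerable.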


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT