Re: SQLInjecting DB2
From: Frederic Charpentier (fcharpen_at_xmcopartners.com)
Date: 02/18/05
- Previous message: chris_at_compucounts.com: "Bypassing NTFS ACL"
- In reply to: Andres Molinetti: "SQLInjecting DB2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Feb 2005 17:35:49 +0100 To: Andres Molinetti <andymolinetti@hotmail.com>
hi,
have you tried a such request :
?param=' union select 1 from SYSCAT.COLUMNS;
maybe you can retrieve better error messages .
also, sometimes the error message becomes more explicit with a request
like : "?param=aaaaaaaaaaaaa'aaa'aaaaaaaaa' OR 1=1 --" instead of
"?param='--". I don't know why, maybe it's due to sql buffer.
I saw you work on websphere, maybe you can have a look to the last
advisories (jsp source code disclosure with unicode in the url) :
http://www-1.ibm.com/support/docview.wss?uid=swg24008814
Fred.
Andres Molinetti wrote:
> Hi, I'm currently testing a Websphere/DB2 Web Application of one of our
> clients.
> I've found that it is vulnerable to SQL Injection.
> I 've also discovered that there is a table named SYSTABLES with a NAME
> column in it.
>
> Using the "GROUP by 1--" trick I've discovered two columns in the table
> over which the query is being executed.
> After doing "GROUP by A, B--", I get no more errors, so I asume that
> only these two columns are taking part on the query..(is that ok?)
>
> Column A is probaby CLOB or VARCHAR and B probably and INTEGER. (any
> whay to confirm this?)
>
> I can say this because I've tried this query: ' AND A=CLOB('A')--
> and it returns no error
> when this one: ' AND A=BIGINT(132123)--
> returns error on type comparison
>
> So then I proceeded to do a: ' UNION ALL SELECT 1 FROM SYSTABLES--
> Then I get "Error 500: java.sql.SQLException: [SQL0415] Operandos UNION
> no compatibles."
>
> I suppose that the column types are different.
>
> Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
> Then I get "Error 500: java.sql.SQLException: [SQL0421] Número de
> operandos UNION no igual."
> Meaning that the number of columns are not equal...
>
> Here are my questions:
> 1). Is there any way to get the "original" table name (the one where
> the original query executes)?
> 2). I've done a script that checks for different column numbers and it
> have already tested with about 200 columns, and it keep saying that
> number of operands is not equal. What could be happening?
>
> Any ideas would be greatly appreciated!!
>
> Thanks, Andy
>
> _________________________________________________________________
> Un amor, una aventura, compañía para un viaje. Regístrate gratis en MSN
> Amor & Amistad. http://match.msn.es/match/mt.cfm?pg=channel&tcid=162349
>
>
-- _______________________________________ Frederic Charpentier - Xmco Partners Security Consulting / Pentest web : http://www.xmcopartners.com
- Previous message: chris_at_compucounts.com: "Bypassing NTFS ACL"
- In reply to: Andres Molinetti: "SQLInjecting DB2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
