DB2 - SQL Injection
From: Andres Molinetti (andymolinetti_at_hotmail.com)
Date: 02/21/05
To: pen-test@securityfocus.com Date: Mon, 21 Feb 2005 19:17:45 +0000
I have already posted this a few days ago, but this time I have gathered
more information and I think this would be a bit less fuzzy than the
previous one:

I'm pen-testing a web app with a DB2 database.
I have found it is vulnerable to SQL Injection, but I'm having some problems
performing a UNION query to get data from other tables.

I suppose the original query is like this:

SELECT Cod,Desc FROM TB1 WHERE Desc='

(if I append: ' OR 1=1-- I get all rows returned)

so I have appended this string:

' UNION ALL SELECT 'A', 'A' FROM SYSTABLES --

Table TB1 has the following structure:
. Cod (char)
. Desc (char)
. FH (timestmp)
. Upd (char)

so... selecting 'A','A' should match column types... anyway I'm still getting
"UNION operands are not compatible".

Any ideas?

Thanks in advance,
Andy