SQLInjecting DB2

["Andres Molinetti" <andymolinetti () hotmail com>]

Hi, I'm currently testing a Websphere/DB2 Web Application of one of our 
clients.
I've found that it is vulnerable to SQL Injection.
I 've also discovered that there is a table named SYSTABLES with a NAME 
column in it.

Using the "GROUP by 1--" trick I've discovered two columns in the table over 
which the query is being executed.
After doing "GROUP by A, B--", I get no more errors, so I asume that only 
these two columns are taking part on the query..(is that ok?)

Column A is probaby CLOB or VARCHAR and B probably and INTEGER. (any whay to 
confirm this?)

I can say this because I've tried this query: ' AND A=CLOB('A')--
and it returns no error
when this one: ' AND A=BIGINT(132123)--
returns error on type comparison

So then I proceeded to do a:  ' UNION ALL SELECT 1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0415] Operandos UNION no 
compatibles."

I suppose that the column types are different.

Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0421] Número de operandos 
UNION no igual."
Meaning that the number of columns are not equal...

Here are my questions:
1). Is there any way to get the "original" table name (the one  where the 
original query executes)?
2). I've done a script that checks for different column numbers and it have 
already tested with about 200 columns, and it keep saying that number of 
operands is not equal. What could be happening?

Any ideas would be greatly appreciated!!

Thanks, Andy

_________________________________________________________________
Un amor, una aventura, compañía para un viaje. Regístrate gratis en MSN Amor 
& Amistad. http://match.msn.es/match/mt.cfm?pg=channel&tcid=162349