Penetration Testing mailing list archives

Re: SQLInjecting DB2


From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Fri, 18 Feb 2005 17:35:49 +0100

hi,

have you tried such a request:
?param=' union select 1 from SYSCAT.COLUMNS;

maybe you can retrieve better error messages.

also, sometimes the error message becomes more explicit with a request like "?param=aaaaaaaaaaaaa'aaa'aaaaaaaaa' OR 1=1 --" instead of "?param='--". I don't know why; maybe it's due to the SQL buffer.

I saw you work on WebSphere; maybe you can have a look at the latest advisories (JSP source code disclosure with Unicode in the URL):

http://www-1.ibm.com/support/docview.wss?uid=swg24008814

Fred.

Andres Molinetti wrote:
Hi, I'm currently testing a Websphere/DB2 Web Application of one of our clients.
I've found that it is vulnerable to SQL Injection.
I've also discovered that there is a table named SYSTABLES with a NAME column in it.

Using the "GROUP by 1--" trick I've discovered two columns in the table over which the query is being executed. After doing "GROUP by A, B--", I get no more errors, so I assume that only these two columns are taking part in the query. (Is that OK?)

Column A is probably CLOB or VARCHAR and B probably an INTEGER. (Any way to confirm this?)

I can say this because I've tried this query: ' AND A=CLOB('A')--
and it returns no error,
while this one: ' AND A=BIGINT(132123)--
returns an error on type comparison.

So then I proceeded to do: ' UNION ALL SELECT 1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0415] Operandos UNION no compatibles."

I suppose that the column types are different.

Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0421] Número de operandos UNION no igual."
Meaning that the number of columns is not equal...

Here are my questions:
1) Is there any way to get the "original" table name (the one where the original query executes)?
2) I've written a script that checks for different column numbers, and it has already tested with about 200 columns, and it keeps saying that the number of operands is not equal. What could be happening?

Any ideas would be greatly appreciated!!

Thanks, Andy




--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com
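The thread above is an exercise in reading a DB2 application's error messages while the user value is spliced straight into the SQL text; the fix on the application side is parameter binding, and the probes themselves are easy to spot in access logs. The following is an added example (not code from this thread, from IBM or from Xmco Partners): it uses SQLite from the Python standard library as a stand-in for DB2, with a constructed two-column application table, a constructed SYSTABLES/NAME table standing in for the catalog table named in the thread, and constructed access-log lines. All function names are this example's own.

```python
"""Vulnerable string concatenation beside a bound-parameter query, plus a small
access-log check for the probe shapes discussed in the thread.
Added example using SQLite as a DB2 stand-in; tables and log lines are constructed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed fixture: the application's two-column table, and a stand-in for
# the SYSTABLES catalog table (real DB2 has SYSIBM.SYSTABLES / SYSCAT.TABLES).
SEED_SQL = """
CREATE TABLE items (A TEXT, B INTEGER);
INSERT INTO items VALUES ('widget', 10), ('gadget', 20);
CREATE TABLE SYSTABLES (NAME TEXT);
INSERT INTO SYSTABLES VALUES ('ITEMS'), ('ORDERS'), ('CUSTOMERS');
"""


def open_db():
    """Fresh in-memory database with the constructed fixture loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def query_vulnerable(param):
    """The pattern the thread is exploiting: the request value is pasted into the SQL text.
    Returns the result rows, or the engine's error text (what a probing client reads back,
    the SQLite counterpart of SQL0421 'number of UNION operands not equal')."""
    conn = open_db()
    sql = "SELECT A, B FROM items WHERE A = '" + param + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)


def query_safe(param):
    """Bound parameter: the same value is compared as data, never parsed as SQL,
    so a UNION probe simply matches no row."""
    conn = open_db()
    return conn.execute("SELECT A, B FROM items WHERE A = ?", (param,)).fetchall()


# Detection side: request URIs that look like the probes in the thread.
PROBE_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("group-by-column-count", re.compile(r"group\s+by\s+\d", re.I)),
    ("quote-boolean", re.compile(r"'\s*(or|and)\s+\S+=\S+", re.I)),
]

# Constructed access-log lines (CLF); the encoded query strings are the thread's own probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2005:17:35:49 +0100] "GET /app/list.jsp?param=widget HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Feb/2005:17:36:02 +0100] "GET /app/list.jsp?param=%27+GROUP+BY+1-- HTTP/1.1" 500 301',
    '10.0.0.5 - - [18/Feb/2005:17:36:10 +0100] "GET /app/list.jsp?param=%27+UNION+ALL+SELECT+1%2C1+FROM+SYSTABLES-- HTTP/1.1" 500 301',
]


def suspicious_requests(log_lines):
    """Return (line_number, rule_name) for each request whose decoded URI matches a probe rule."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = re.search(r'"(?:GET|POST) (\S+)', line)
        if not match:
            continue
        uri = unquote_plus(match.group(1))  # %27 -> ', + -> space
        for name, pattern in PROBE_PATTERNS:
            if pattern.search(uri):
                hits.append((number, name))
                break
    return hits


if __name__ == "__main__":
    probe = "' UNION ALL SELECT 1,1 FROM SYSTABLES--"
    print("vulnerable:", query_vulnerable(probe))   # catalog rows leak through the UNION
    print("safe:      ", query_safe(probe))         # no row has that literal value
    print("log hits:  ", suspicious_requests(SAMPLE_LOG))
```

Running the block shows why the one-column probe in the thread fails and the two-column one succeeds: SQLite reports a column-count mismatch for `' UNION ALL SELECT 1 FROM SYSTABLES--` just as DB2 reports SQL0421, while the bound-parameter version returns an empty result for any of these values. Note that SQLite's dynamic typing means it will not raise a type-mismatch error like SQL0415 for `SELECT 1,1` against a text column; DB2 does, which is what the thread's author hit.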

