Penetration Testing mailing list archives
SQL Injection with DB2 and ASP
From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Fri, 07 Jan 2005 15:38:07 +0100
Hi list!

I'm wondering if someone has experiences to share about SQL injection specifically with DB2 and ASP.

The SQL flaw found:

Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[IBM][CLI Driver][DB2/NT]

I've already tested common SQL tricks, like "having or group by", to obtain info. The problem here is that the underlying SQL command is a SELECT which returns a blob field (a binary file).

So, my question is: are there specific DB2 commands (like xp_cmdshell with MSSQL) to perform things like this: script.asp?p=3'; db2.specific.cmd ; .....

Thanks in advance.

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com