DB2 DIOS (Dump In One Shot)

Context

This article guides you through performing a DB2 DIOS (Dump In One Shot) attack. This technique leverages SQL injection to exfiltrate large volumes of data efficiently from IBM DB2 databases using XML functions. Before attempting this, you should understand SQL query structure, how XML functions operate within SQL, and general data exfiltration methods.

Theory

DB2 DIOS Attack Overview

DB2 DIOS is a sophisticated SQL injection technique that enables attackers to extract significant amounts of information in a single query. The primary advantage of this approach is its efficiency in exfiltrating data by reducing the number of interactions with the database. It operates by crafting a single complex query that can dump entire tables or specific columns by utilizing the XML functions in DB2.

This attack takes advantage of SQL injection vulnerabilities within applications to execute arbitrarily complex queries. By aggregating multiple rows of data into one single response, it minimizes the footprint and overhead typically associated with data extraction processes.

XML Functions in DB2

XML functions are pivotal to the DB2 DIOS technique. Two crucial XML functions used in this process are XMLAGG and XMLROW.

  • XMLAGG: This function aggregates multiple rows of database output into a single XML document. It is particularly useful in scenarios where the attacker wishes to condense extensive data records into one manageable structure for easier exfiltration.

  • XMLROW: This function formats individual rows of data into XML elements. By structuring data rows as XML, attackers can neatly organize and extract data, simplifying the processing and retrieval of sensitive information.

Bulk Data Exfiltration

The core goal of the DB2 DIOS attack is bulk data exfiltration through a single injected SQL query. By combining XMLAGG and XMLROW, attackers produce a single-shot data dump, drastically reducing the number of queries and interactions necessary. This efficiency not only speeds up the data exfiltration process but can also lower the risk of detection during an intrusion.

Practice

DB2 DIOS using XMLAGG and XMLROW

To perform a DB2 DIOS attack leveraging XMLAGG and XMLROW, follow these steps:

  1. Identify a SQL injection point within the target application. This will be the entry vector for your attack.

  2. Carefully craft the SQL injection payload using DB2's XML functions to aggregate the desired data. Here is a basic example of such a payload:

    SELECT XMLAGG(XMLROW(column1, column2, ...)) FROM target_table;

    Replace column1, column2, ... with actual column names from the vulnerable database table you aim to exfiltrate.

  3. Inject the payload into the identified SQL injection point. The execution of this query will aggregate and return the data in one comprehensive XML document.

  4. For instance, to extract usernames and passwords from a users table, your payload might look like:

    SELECT XMLAGG(XMLROW(username, password)) FROM users;

    Executing this payload will result in the exfiltration of all usernames and passwords, formatted into a single XML document.

  5. Capture the response, which contains the aggregated data, and parse it for analysis and further action.

Upon successful execution, this technique will yield a complete data dump structured in an XML format in the SQL query's response. This response can then be extracted and processed as required for further use or analysis.
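Because the technique depends on XMLAGG wrapping XMLROW, that construct appearing inside a request parameter is a strong signal to look for in web logs. The following Python example is an addition to this article, not code from the original; the log layout, client addresses and function names are constructed assumptions, and it inspects URL query parameters only.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# XMLAGG wrapping XMLROW: the aggregation pattern described on this page.
DIOS_PATTERN = re.compile(r"\bXMLAGG\s*\(\s*XMLROW\s*\(", re.IGNORECASE)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

def normalize(value, max_rounds=3):
    """Undo repeated URL-encoding and replace SQL block comments with a space."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return BLOCK_COMMENT.sub(" ", value)

def flagged_params(url):
    """Return the query parameter names whose value contains the pattern."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, value in pairs if DIOS_PATTERN.search(normalize(value))]

def scan(log_lines):
    """Return (client, path, params) for each flagged request.

    Assumed line layout (constructed for this example):
    client method url status response_bytes
    """
    alerts = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed layout
        client, _method, url, _status, _size = fields
        params = flagged_params(url)
        if params:
            alerts.append((client, urlsplit(url).path, params))
    return alerts

# Constructed sample log; the second entry carries this page's example query, URL-encoded.
SAMPLE_LOG = [
    "198.51.100.7 GET /products?id=42&sort=name 200 1834",
    "203.0.113.9 GET /products?id=SELECT%20XMLAGG(XMLROW(username,%20password))%20FROM%20users 200 88211",
    "198.51.100.7 GET /export?format=xml&rows=10 200 5120",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A match is a lead for triage rather than proof of compromise; pairing it with the response size recorded for the same request helps separate blocked attempts from responses that returned an aggregated document.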

Tools

  • DB2 Client
  • SQL Injection Proxy

These tools facilitate the connection to the DB2 database and the manipulation of SQL injection payloads required for carrying out a DB2 DIOS attack.
