DB2 Error Based
Context
This article focuses on exploiting IBM DB2 databases through error-based SQL injection techniques. The goal is to extract sensitive information by manipulating error messages generated by the database. This technique assumes familiarity with SQL error handling and database schema concepts, as it involves crafting SQL queries that deliberately trigger errors to reveal underlying database structure and data.
Theory
DB2 Error Handling Mechanisms
DB2 databases use SQLSTATE and SQLCODE for error reporting. These mechanisms provide standardized codes and messages whenever an error occurs within the database. Understanding these codes and messages is critical when leveraging error-based SQL injection, as they can inadvertently disclose sensitive information about the database.
When an error is triggered, useful information about the database's internal workings, such as table names or column types, can be gleaned from the error messages. By manipulating and observing these errors, attackers can learn more about the database and plan further exploitation.
DB2 Specific Error Codes
DB2 employs specific error codes and states that deliver detailed information about errors. Division by zero and an invalid type cast, for instance, are common error conditions that are easy to trigger.
- Division by Zero: This error occurs when a division operation's denominator is zero. It's an easily triggered error that helps test the database’s error handling responses.
- Invalid Cast: When a type mismatch occurs, such as casting a character to an integer, DB2 throws an invalid cast error. This is another vector for eliciting errors from the database.
Exploiting Error Messages
The essence of error-based SQL injection in DB2 is triggering informative errors intentionally. The attacker injects specific SQL payloads that prompt these errors, using the returned messages to bypass filters and extract data. Functions such as CAST and division operations are instrumental, as they induce errors whose messages reveal details. This exploitation takes advantage of poorly handled errors that expose valuable insights into the database's architecture.
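The two conditions the paragraph above relies on, statement text built from user input and raw database errors reaching the client, are shown here beside the controls that remove them. This is an added example and not code from the original article; the function names, the SYSCAT.COLUMNS query and the sample DB2 error text are assumptions, and the bound-parameter form uses the ? marker of the DB2 CLI style drivers.

```python
import logging
import re

# Added example, not from the original article. The vulnerable builder shows
# how an injected expression such as 1/0 becomes part of the SQL that DB2
# parses; the hardened builder and the error scrubber are the mitigations.

# DB2 CLI style messages typically read "SQL0801N  <text>  SQLSTATE=22012";
# the exact layout is an assumption for this example.
_SQLSTATE_RE = re.compile(r"SQLSTATE=(\w{5})")
_SQLCODE_RE = re.compile(r"\b(SQL\d{4,5}[NWC])\b")

_LOG = logging.getLogger(__name__)


def build_query_unsafe(tabname: str) -> str:
    """Vulnerable: the value is spliced into the statement text, so anything
    the caller supplies (quotes, operators, expressions) is parsed as SQL."""
    return "SELECT COLNAME FROM SYSCAT.COLUMNS WHERE TABNAME = '" + tabname + "'"


def build_query_safe(tabname: str):
    """Hardened: constant statement text plus a bound parameter. The value can
    never change the statement's structure or add an error-producing expression.
    Returns (sql, params) ready for a driver's prepared-statement call."""
    return ("SELECT COLNAME FROM SYSCAT.COLUMNS WHERE TABNAME = ?", (tabname,))


def scrub_db_error(raw_error: str, logger: logging.Logger = _LOG):
    """Hardened error handling: SQLCODE, SQLSTATE and message text stay in the
    server-side log; the client receives only an opaque message.
    Returns (client_message, log_record)."""
    sqlcode = _SQLCODE_RE.search(raw_error)
    sqlstate = _SQLSTATE_RE.search(raw_error)
    record = {
        "sqlcode": sqlcode.group(1) if sqlcode else None,
        "sqlstate": sqlstate.group(1) if sqlstate else None,
        "detail": raw_error,
    }
    logger.error("database error %s", record)
    return "The request could not be processed.", record


if __name__ == "__main__":
    probe = "T' AND 1/0=1 --"  # constructed input, same expression as the 1/0 probe above
    print(build_query_unsafe(probe))   # the expression is now part of the SQL
    print(build_query_safe(probe))     # the expression stays inert data
    # constructed error text in the DB2 CLI layout
    print(scrub_db_error("SQL0801N  Division by zero occurred.  SQLSTATE=22012")[0])
```

The scrubber keeps the code and state in the log record on purpose: a spike of SQLSTATE 22012 or 22018 records from one client is exactly the signal that someone is probing with the division and cast payloads described above, and it is far more useful in a log than in an HTTP response.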
DB2 Error-Based SQL Injection Techniques
Certain SQL functions and commands can be used to induce and exploit error messages in DB2. Techniques include:
- XML Functions: Utilizing functions like XMLAGG and XMLELEMENT allows attackers to aggregate and format database metadata into XML, which can be extracted through error messages.
- RAISE_ERROR Function: This function generates custom error messages. By carefully crafting these errors, attackers can control the error output to contain useful information.
Practice
DB2 Error-Based SQL Injection
To apply DB2 error-based SQL injection techniques, follow the steps outlined below. These steps assume you have access to execute SQL queries on a DB2 database.
- Division by Zero Error: Inject the following SQL command to trigger a division by zero error:
SELECT 1/0 FROM SYSIBM.SYSDUMMY1;
This query forces the database to evaluate an impossible division, resulting in an informative error message.
- Invalid Cast Error: Execute this SQL command to induce an invalid cast error:
SELECT CAST('a' AS INT) FROM SYSIBM.SYSDUMMY1;
By attempting to cast a character ('a') into an integer, you trigger a type mismatch, revealing useful error details.
- Exploiting XML Functions: Use the following command to extract table names using XML functions:
SELECT XMLAGG(XMLELEMENT(NAME E, TABNAME)) FROM SYSIBM.SYSTABLES;
This query constructs XML data from table names, which can then be leaked through error messages.
- Custom Error Generation: Trigger a custom error with this command:
SELECT RAISE_ERROR('70001', 'Custom error message') FROM SYSIBM.SYSDUMMY1;
Custom error messages can be leveraged to test and refine error-based information extraction techniques.
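The four probes listed above have distinctive shapes that are easy to pick out of a web server access log. The following detection example is added here and is not part of the original article; the log format, the sample requests and the signature names are constructed for the example, and it generalizes the four payloads slightly (INT or INTEGER in the cast, any argument to RAISE_ERROR).

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original article: signatures for the four
# error-based probes described above, run over constructed access-log lines.

# Signature names and patterns are assumptions; each targets one probe shape.
PROBE_SIGNATURES = {
    "db2_division_by_zero": re.compile(r"\b1\s*/\s*0\b"),
    "db2_invalid_cast": re.compile(
        r"\bCAST\s*\(\s*'[^']*'\s+AS\s+INT(EGER)?\s*\)", re.I),
    "db2_xml_metadata": re.compile(
        r"\bXMLAGG\s*\(\s*XMLELEMENT\b.*\bSYSIBM\.SYSTABLES\b", re.I | re.S),
    "db2_raise_error": re.compile(r"\bRAISE_ERROR\s*\(", re.I),
}

# Combined-log style request line: "GET /path HTTP/1.1" 500 (assumed format)
_LOG_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})')


def classify_request(uri: str) -> list:
    """Return the names of the probe signatures found in a request URI.
    The URI is percent-decoded first so encoded spaces and quotes do not
    hide the payload from the patterns."""
    decoded = unquote_plus(uri)
    return [name for name, rx in PROBE_SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (line_number, http_status, matched_signatures) for every
    request that matches at least one probe signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _LOG_RE.search(line)
        if not m:
            continue
        uri, status = m.group(1), int(m.group(2))
        found = classify_request(uri)
        if found:
            hits.append((n, status, found))
    return hits


# Constructed sample log: one benign request followed by the four probes,
# URL-encoded the way a browser or proxy would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /report?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /report?id=1%20AND%201/0=1 HTTP/1.1" 500 231',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /report?id=CAST(%27a%27%20AS%20INT) HTTP/1.1" 500 240',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /report?id=(SELECT%20XMLAGG(XMLELEMENT(NAME%20E,TABNAME))%20FROM%20SYSIBM.SYSTABLES) HTTP/1.1" 500 4096',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /report?id=RAISE_ERROR(%2770001%27,%27x%27) HTTP/1.1" 500 200',
]

if __name__ == "__main__":
    for line_no, status, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: HTTP {status} {', '.join(names)}")
```

The 5xx status paired with a match is the useful correlation: a division or cast probe that succeeds in reaching DB2 typically produces a server error, so matches on 200 responses are worth a second look (possibly blocked or inert) while matches on 500s indicate the expression was executed. The division pattern is the loosest of the four and will also match a literal path segment such as `/1/0/`, so it belongs in a scoring rule rather than a hard block.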
Tools
- DB2 Client
- SQLMap
These tools facilitate the execution of SQL queries and automate the SQL injection process, greatly aiding in information extraction from DB2 databases through error-based techniques.