Before getting into this article, a clarification: SQL injection is an attack technique that uses SQL statements to manipulate a relational database by abusing a flaw in the web script that builds the query. Many people talk about ASP injection, PHP injection and so on when they mean SQL injection; strictly speaking this is wrong. What SQL injection exploits is not the scripting language but the database behind it, so the correct names are Access injection, MSSQL injection, MySQL injection and so on.

The relational databases most people are familiar with are Access, MSSQL and MySQL, and injection against these three has been covered thoroughly. Articles on DB2 injection, however, are rare in China, hence this article. The target this time is a hospital's JSP website, and I hope everyone can learn something new from it.

Second, using the tools

The first step in any SQL injection is to find the injection point. We use the classic “and 1=1” and “and 1=2” test: if the two pages returned differ, the parameter is injectable.

The second step is to determine the type of the backend database. Because the site runs JSP, we first guess Oracle and submit “and (select count(*) from dual) <> 0”. This produces an error, so it is not Oracle (dual is an Oracle system table). The page also does not accept /* comments, which rules out MySQL. Submitting “and exists (select * from sysobjects)” also errors, so it is not MSSQL either. That leaves DB2 or Sybase as likely candidates; submitting “and (select count(versionnumber) from sysibm.sysversions) <> 0” returns the normal page, which confirms DB2 (sysibm.sysversions is a DB2 system table).

Pangolin supports DB2, so let's use it to check first; manual injection is covered later. When choosing the database type here, select DB2 and Integer: the first speeds things up and the second keeps the program from misidentifying the database.

We see that the usernames and passwords in the TB_USER table are not encrypted. The next step is to find the admin backend. For this we also use Pangolin's own login-page scanner, Administrator Page Discover (under Tools): fill in the site's domain name and the jsp extension under “URL to begin”, then click the “Start” button.

The site's backend directory is “/administrator/”; logging in with the account and password just dumped succeeds. JSP programs generally do not filter uploads, so once inside, click “Add Picture” to upload the JSP Trojan directly.

Note the directory information “/home/yt/”: the server is obviously Linux. Our commonly used JSP Trojan JFolder does not support Linux (it can only list directories), while the Chinese modified version by “pig head three” can operate on Linux directories and files. I am not familiar with Linux systems; I only know the general steps for privilege escalation: check the kernel version, find an overflow vulnerability for that version, compile and run it in the webshell, listen on your own machine for the connection, and add a rootkit. I will not go further into privilege escalation here. This article is mainly about DB2 injection; with the tool run finished, I will now introduce manual injection.

Third, manual injection

1. View the version: select versionnumber, version_timestamp from sysibm.sysversions;

2. Current user: select user from sysibm.sysdummy1;

3. List the schemas (databases): select schemaname from syscat.schemata;

4. List the tables: select name from sysibm.systables;

5. List the columns of a table: select colname from syscat.columns where tabname = 'table_name';

Here I also provide an injection reference file that covers statements for nearly all mainstream relational databases (including Sybase, Informix, etc.).
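A defender-side counterpart to the fingerprinting probes in the tools section and the catalog queries listed above, added here as an example and not part of the original article: a Python scanner that URL-decodes request lines from a constructed web-server access log (combined log format is assumed) and flags boolean probes and references to the Oracle, MSSQL and DB2 catalog objects named on this page.

```python
import re
from urllib.parse import unquote_plus

# Catalog objects each fingerprinting probe touches, mapped to the database
# family whose presence a successful probe reveals.
CATALOG_HINTS = {
    "oracle": ("from dual",),
    "mssql": ("sysobjects",),
    "db2": ("sysibm.sysversions", "sysibm.sysdummy1", "syscat.schemata",
            "sysibm.systables", "syscat.columns"),
}

# Probe shapes: "and 1=1"/"and 1=2", "and exists (", "and (select ...) <> 0".
BOOLEAN_PROBE = re.compile(
    r"\band\s+(?:\d+\s*=\s*\d+|exists\s*\(|\(\s*select\b.*?\)\s*(?:<>|!=|=)\s*\d+)", re.I)

def classify_request(raw_url: str) -> dict:
    """Decode one request URL; report the probe text and any catalog fingerprint."""
    decoded = unquote_plus(raw_url).lower()   # "+" and %xx both become plain text
    families = sorted(
        fam for fam, objs in CATALOG_HINTS.items()
        if any(re.search(r"\b%s\b" % re.escape(o), decoded) for o in objs))
    m = BOOLEAN_PROBE.search(decoded)
    return {"boolean_probe": m.group(0) if m else None,
            "fingerprint": families, "suspicious": bool(m or families)}

def scan_access_log(lines):
    """Return (line_no, fingerprint, probe) for every suspicious request line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split('"')            # request is the first quoted field
        if len(fields) < 2:
            continue
        request = fields[1].split(" ")      # "GET /path?query HTTP/1.1"
        url = request[1] if len(request) > 1 else request[0]
        r = classify_request(url)
        if r["suspicious"]:
            hits.append((n, r["fingerprint"], r["boolean_probe"]))
    return hits

# Constructed sample lines (combined log format); not taken from the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /news.jsp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /news.jsp?id=12%20and%201=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /news.jsp?id=12%20and%201=2 HTTP/1.1" 200 311',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /news.jsp?id=12+and+(select+count(*)+from+dual)<>0 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /news.jsp?id=12+and+exists+(select+*+from+sysobjects) HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2020:10:00:05 +0000] "GET /news.jsp?id=12+and+(select+count(versionnumber)+from+sysibm.sysversions)<>0 HTTP/1.1" 200 5120',
]
```

Run over a real log, the sequence of hits from one client (generic probes, then an error on the Oracle and MSSQL catalog probes, then a 200 on the DB2 one) reproduces the fingerprinting walk described above and is worth alerting on as a whole rather than per line.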

Fourth, summary

The idea of this article is fairly simple: inject, find the backend, upload a webshell. The focus, though, is that the injected database is DB2, which is rarely covered online, so this is written as a template for everyone to learn from.