Hi, I'm currently testing a Websphere/DB2 Web Application of one of our
clients.
I've found that it is vulnerable to SQL Injection.
I 've also discovered that there is a table named SYSTABLES with a NAME
column in it.
Using the "GROUP by 1--" trick I've discovered two columns in the table over
which the query is being executed.
After doing "GROUP by A, B--", I get no more errors, so I asume that only
these two columns are taking part on the query..(is that ok?)
Column A is probaby CLOB or VARCHAR and B probably and INTEGER. (any whay to
confirm this?)
I can say this because I've tried this query: ' AND A=CLOB('A')--
and it returns no error
when this one: ' AND A=BIGINT(132123)--
returns error on type comparison
So then I proceeded to do a: ' UNION ALL SELECT 1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0415] Operandos UNION no
compatibles."
I suppose that the column types are different.
Anyway, I submit this query: ' UNION ALL SELECT 1,1 FROM SYSTABLES--
Then I get "Error 500: java.sql.SQLException: [SQL0421] Número de operandos
UNION no igual."
Meaning that the number of columns are not equal...
Here are my questions:
1). Is there any way to get the "original" table name (the one where the
original query executes)?
2). I've done a script that checks for different column numbers and it have
already tested with about 200 columns, and it keep saying that number of
operands is not equal. What could be happening?
Any ideas would be greatly appreciated!!
Thanks, Andy
_________________________________________________________________
Un amor, una aventura, compañía para un viaje. Regístrate gratis en MSN Amor
& Amistad. http://match.msn.es/match/mt.cfm?pg=channel&tcid=162349
