Penetration Testing mailing list archives

SQL Injection with DB2 and ASP

From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Fri, 07 Jan 2005 15:38:07 +0100

Hi list !

I'm wondering if someone have experiences to share about SQL Injectionspecificaly with DB2 and ASP.


the sql flaws found  :
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[IBM][CLI Driver][DB2/NT]

I've already test common Sql tricks, like "having or group by" toobtains infos.The problem here is that the underneath SQL command is a SELECT whichreturns a blob field ( a binary file).

So, my question is : is there specific DB2 commands (like xpcmdshellwith MSSQL) to perform stuffs like that : script.asp?p=3';db2.specific.cmd ; .....


Thanks in advance.
--
_______________________________________
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com

Current thread:

SQL injection from within a table - is it possible? Peter Bair (Jan 06)
- RE: SQL injection from within a table - is it possible? Eyal Udassin (Jan 07)
- Re: SQL injection from within a table - is it possible? Kevin Conaway (Jan 07)
- SQL Injection with DB2 and ASP Frederic Charpentier (Jan 07)
- <Possible follow-ups>
- RE: SQL injection from within a table - is it possible? Kelley, Brian (Jan 07)
- RE: SQL injection from within a table - is it possible? Burnett, Robert (Jan 07)
- RE: SQL injection from within a table - is it possible? Scovetta, Michael V (Jan 07)
- RE: SQL injection from within a table - is it possible? Ofer Shezaf (Jan 07)