It’s not uncommon for a penetration tester to identify a SQL injection (SQLi) vulnerability while assessing a website.
Unfortunately, many of these vulnerabilities exist in custom-coded applications that are unique to each organization.
While some tools exist, this variety has always made SQLi very difficult to exploit in an automated fashion; most of these tools are particularly effective against only a few select Database Management Systems (DBMSes). The SQLMap tool, however, is capable of exploiting a variety of DBMSes.
Recently while performing an assessment, SecureState identified SQLi in an application that was using IBM’s DB2 DBMS. While reviewing the methodologies used after the assessment, we identified improvements that could be made to the SQLMap tool that was used.
As part of our ongoing effort to contribute to the open source community, SecureState’s Research and Innovation team developed and released the first of what will be a series of patches to improve SQLMap’s support for the DB2 DBMS platform.
This first patch included two improvements, one of which is not DB2-specific. During the assessment, the injection type identified was Boolean-based blind injection.
While testing this injection, we identified the potential for tools like SQLMap to miss a valid injection point when the vulnerable parameter sits within a LIKE statement that uses wildcard characters.
For example, consider the following query:
```sql
SELECT * FROM users WHERE name LIKE '%Spencer%'
```
Given that there is a username of "Spencer McIntyre", the above statement would evaluate to true. This changes, however, when a value ending in a trailing comment is inserted: the comment swallows the closing `%'`, so the pattern loses its last wildcard and the statement always evaluates to false.
Without both a true and a false test case, SQLMap can't identify a Boolean-based blind injection point. To address this, SecureState released a couple of boundaries that include wildcard characters, so that statements in this situation can still evaluate to true.
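As an added illustration (not code from the original post or from SQLMap), the following Python uses SQLite in place of DB2 (both treat `--` as a line comment) to show why the trailing wildcard disappears when a value ending in a comment is concatenated into the query, and why binding the whole pattern as a parameter keeps the closing `%` intact. The table contents and the `Spencer' --` value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows (not from the original post).
USERS = [("Spencer McIntyre",), ("Pat O'Brien",), ("Alice Example",)]


def make_db():
    """Build an in-memory SQLite database standing in for the DB2 back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", USERS)
    return conn


def build_unsafe_sql(term):
    """The concatenation pattern from the post: user input lands inside the LIKE literal."""
    return "SELECT name FROM users WHERE name LIKE '%" + term + "%'"


def search_unsafe(conn, term):
    """Run the concatenated query. Returns matching names, or None if the
    statement no longer parses (the input broke the SQL itself)."""
    try:
        return [row[0] for row in conn.execute(build_unsafe_sql(term))]
    except sqlite3.Error:
        return None


def search_safe(conn, term):
    """Bind the complete pattern as a parameter: '%' + term + '%' is data,
    so a comment marker inside term is just characters to match, and the
    closing wildcard is always part of the pattern."""
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # Honest input: both variants find Spencer.
    print(search_unsafe(conn, "Spencer"), search_safe(conn, "Spencer"))
    # Value ending in a comment: the generated SQL is
    #   ... LIKE '%Spencer' --%'
    # so the pattern becomes '%Spencer' with no trailing wildcard and
    # the row is no longer matched, exactly the "always false" case above.
    print(build_unsafe_sql("Spencer' --"))
    print(search_unsafe(conn, "Spencer' --"), search_safe(conn, "Spencer' --"))
    # A legitimate apostrophe breaks the concatenated query outright,
    # while the bound version matches the stored name.
    print(search_unsafe(conn, "O'Brien"), search_safe(conn, "O'Brien"))
```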
The second improvement to SQLMap is DB2-specific and adds support for identifying the back-end operating system and service pack (when the OS is Windows). This support can be used with the `--os-pwn` option.
Although exploitation is not yet supported, the OS will be fingerprinted and displayed to the user.