OWASP Juice Shop:
SELECT * FROM Users WHERE email = '' AND password = '' AND deletedAt IS NULL
Payload:
' OR 1=1;--
OWASP Mutillidae II:
SELECT * FROM accounts WHERE username='' AND password=''
Payload:
' OR 1=1 --
I really don't understand. There is not much of a difference in commands, but the Juice Shop payload won't work in Mutillidae. It works vice versa.
Furthermore, in Mutillidae we have to enter the payload in both the username and password fields (same payload); however, in Juice Shop entering a random thing in the password field works.
Someone please explain WHY?
Please I really need to understand this concept before moving on.
I posted this as a comment but it was the answer, so posting below.
It is possible that you need a space at the end. I've read that some database comments require a whitespace after the comment indicators, whereas some others don't, e.g. ' OR 1=1;-- may not work on all, but ' OR 1=1;-- (with a trailing space) should work. I'd usually put a whitespace before the -- as well, but it probably isn't necessary.
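To see why one field is enough in Juice Shop and why comment syntax matters, here is an added example (not code from either application) that runs the question's Juice Shop query against a constructed SQLite table; it assumes a Users table with id, email, password and deletedAt columns. SQLite, like PostgreSQL, accepts -- with no trailing space, whereas MySQL (which Mutillidae uses) requires whitespace after --.

```python
import sqlite3

def make_users_db():
    """Constructed in-memory stand-in for the Users table in the Juice Shop query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT, deletedAt TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin@example.test", "pw-admin", None),
        (2, "jim@example.test", "pw-jim", None),
        (3, "gone@example.test", "pw-gone", "2020-01-01"),   # soft-deleted row
    ])
    return conn

def login_concatenated(conn, email, password):
    """The bug behind both apps' queries: user input is pasted into the SQL text,
    so a quote closes the string literal and a comment marker discards the rest
    of the WHERE clause (including the password check, hence "random thing")."""
    sql = ("SELECT id, email FROM Users WHERE email = '" + email +
           "' AND password = '" + password + "' AND deletedAt IS NULL")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, email, password):
    """The fix: placeholders. The driver binds the values separately, so quotes,
    semicolons and -- inside them are compared as data, never parsed as SQL."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return conn.execute(sql, (email, password)).fetchall()

if __name__ == "__main__":
    conn = make_users_db()
    payload = "' OR 1=1;--"          # the Juice Shop payload from the question
    print(login_concatenated(conn, payload, "anything"))   # every row, even the deleted one
    print(login_parameterized(conn, payload, "anything"))  # []
```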
Related
I have a PostgreSQL RPC that aims to select filtered rows of a view.
This RPC requires some parameters (name_article, catg_article, color_article, etc).
Most of these parameters are int[]/bigint[] because I want the user to be able to request "all blue articles or all red articles, etc.", but I want the user to be able to post empty parameters as well, and have the request consider that they don't care about which color or category, so it will return all possibilities.
The problem is that, from what I saw in many topics on the Internet, ANY () or IN () can't be empty, which I'd like to allow; otherwise my filter system would have to manage all possibilities and I really don't want to cry.
This is what I've read on the Internet to try (param is null or in()/any()), but it doesn't work, not returning any article (the first WHERE is fine; also don't pay attention to the cast, it's just that catg_and_type is json so I have to say id_catgarticle from this json is a bigint, so it works fine):
SELECT *
FROM dev.get_all_articles
WHERE get_all_articles.lib_article ILIKE '%' || $1 || '%'
AND ($2 is null or CAST(get_all_articles.catg_et_type->>'id_catgarticle' AS BIGINT) = any ($2));
Do you have any idea how I could allow empty arrays that will be processed with IN/ANY commands?
Thanks a lot.
Problem solved, as mentioned in my reply to #LaurenceIsla's answer to the topic.
When having to send an array parameter into a PostgREST API endpoint, the syntax is like this: /rpc/endpoint?param={1,2,3}. So in order to make the request understand an empty param in the URL (endpoint?param={}), I had to say this in the WHERE clause: OR $2 = '{}'. That's all. Kind of tricky syntax when you don't know it.
I've come across a very unusual problem (for me at least) and I have no idea how to solve it.
Essentially I made a really simple selection query to search our clients in a table (dbo_t_Person) and return their records. I needed them to be searchable even if we only have an email address, or phone number for some clients on hand. Therefore I wrote the criteria to either ignore a field if no data was entered, or to search similar (via 'Like') if only partial details were entered into any given field. See the SQL below, apologies for how repetitive it is.
This is all well and good, it works perfectly and is fast enough for our uses.
However.
I can run the query as many times as I wish with new data entered and it works fine, but if I close the query and reopen it, the SQL goes haywire and it runs out of memory and crashes Access; this happens just opening the SQL as well as running it. By haywire I mean that if I manage to luck out and reopen the SQL, lines of SQL are suddenly copied endlessly on the page.
This happens every time I rewrite the SQL from scratch. How the hell do I stop this happening?
Here is the working clean code:
SELECT dbo_t_Person.PersonID
,dbo_t_Person.FullName
,dbo_t_Person.Address1
,dbo_t_Person.Address2
,dbo_t_Person.City
,dbo_t_Person.Zip
,dbo_t_Person.STATE
,dbo_t_Person.Country
,dbo_t_Person.Mobile
,dbo_t_Person.Phone
,dbo_t_Person.Email
FROM dbo_t_Person
WHERE (
(
(dbo_t_Person.PersonID) = [Forms]![from MICHAEL TEST WORKING]![OwnerIDEntry]
OR [Forms]![from MICHAEL TEST WORKING]![OwnerIDEntry] IS NULL
)
AND (
(dbo_t_Person.FullName) LIKE "*" & [Forms]![from MICHAEL TEST WORKING]![NameEntry] & "*"
OR [Forms]![from MICHAEL TEST WORKING]![NameEntry] IS NULL
)
)
And so on for the remaining entry fields
However, if I can get the SQL back open again, it appears thousands of lines of
Or [Forms]![from MICHAEL TEST WORKING]![NameEntry] Is Null
for all entry fields is endlessly repeated.
Something is making the code copy end on end, how do I stop it?
Consider an adjusted WHERE clause with NZ() to handle whether controls are empty or not.
WHERE dbo_t_Person.PersonID = NZ([Forms]![from MICHAEL TEST WORKING]![OwnerIDEntry],
dbo_t_Person.PersonID)
AND dbo_t_Person.FullName LIKE "*" & NZ([Forms]![from MICHAEL TEST WORKING]![NameEntry],
dbo_t_Person.FullName) & "*"
Try changing your criteria to be more efficient and clean, like this:
IIF(ISNULL([Forms]![from MICHAEL TEST WORKING]![OwnerIDEntry]),TRUE,PersonID=[Forms]![from MICHAEL TEST WORKING]![OwnerIDEntry])
Since you are only dealing with a single table you can also do away with dbo_t_Person. from everywhere, like this:
SELECT PersonID,FullName,Address1,Address2,City,Zip,STATE,Country,Mobile,Phone,Email
FROM dbo_t_Person
Maybe the simplified version of the SQL will stop Access from corrupting it.
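Both the PostgREST question above and this Access one are the same pattern: a filter that must be skipped when its parameter is empty. As an added example (not from either poster), here it is in Python with sqlite3 over a constructed Person table; the empty-list case is handled by emitting no IN clause at all, and every value travels through a placeholder rather than the SQL text.

```python
import sqlite3

def make_person_db():
    """Constructed stand-in for the questions' tables: people with a name and a category id."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (PersonID INTEGER, FullName TEXT, Category INTEGER)")
    conn.executemany("INSERT INTO Person VALUES (?, ?, ?)", [
        (1, "Ann Lee", 10), (2, "Bob Lee", 20), (3, "Cara Moss", 20),
    ])
    return conn

def search_person(conn, person_id=None, name=None, categories=()):
    """Every filter is optional: None (or an empty category list) means "don't care".
    The SQL text is built only from constants and a counted run of placeholders;
    the inputs themselves are bound by the driver, never concatenated."""
    where = [
        "(? IS NULL OR PersonID = ?)",                      # the Access "IS NULL OR =" pattern
        "(? IS NULL OR FullName LIKE '%' || ? || '%')",    # partial match, like "*" & x & "*"
    ]
    params = [person_id, person_id, name, name]
    if categories:   # an empty list never becomes IN (), which is a syntax error
        where.append("Category IN (%s)" % ", ".join("?" * len(categories)))
        params.extend(categories)
    sql = ("SELECT PersonID, FullName FROM Person WHERE " + " AND ".join(where)
           + " ORDER BY PersonID")
    return conn.execute(sql, params).fetchall()
```

Note that % and _ inside name still act as LIKE wildcards; escape them (or use an ESCAPE clause) if a literal match is required.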
I've been trying to extract any URL present within my 'Text' column in BigQuery. The column contains a mixture of text and URLs dotted throughout (a cell might contain more than one URL). I'm trying to use this regexp:
SELECT
REGEXP_EXTRACT (Text, r'(http(s)?:\/\/.)?(www\.)?[-a-zA-Z0-9:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9%_:?\+.~#&//=]*')
FROM
Data.Text_Files
I currently get 'failed to parse regular expression' when I try to run the query. I've tried modifying it, but to no avail.
The regexp works in an online builder, but I'm just not sure how to incorporate it into BigQuery.
Any help would be much appreciated - or at least pointers on how to incorporate regular expressions into BigQuery!
Try below - it is for BigQuery Standard SQL (see Enabling Standard SQL and Migrating from legacy SQL)
WITH YourTable AS (
SELECT 1 AS id, 'What have you tried so far? Please edit your question to show a [Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve) of the code that you are having problems with, then we can try to help with the specific problem. You can also read [How to Ask](http://stackoverflow.com/help/how-to-ask). ' AS Text UNION ALL
SELECT 2 AS id, 'Important on SO, you can mark accepted answer by using the tick on the left of the posted answer, below the voting. see http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work#5235 for why it is important. There are more ... You can check about what to do when someone answers your question - http://stackoverflow.com/help/someone-answers.' AS Text UNION ALL
SELECT 3 AS id, 'If an answer has helped you solve your problem and you accept it you should also consider voting it up. See more at http://stackoverflow.com/help/someone-answers and Upvote section in http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work#5235' AS Text
)
SELECT
id,
REGEXP_EXTRACT_ALL(Text, r'(?i:(?:(?:(?:ftp|https?):\/\/)(?:www\.)?|www\.)(?:[\da-z-_\.]+)(?:[a-z\.]{2,7})(?:[\/\w\.-_\?\&]*)*\/?)') AS URL
FROM YourTable
This gives you output with the id field and a repeated field with all respective URLs.
If you need flattened result - you can use below variation
WITH YourTable AS (
SELECT 1 AS id, 'What have you tried so far? Please edit your question to show a [Minimal, Complete, and Verifiable example](http://stackoverflow.com/help/mcve) of the code that you are having problems with, then we can try to help with the specific problem. You can also read [How to Ask](http://stackoverflow.com/help/how-to-ask). ' AS Text UNION ALL
SELECT 2 AS id, 'Important on SO, you can mark accepted answer by using the tick on the left of the posted answer, below the voting. see http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work#5235 for why it is important. There are more ... You can check about what to do when someone answers your question - http://stackoverflow.com/help/someone-answers.' AS Text UNION ALL
SELECT 3 AS id, 'If an answer has helped you solve your problem and you accept it you should also consider voting it up. See more at http://stackoverflow.com/help/someone-answers and Upvote section in http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work#5235' AS Text
)
SELECT
id, URL
FROM (
SELECT id, REGEXP_EXTRACT_ALL(Text, r'(?i:(?:(?:(?:ftp|https?):\/\/)(?:www\.)?|www\.)(?:[\da-z-_\.]+)(?:[a-z\.]{2,7})(?:[\/\w\.-_\?\&]*)*\/?)') AS URL
FROM YourTable
), UNNEST(URL) as URL
Note: you can use any regexp here that you are able to find on the web, but one thing is a must: only one matching group is allowed! So all inner matching groups should be escaped with ?:, as you can see in the above examples. The ONLY group that you expect to see in the output should be left as is, without ?:.
Your regex has an incomplete capturing group and has 2 unescaped characters. I don't know which online regex builder you're using, but maybe you forgot to put your new regex into it?
The problems are as follows:
(http(s)?:\/\/.)?(www\.)?[-a-zA-Z0-9:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9%_:?\+.~#&//=]*
POINTERS TO PROBLEMS ON THIS LINE --->                             ^1                    ^^2
1. This is the start of a capturing group with no end. You probably want the ) right before the *.
2. All slashes need to be escaped. This should probably be \/ or maybe even \/\\.
Here is an example with both of my suggestions implemented: https://regex101.com/r/pt1hqS/1
Good luck fixing it!
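An added example (not from either answer) showing the same two points in Python's re module over a constructed sample text: the question's pattern does not compile, and once the parenthesis is added, findall returns tuples of groups until the groups are made non-capturing, which is the one-group rule the BigQuery answer describes.

```python
import re

# The regex from the question, verbatim: the final "(" is never closed.
ORIGINAL = r'(http(s)?:\/\/.)?(www\.)?[-a-zA-Z0-9:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9%_:?\+.~#&//=]*'
# Same pattern with the ")" added before the final "*", as the answer suggests.
FIXED_CAPTURING = ORIGINAL + ')'
# Same again with every group made non-capturing (?:...), so the whole URL is the result.
FIXED_NONCAPTURING = (r'(?:http(?:s)?:\/\/.)?(?:www\.)?[-a-zA-Z0-9:%._\+~#=]{2,256}'
                      r'\.[a-z]{2,6}\b(?:[-a-zA-Z0-9%_:?\+.~#&//=]*)')

def compiles(pattern):
    """True if the pattern parses; the original fails with 'missing )'."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def extract_urls(text, pattern):
    """findall returns the whole match only when the pattern has no capturing
    groups; with capturing groups it returns one tuple of group values per match,
    the same trap REGEXP_EXTRACT_ALL has with more than one group."""
    return re.findall(pattern, text)

# Constructed sample cell with two URLs in running text.
SAMPLE = "See https://example.com/help/mcve and www.example.org/faq for details."

if __name__ == "__main__":
    print(compiles(ORIGINAL))                          # False
    print(extract_urls(SAMPLE, FIXED_NONCAPTURING))    # the two URLs
    print(extract_urls(SAMPLE, FIXED_CAPTURING))       # tuples of group fragments
```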
I am not understanding the SQL syntax problems I'm getting while launching an injection attack, so any help explaining them is much appreciated. I have a target PHP login script that takes a username/password combo and then very simply runs:
Select * FROM users WHERE username='$username' AND password='$password'
When I supply the basic
$username = ' OR '1=1
$password = ' OR '1=1
the system logs me in as admin because it evaluates to
Select * FROM users WHERE username='' OR '1=1' AND password='' OR '1=1'
and gets a match for the first user entry in the database (admin). Now I'm trying to get the script to log me in as an arbitrary user named adrian. My thought was to supply
$username = adrian
$password = ' OR (1=1 AND username='adrian') --
which I thought would evaluate to
Select * FROM users WHERE username='adrian' AND password='' OR (1=1 AND username='adrian') -- '
I thought the boolean order of operations was left to right when no parentheses are included:
Select * FROM users WHERE [[[username='adrian'] AND password=''] OR (1=1 AND username='adrian')] -- '
but this is not logging me in as anyone (and giving me no errors). Even if AND's are evaluated last, this statement would evaluate to
Select * FROM users WHERE [username='adrian'] AND [password='' OR (1=1 AND username='adrian')]
Which would still be true for the user adrian. Meanwhile
$username = adrian
$password = 'or(1=1 and username='adrian') --
is logging me in as adrian properly, which evaluates to
Select * FROM users WHERE username='adrian' AND password=''or(1=1 AND username='adrian') -- '
So why does my approach with "OR" not work while my approach with 'or' does work?
SOLVED: Thank you for the guidance. I understand SQL better now, but my real problem was that autofill was removing spaces after the "--". I must've messed up the first time and then foolishly relied on autofill from then on out.
The order of operations is not only left to right. In fact, left to right (or positional precedence) is the very last thing considered when evaluating an expression like this. You have to understand operator precedence as well, as this is the most important aspect in determining the behavior of such a statement. In this case AND has higher precedence than OR.
That means your statement would behave as follows:
Select * FROM users WHERE (username='adrian' AND password='') OR (1=1 AND username='adrian')
So, you would get a row returned as long as there was a user named adrian.
Check out the MySQL documentation on operator precedence - https://dev.mysql.com/doc/refman/5.6/en/operator-precedence.html
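An added example (not from the thread) that lets a database engine settle the precedence question, using Python's sqlite3 and a constructed users table: AND binds tighter than OR, and for this particular clause every bracketing discussed above selects adrian, which fits the poster's SOLVED note that the real fault was elsewhere.

```python
import sqlite3

def make_users_db():
    """Constructed stand-in for the users table in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "pw-admin"), (2, "adrian", "pw-adrian")])
    return conn

def truth(conn, expr):
    """Let the engine evaluate a boolean expression: 1 is true, 0 is false."""
    return conn.execute("SELECT " + expr).fetchone()[0]

def usernames_matching(conn, where_clause):
    """Usernames the login query returns for a given WHERE clause. The clause here
    is a constant from this demo, not user input; building it from user input is
    exactly what the PHP script in the question gets wrong."""
    rows = conn.execute("SELECT username FROM users WHERE " + where_clause)
    return [r[0] for r in rows]

# The WHERE clause the poster's payload produces once the "-- '" tail is commented
# out, followed by the two bracketings discussed in the thread.
AS_WRITTEN = "username='adrian' AND password='' OR (1=1 AND username='adrian')"
AND_FIRST  = "(username='adrian' AND password='') OR (1=1 AND username='adrian')"
OR_FIRST   = "username='adrian' AND (password='' OR (1=1 AND username='adrian'))"

if __name__ == "__main__":
    conn = make_users_db()
    print(truth(conn, "1 OR 0 AND 0"), truth(conn, "(1 OR 0) AND 0"))   # 1 0: AND binds first
    for clause in (AS_WRITTEN, AND_FIRST, OR_FIRST):
        print(usernames_matching(conn, clause))                          # ['adrian'] each time
```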
I am trying to insert 2 scores into MySQL for two photos for a particular user that already exists in the database. The scores and the photos are both POST variables from a form. I am having great difficulty with the syntax. I am fairly certain the error is related to the position of quotes, but despite searching here and finding similar questions I can't seem to get it working. Loath to bother people with this, but I need some executive assistance.
$imageT=$_POST[randomimage]."T" ;
$imageH=$_POST[randomimage]."H" ;
$observerid=$_POST[scoreid];
$traction=$_POST[gradeT];
$honeycomb=$_POST[gradeH];
$sql="INSERT INTO scorers ('$imageT', '$imageH')
VALUES ('$imageT', '$imageH') WHERE id=$observerid ";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
} else {
header("Location: testform.php");
}
$imageT and $imageH are both integers with either T or H appended to them, for example 12T or 14H, therefore I assumed they would be treated as strings and I put quotes around them. $traction, $honeycomb and $observerid are all integers. When I echo $imageT, $imageH, $traction, $honeycomb and $observerid the correct values are shown, so I am assuming that there is no error in these, just the way I am placing them within the SQL code.
Very much appreciate any help (I've been learning PHP and MySQL for only 4 weeks, so apologies).
At least three main problems at a glance:
You aren't using prepared statements
You are using a WHERE clause in an INSERT statement, which is useless and erroneous. Either remove the WHERE part or change your query to UPDATE.
You didn't post the error with your question, which you always have to. Error messages are a cornerstone of troubleshooting.
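An added example (not the poster's code) of the fix this answer describes, in Python with sqlite3 and a constructed scorers table laid out as the question implies (one column per photo/grade such as 12T and 12H): the values go through placeholders in an UPDATE, and the column names, which come from the form and therefore cannot be placeholders, are checked against the table's real columns before they are quoted into the statement.

```python
import sqlite3

def make_scorers_db():
    """Constructed stand-in for the poster's scorers table: one row per observer,
    one column per photo/grade pair. Observer 7 exists with no scores yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE scorers (id INTEGER PRIMARY KEY, '
                 '"12T" INTEGER, "12H" INTEGER, "14T" INTEGER, "14H" INTEGER)')
    conn.execute("INSERT INTO scorers (id) VALUES (7)")
    conn.commit()
    return conn

def scorer_columns(conn):
    """The real column names, read from the schema; this is the allow-list."""
    return {row[1] for row in conn.execute("PRAGMA table_info(scorers)")}

def record_scores(conn, observer_id, image, traction, honeycomb):
    """UPDATE the existing observer's row (the page's INSERT ... WHERE is not valid SQL).
    Identifiers cannot be bound with ?, so the two derived column names are accepted
    only if they exist in the table; the three values are bound as parameters."""
    col_t, col_h = f"{image}T", f"{image}H"
    allowed = scorer_columns(conn)
    if col_t not in allowed or col_h not in allowed:
        raise ValueError(f"no score columns for image {image!r}")
    sql = f'UPDATE scorers SET "{col_t}" = ?, "{col_h}" = ? WHERE id = ?'
    cur = conn.execute(sql, (traction, honeycomb, observer_id))
    conn.commit()
    return cur.rowcount   # 1 if the observer exists, 0 otherwise

if __name__ == "__main__":
    conn = make_scorers_db()
    print(record_scores(conn, 7, "12", 3, 4))                               # 1
    print(conn.execute('SELECT "12T", "12H" FROM scorers WHERE id = 7').fetchone())  # (3, 4)
```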