MariaDB gives me an error that says 'WHERE '1'='1'' in a CTF - sql

I'm going through the beginner HackerOne CTFs and I'm trying to crack Micro-CMS v2. There is a login page that is vulnerable to SQL injection. The query goes like this:
'SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')
In the username field I input ' UNION SELECT '123' AS password WHERE '1'='1 but then it returns this error
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE '1'='1'' at line 1")
I tried commenting it out with --' or using WHERE 1=1' instead but nothing seemed to work.

Maybe try to put UNION' or 1=1; -- in the username field.
So the query would become like this:
SELECT password FROM admins WHERE username='UNION' or 1=1; --
The result of this query would output all values in the password field.
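As an added example (not part of the question or the answer above), here is the page's string-formatted lookup beside a parameterized one, run against a constructed in-memory SQLite table standing in for the CTF's MariaDB admins table; the injected input is the one the answer gives, and make_db, lookup_unsafe and lookup_safe are assumed names:

```python
import sqlite3

def make_db():
    # Constructed stand-in for the CTF's MariaDB "admins" table (sample rows, not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)",
                     [("admin", "s3cret"), ("backup", "hunter2")])
    return conn

def lookup_unsafe(conn, username):
    # Mirrors the page's query: the form value is spliced into the SQL text.
    # The .replace('%', '%%') only doubles percent signs in the value; it does
    # nothing about quotes, so the input can close the literal and append SQL.
    sql = "SELECT password FROM admins WHERE username='%s'" % username.replace("%", "%%")
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, username):
    # Parameterized form: the value is bound by the driver and never parsed as SQL,
    # so a quote in the input is just a character of the username being compared.
    rows = conn.execute("SELECT password FROM admins WHERE username=?", (username,))
    return sorted(row[0] for row in rows)

if __name__ == "__main__":
    db = make_db()
    payload = "UNION' or 1=1; --"          # the answer's input, quoted verbatim
    print(lookup_unsafe(db, payload))      # every password: ['hunter2', 's3cret']
    print(lookup_safe(db, payload))        # no such username: []
```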

Related

Problem with Stored Procedures in PHPmyAdmin

Attempting to perform operations with a random integer in SQL.
The following code works perfectly as intended when run as pure SQL, but triggers a syntax error when attempting to save it into a stored procedure.
SET @sample_count = (SELECT count(*)
FROM cinder_sample);
SELECT @sample_count;
SET @random_ID = (SELECT FLOOR(RAND()*@sample_count));
SELECT @random_ID;
Any ideas as to what could be going wrong?
The exact error triggered is:
"The following query has failed: "CREATE DEFINER=root@localhost PROCEDURE play_random_sp() NOT DETERMINISTIC CONTAINS SQL SQL SECURITY DEFINER DELIMITER // SET @sample_count = (SELECT count(*) FROM cinder_sample)// SELECT @sample_count// SET @random_ID = (SELECT FLOOR(RAND()*@sample_count))// SELECT @random_ID"
MySQL said: #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '// SET @sample_count = (SELECT count(*) FROM cinder_sample)// SELECT' at line 1"

How to make dynamic query in anypoint studio?

If id is present in flowVars, I will fetch the user from the database by id. If it is not present, I will fetch all users. I tried to use this expression but with no success:
select * from user #[flowVars.userId != null ? 'where id = ' + flowVars.userId : '']
The error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''where id = 1'' at line 1 (com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException).
I think it creates single quote in query.
You can write a dynamic query like this:
Insert into info Values (#[payload.Cname], #[payload.orderid], #[payload.customerid], #[payload.allergies])

How do I efficiently escape special characters in T-SQL?

IF NOT EXISTS (select * from sys.server_principals where lower([name]) =lower('DOMAIN\t''acct'))
BEGIN
CREATE LOGIN [DOMAIN\t'acct] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
END
The above code works correctly. My question is, is there a way to efficiently use placeholders so that I can pass in the same account and use in both the places when I have special characters?
IF NOT EXISTS (select * from sys.server_principals where lower([name]) =lower('$(account)'))
BEGIN
CREATE LOGIN [$(account)] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
END
where I would just replace $(account) with DOMAIN\t''acct or DOMAIN\t'acct?
Replacing with the former works only for the first replacement and says
CREATE LOGIN [DOMAIN\t''acct] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
Windows NT user or group 'DOMAIN\t''acct' not found. Check the name again.
for the create login statement.
And for the latter, I cannot just replace with t'acct as that would be incorrectly escaped. Doing it with a box throws this error:
select * from sys.server_principals where lower([name]) = lower([DOMAIN\t'acct])
Invalid column name 'DOMAIN\t'acct'.
Any additional pointers to prevent sql injection would be helpful. I'm considering accounts such as DOMAIN\'tacct as well (input is validated as valid windows user as well as domain format (contains \ in the name)).
To prevent SQL injection it is better to use a parameterized query instead of placeholders, I think.
To make the CREATE LOGIN statement work with an SQL parameter you will have to use dynamic SQL. The QUOTENAME function will help you escape the login name properly. In this case your SQL code could look like:
if not exists(select * from sys.server_principals where lower([name]) = lower(@loginName))
begin
declare @sql nvarchar(max);
set @sql =
'CREATE LOGIN ' + quotename(@loginName) +
' FROM WINDOWS WITH DEFAULT_DATABASE = [master]';
exec sp_executesql @sql;
end
where @loginName is the parameter that you should supply.
Use the SQL REPLACE function in the SELECT query alone to replace ' with '' while passing the placeholder.

Error SQL0104 when creating a function in System i V7R1

I'm creating a SQL function on System i V7R1:
CREATE FUNCTION MYSCHEMA.GROUPDIBAS(v_code VARCHAR(50))
RETURNS VARCHAR(2048)
LANGUAGE SQL
BEGIN
DECLARE str VARCHAR(2048);
SET str = '';
FOR row AS (
SELECT
FIELD2
FROM MYSCHEMA.DIBAS
WHERE FIELD1 = v_code
)
DO
SET str = 'Bubi'; --I removed many statements to make clear the problem doesn't come from them
END FOR;
RETURN str;
END
;
I execute it with "Run SQL script" tool, which is part of the iSeries Navigator V7R1.
It works on another V7R1 server (using iSeries Navigator V5R4), but not in that one where I'm working now. It fails with this message:
SQL State: 42601
Vendor Code: -104
Message: [SQL0104] Token <END-OF-STATEMENT> was not valid. Valid tokens: ;.
Cause . . . . . : A syntax error was detected at token <END-OF-STATEMENT>.
Token <END-OF-STATEMENT> is not a valid token. A partial list of valid tokens is ;.
This list assumes that the statement is correct up to the token.
The error may be earlier in the statement, but the syntax of the statement appears to be valid up to this point.
Recovery . . . : Do one or more of the following and try the request again:
-- Verify the SQL statement in the area of the token <END-OF-STATEMENT>. Correct the statement.
The error could be a missing comma or quotation mark, it could be a misspelled word, or it could be related to the order of clauses.
-- If the error token is <END-OF-STATEMENT>, correct the SQL statement because it does not end with a valid clause.
If I remove the FOR block, it works.
Moreover if I execute the statement with 5250 Emulator, command STRSQL, it works. So it seems like a bug in "Run SQL script" client.
Any hint will be appreciated!
The issue is with the FOR statement. The query analyzer is inconsistent about when the cursor-name CURSOR FOR is optional and when it is required, even though the documentation states that if it is not specified a unique cursor name is generated. SQL submitted via the IBM Access Navigator Run Scripts utility requires it.
The parentheses are also incorrect, but sometimes they are accepted (STRSQL, Navigator Run SQL Scripts) and sometimes they aren't (DBVisualizer/JDBC).
TIL there must be a different query analyzer running depending on the source of the query.
CREATE FUNCTION MYSCHEMA.GROUPDIBAS(v_code VARCHAR(50))
RETURNS VARCHAR(2048)
LANGUAGE SQL
BEGIN
DECLARE str VARCHAR(2048);
SET str = '';
FOR row AS C1 CURSOR FOR
SELECT
FIELD2
FROM MYSCHEMA.DIBAS
WHERE FIELD1 = v_code
DO
SET str = 'Bubi'; --I removed many statements to make clear the problem doesn't come from them
END FOR;
RETURN str;
END
Given the tests made by @JamesA and me, I fear the problem may be in the Program Temporary Fix (PTF) that this server lacks and the other ones have. Specifically, running the WRKPTFGRP command, I can guess it probably misses this PTF group:
PTF group Level Text
SF99701 5 DB2 FOR IBM I
Unfortunately I can't try installing it now :(.
In the session properties of your IDE, change the Statement Separator field value from ; to |, then reconnect your session. Then use | instead of ;. This way you can run your statement, procedure or function.
Usage example:
CREATE FUNCTION MYSCHEMA.GROUPDIBAS(v_code VARCHAR(50))
RETURNS VARCHAR(2048)
LANGUAGE SQL
BEGIN
DECLARE str VARCHAR(2048);
SET str = '';
FOR row AS C1 CURSOR FOR
SELECT
FIELD2
FROM MYSCHEMA.DIBAS
WHERE FIELD1 = v_code
DO
SET str = 'Bubi'; --I removed many statements to make clear the problem doesn't come from them
END FOR;
RETURN str;
END |

OPENQUERY update on linked server

I want to execute the following statement through a linked server (openquery):
UPDATE SAP_PLANT
SET (OWNER, OWNER_COUNTRY) = (SELECT import.AFNAME, import.COUNTRY
FROM SAP_IMPORT_CUSTOMERS import, SAP_PLANT plant
WHERE plant.SAP_FL = import.SAP_NO
AND import.role ='OWNER')
I've tried to form it into the following syntax, without success :(
update openquery('my_linked_server, 'select column_1, column_2 from table_schema.table_name where pk = pk_value')
set column_1 = 'my_value1', column_2 = 'my_value2'
I hope for you this is no problem?
I guess this is not really a query you want to open, rather an SQL statement you want to execute. So instead of openquery, you should use execute. See example G here: http://msdn.microsoft.com/en-us/library/ms188332.aspx
So your script should look like
execute ('your sql command here') at my_linked_server
Are you getting a syntax error? Your server parameter in the update openquery is missing a trailing quote. Change `'my_linked_server` to `'my_linked_server'`.