Inject SQL query into http URL - sql

I got an assignment to make SQL injection to a fake website that was built for that purpose.
I wanted to know how to inject SQL query into an URL.
for example, http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id
i have this URL, and i want to inject UNION query to it, how do I do that?
Thanks.

Let's assume that your web query will be translated to
SELECT * FROM users WHERE username = 'my_id';
Now, the trick is to replace 'my_id' by the malicious code. I assume that the purpose of the UNION query is to return all the users instead of just one. The result should be:
SELECT * FROM users WHERE username = 'my_id' UNION SELECT * FROM users; -- ';
Maybe the original query has a field list instead of *. Then you will have to duplicate this list in the second query.
Now instead of my_id, you must enter
my_id' UNION SELECT * FROM users; --
Note that we terminate our entry with a -- introducing a comment. The query mechanism will terminate the query by appending a final single quote (and maybe a semicolon). Now they will be turned into a comment.
The next question is, how do we escape this correctly for the URL. Using the online tool Code Beautify, HTML Escape/Unescape, we get:
my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--
This gives the full URL:
http://localhost:<>/vulnerabilities/webapi/users//nickname?username=my_id%27%20UNION%20SELECT%20*%20FROM%20users%3B%20--

Related

Adding <?xml-multiple?> in select statement

I select data from an Oracle SQL database using XMLELEMENTs. These data get passed to an application that will convert it into JSON and then sends it to a REST API.
Currently, I have the same issue as here, and the solution should be to add <?xml-multiple?> as a tag.
How can I select it from the database?
SELECT XMLEMENT("Body",
XMLELEMENT("User",
XMLELEMENT("Name", UserName),
XMLELEMENT("Adress", Adress)))
FROM USERS;
Let's say I want to mark that there could be multiple users with xml-multiple.
How do I need to change my query?
How about using the XMLPI function. It allows you to add processing instructions to the XML.
SELECT XMLEMENT("Body",
XMLPI("xml-multiple"),
XMLELEMENT("User",
XMLELEMENT("Name", UserName),
XMLELEMENT("Adress", Adress)))
FROM USERS;

SQL Server - Syntax around UNION and USE functions

have a series of databases on the same server which i am wishing to query. I am using the same code to query the database and would like the results to appear in a single list.
I am using 'USE' to specify which database to query, followed by creating some temporary tables to group my data, before using a final SELECT statement to bring together all the data from the database.
I am then using UNION, followed by a second USE command for the next database and so on.
SQL Server is showing a syntax error on the word 'UNION' but does not give any assistance as to the source of the problem.
Is it possible that I am missing a character. At present I am not using ( or ) anywhere.
The USE statement just redirects your session to connect to a different database on the same instance, you don't actually need to switch from database to database in this matter (there are a few rare exceptions tho).
Use the 3 part notation to join your result sets. You can do this while being connected to any database.
SELECT
SomeColumn = T.SomeColumn
FROM
FirstDatabase.Schema.TableName AS T
UNION ALL
SELECT
SomeColumn = T.SomeColumn
FROM
SecondDatabase.Schema.YetAnotherTable AS T
The engine will automatically check for your login's users on each database and validate your permissions on the underlying tables or views.
UNION adds result sets together, you can't issue another operation (like USE) other than SELECT between UNION.
You should use the database names before the table name:
SELECT valueFromBase1
FROM `database1`.`table1`
WHERE ...
UNION
SELECT valueFromBase2
FROM `database2`.`table2`
WHERE ...

SQL request Exceptions from *

If i create a sql database request with a * to get everything about one entry what do i have to do to get everything but one
for example: i want to have all information about the table article (ANR, BNR, BEZ, PC)(i don't want to have PC in it) so i start to write my request like this
SELECT a.*
FROM article a
In a select you can use * or specify all the columns you need, there's no way to extract everything but one:
SELECT ANR, BNR, BEZ
FROM article
Consider that using the *, even if it's shorter to write, may be dangerous, so I would only use it in simple check queries, and not in code to deploy.
Unfortunately there isn't a way to say 'select everything except...'.
I tend to go to the table in the object explorer, right click it and 'script as...' then choose 'SELECT To...' and new query window. It will then list all of the columns so you can remove the ones you do not want to select.
I should add, the above is only relevant for MSSQL and SSMS.

error while using the EXCEPT identifier in sql query

i have a user table with one attribute as habits that has valus like shopping,sports etc. Now when i log in to my application i get the username from the FORM tag and this is used in javascript for further use. I need a query that displays all the user table contents where habits=shopping but it shouldnt display the details of the currently logged in user. The query i used for this is,
select * from user where habits='shopping' except select * from user where username='niranjan';
But this line is generating an error stating that the EXCEPT identifier is not a valid input at this point.
pls correct my error or provide an alternative code for my issue.
select * from user where habits='shopping' and username!='niranjan';
No need for except here. Just add a condition to your where caluse:
And username <> 'niranjan'
The problem may be that user is a reserved word for SQL Server. I would suggest that you rename the table to users to get around this problem.
In the meantime, you can use square braces for the query:
select * from [user] where habits = 'shopping'
except
select * from [user] where username = 'niranjan';
However, it is bad form to use reserved words for table and column names.

SQL Injection without direct user input

In order to prevent SQL Injection for my site, i have used prepared statements.
Now let's say i use somewhere in my code, a simple SQL query like this :
SELECT DATA FROM DATABLE;
Is this code prone to injection ? Well it seems to me that's not possible to be, as there is no user input.But i just want to be sure.
If your statement is fixed (has no outside parameters), then it is immune to injection.
So if your code looks something like this:
result = RunQuery("SELECT * FROM Table")
then you are safe, since the query will always be the same everytime and cannot be influenced by users.
Inject is only possible if you use a variable in your query.
If you use prepaired statements with params it is not possible.
select * from user where id = ?
You cannot change this query, only the value, in that case you will just get no results
If you use
select * from user where id = '$id'
now depending on the value of $id we can have a sql inject.
If $id would be "0' or id > 0 " you will allways login ;)