Blind SQL Injection Guidance - sql

So I'm doing an exercise for class and I'm having a bit of trouble understanding this particular database that I'm meant to break into blindly.
The database throws the following error with the string:
x'
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC driver for Oracle][Oracle]ORA-01756: quoted string not properly terminated
showing that it is vulnerable.
Similarly, the database concatenates fine with a valid input aka valid'||'input returns the correct webpage for the input.
What confuses me is that the database does not throw an error when the input x' -- is entered, but when the input x'; -- is entered the db throws the following error:
Error Type: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00911: invalid character
I've also tried URL encoding the input so that it reads x'%3b+-- or x'%3b -- but it returns the same result.
Does anyone have any clue where to step next since it seems that I can't inject a semicolon ; into a query?
Everything's an Edit Below This:
Edit 1: I got to thinking and thought I might be inside of a parenthetical block. I tried the input x'); and it produces the following error:
Error Type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
[Microsoft][ODBC driver for Oracle][Oracle]ORA-00933: SQL command not properly ended
Edit 2:
Found out that the statement validinput'order by 52-- produced a result, but validinput'order by 53-- produced an error. I concluded the table has 52 columns.
I'm attempting validinput' union select 1 from table_name now, but it feels largely like a huge guessing game. I don't know what any of the table names could possibly be.
Edit 3:
My brain is honestly hurting at this point but I think I'm almost there...
The statement
validnum'+union+select+null,2,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+dual--
returned a legitimate page
Edit 4:
Followed Jeffrey Kemp's suggestion and I got a single table (the output seems to be limited to 1 row). Uh oh. More information though: the version is Oracle 9i, and I know the database name plus user name, and a few of the tables through blind luck. The goal of the exercise is to change a value in one of the tables. However, I've run into difficulty getting the column names since the output is limited to 1 row. Any suggestions?
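As an added example (not part of the original question or any answer), here is a small Python script that spots the probing pattern described above in web-server request logs, from the defender's side. It URL-decodes each parameter first (so x'%3b+-- is inspected as x'; --), then flags a quote followed by a semicolon, 'order by N probes, and union select ... from with its column count; two or more distinct ORDER BY values from one client are reported as column-count enumeration. The log lines, client IPs and the /item.asp?id= path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log: "<client_ip> <request_path_with_query>" (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 /item.asp?id=x'
10.0.0.5 /item.asp?id=x'%3b+--
10.0.0.5 /item.asp?id=validinput'order+by+52--
10.0.0.5 /item.asp?id=validinput'order+by+53--
10.0.0.5 /item.asp?id=validnum'+union+select+null,2,null,null+from+dual--
10.0.0.9 /item.asp?id=42
"""

# Patterns matched against the *decoded* parameter value
STACKED = re.compile(r"'\s*;")                                   # x'; -- (Oracle answers ORA-00911)
ORDER_BY = re.compile(r"'\s*order\s+by\s+(\d+)", re.IGNORECASE)  # validinput'order by 52--
UNION = re.compile(r"union\s+select\s+(.+?)\s+from\b", re.IGNORECASE)

def classify(value):
    # Return (kind, detail) pairs for one decoded parameter value
    hits = []
    if STACKED.search(value):
        hits.append(("stacked-query-attempt", None))
    m = ORDER_BY.search(value)
    if m:
        hits.append(("order-by-probe", int(m.group(1))))
    m = UNION.search(value)
    if m:
        # items in the UNION select list = the column-count guess being tested
        hits.append(("union-select-probe", len(m.group(1).split(","))))
    return hits

def analyze(log_text):
    # Group findings per client IP; only clients with at least one hit are reported
    report = {}
    for line in log_text.splitlines():
        ip, _, url = line.partition(" ")
        for pair in url.partition("?")[2].split("&"):
            value = unquote_plus(pair.partition("=")[2])  # %3b -> ';', '+' -> ' '
            for kind, detail in classify(value):
                entry = report.setdefault(ip, {"findings": [], "order_by": [], "union_cols": []})
                entry["findings"].append((kind, value))
                if kind == "order-by-probe":
                    entry["order_by"].append(detail)
                elif kind == "union-select-probe":
                    entry["union_cols"].append(detail)
    for entry in report.values():
        # two or more distinct ORDER BY values from one client = column-count enumeration
        entry["enumerating_columns"] = len(set(entry["order_by"])) >= 2
    return report
```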

Related

Copy Firebird fdb from old.fdb to new.fdb with slightly different structure

I am trying to copy a database from old.fdb to new.fdb which has a slightly different structure, like additional tables or columns. So far I've tried using IBPump, but it doesn't support FDB; it's for GDB.
I tried using FBCopy but it gives me an error:
*** IBPP::SQLException ***
Context: Statement::Prepare( INSERT INTO TABLE1 ("FIELD1","FIELD2","FIELD3")
VALUES (?,?,?) )
Message: isc_dsql_prepare failed
SQL Message : -104
Invalid token
Which I think is because my database dialect is 1. Also, I tried using dbMigration .NET but the connection isn't being established because the charset of the database is NONE.
I don't know what to do next. I will really appreciate any help or suggestions.

dbGetQuery in R truncates a really long SQL query (of length 10564 characters)

I have been trying to execute a really long SQL query and get the result into a data frame in R. But the following line throws an error and displays a partial query in the console (truncates it):
my_dataframe <- dbGetQuery(conn, my_large_query)
The length of the query is 10564 characters where I use a lot of CTEs.
I have removed the string truncation via the options menu in R Studio, but I wonder if there is a character limitation in the dbGetQuery function in R?
Any suggestions?
RDBMS: DB2 (on IBM AS400),
R Package: DBI (library - RJDBC)
You mentioned changing the 'string truncation', but how about warning.length?
options("warning.length"={integer})
I'd also suggest that you test the query out first in whatever GUI is available for your database. When you verify there's no problem with the query, then run it in R.
When dbGetQuery (assuming the DBI package) throws an SQL/database error, the actual content of the error won't be shown until after the full text of the query. In other words, if the query text is being truncated in the R error output, the database error code/text will not be visible at all. The issue may be something extremely simple like an unmatched bracket or a missing comma.
Please note whether the error message starts with Error in dbGetQuery (R issue) or Error in .verify.JDBC.result (database issue).

Firebird select statement gives SQLSTATE = 42S02

I've made a very simple database and am trying
select * from klant;
I've verified the table exists, and last week was able to see data in it. Today however I keep getting
Statement failed, SQLSTATE = 42S02
Dynamic SQL Error
-SQL error code = -204
-Table unknown
-KLANT
-At line 1, column 15
The same select query in flameRobin gives the following error:
Error: *** IBPP::SQLException ***
Context: Database::Statistics
Message: isc_database_info failed
SQL Message : -902
can't format message 13:98 -- message file C:\WINDOWS\SYSTEM32\firebird.msg not found
Engine Code : 335544727
Engine Message :
Error writing data to the connection.
I have copied the firebird.msg to the system32 folder so it should be able to find it there.
Any pointers toward the solution would be greatly appreciated. Similar questions all seem to point toward issues with transactions; I can't see that being the problem here.
Edit:
I'm using the included ISQL tool from Firebird and start the session by connecting to the database that includes my table. Same for FlameRobin: first connect to the database, I can see the table that I want to select from, but it gives this error.
Edit2:
Finally reinstalled Firebird making sure I gave it admin rights, which I think it had before, but wasn't sure about. This seems to have fixed it.

SQL and IBMDASQL

I'm trying to query a set of files.
Out of the 15 I have to query 3 of them are returning the error:
Msg 7314, Level 16, State 1, Line 1
The OLE DB provider "IBMDASQL" for linked server "Server name here" does not contain the table "system.lib.file". The table either does not exist or the current user does not have permissions on that table.
I am using SQL and made a linked server using the IBMDASQL driver.
Like I said, 3 files out of the 15 are only giving me this problem.
When I do a wrkobj on the files I see that public has all permissions, and I've added the specific user account just in case.
When I connect using a basic ODBC and Microsoft Query I don't even see the file on the list. When I log directly into the iSeries I can see and manipulate the files.
Now using the alternate file name. But getting an insert error. As asked, here is the code and then below the exact error.
INSERT INTO [PARKWAY-TRAIN].S60017.ORDERF912.NC_NURS_ORD_REF
(RECORD_ID, NURSING_ORDER_CD, ORDER_DESCRIPTION, LONG_DESCRIPTION, ORDER_TYPE, FREQUENCY_CD, FREQ_PM_MAINT, NOTE_REQUIRED_STS, NOTE_TEMPLATE, TPL_STATUS, FORM_ID, PARAMETER_ID, COSIG_REQ)
SELECT STND.RECORD_ID, STND.NURSING_ORDER_CD, STND.ORDER_DESCRIPTION, STND.LONG_DESCRIPTION, STND.ORDER_TYPE, STND.FREQUENCY_CD, STND.FREQ_PM_MAINT, STND.NOTE_REQUIRED_STS, STND.NOTE_TEMPLATE, STND.TPL_STATUS, STND.FORM_ID, STND.PARAMETER_ID, STND.COSIG_REQ
FROM [MODEL2].TNICLN2.ORDERF143.NC_NURS_ORD_REF STND
WHERE STND.RECORD_ID <> 'D' AND NOT EXISTS (SELECT HOSP.NURSING_ORDER_CD FROM [PARKWAY-TRAIN].S60017.ORDERF912.NC_NURS_ORD_REF HOSP WHERE HOSP.NURSING_ORDER_CD = STND.NURSING_ORDER_CD)
The error message:
OLE DB provider "IBMDASQL" for linked server "PARKWAY-TRAIN" returned message "SQL0104: Token . was not valid. Valid tokens: .
Cause . . . . . : A syntax error was detected at token .. Token . is not a valid token. A partial list of valid tokens is . This list assumes that the statement is correct up to the token. The error may be earlier in the statement, but the syntax of the statement appears to be valid up to this point. Recovery . . . : Do one or more of the following and try the request again: -- Verify the SQL statement in the area of the token .. Correct the statement. The error could be a missing comma or quotation mark, it could be a misspelled word, or it could be related to the order of clauses. -- If the error token is , correct the SQL statement because it does not end with a valid clause.".
Msg 7343, Level 16, State 2, Line 1
The OLE DB provider "IBMDASQL" for linked server "PARKWAY-TRAIN" could not INSERT INTO table "[PARKWAY-TRAIN].[S60017].[ORDERF912].[NC_NURS_ORD_REF]".
If I run just the Select portion of the code, I get a return 503 lines to be exact. It only fails when I throw in the insert portion of the code.
IBM says to correct the token. I've got no clue as to which token is in error to correct though.
The 'Table not found' error is very suspicious. Using STRSQL:
select table_name, table_schema,
base_table_name, base_table_schema, base_table_member,
system_table_name, system_table_schema
from systables
where table_name = 'NC_NURS_ORD_REF'
Check to see that the table named NC_NURS_ORD_REF in library ORDERF912 is really associated with the system table name NCORDER in the library ORDERF912.
The syntax error is equally suspicious. Given that this is a cross-system query, I doubt you'll be able to run it as-is from the IBM i STRSQL command. That would mean that the proper multi-system database configuration is set up on the i side.
I found someone with a similar problem and it looks like it's on the Microsoft side: http://bytes.com/topic/db2/answers/447753-error-inserting-into-iseries-db2-table-long-name-via-sql-server-2000-linked-server I think his workaround was to use the OPENQUERY() form.
One thing you can definitely check on the IBM i side is whether journaling is turned on for ORDERF912.NC_NURS_ORD_REF. This is important because you need to use the right commit level. Take the results of the previous query against SYSTABLES and use the SYSTEM_TABLE_NAME to do a DSPFD. Look for the text 'File is currently journaled'. If the table is not journaled, you have several choices. The best choice is to start journaling the file, but if that's not available, try INSERT... WITH NC. Or turn off commitment control at the driver.
Also, have a look at the following IBM technote to make sure the linked server is set up properly: http://www-01.ibm.com/support/docview.wss?uid=nas8N1014514

MS Access database: Select statement error

I am trying the following query in an MS Access 2010 database:
Query:
SELECT ID, Title, Priority, Workflow_Instance_Step_ID:ID
FROM Task
Error:
Error Source: Microsoft Office Access Database Engine
Error Message: Syntax error (missing operator) in query expression 'Workflow_Instance_Step_ID:ID'
I know that the field "Workflow_Instance_Step_ID:ID" is giving the error as it has the ':' operator, but I can't change it as it is coming from a SharePoint list.
I have tried '[Workflow_Instance_Step_ID:ID]' but it's still giving an error.
Please give me your suggestions on the same.
I am unable to recreate your issue, at least with a native Access table in Access 2010. I created a table named [baz] with a single text field named [foo:bar]
foo:bar
-------
this
is
a
test
and the query
SELECT [foo:bar] FROM baz;
works fine, so a field name containing a colon character does not seem to cause problems for Access SQL as such.
An ODBC linked table to a SQL Server table with the same structure does not cause problems either.
In both cases the queries were run from within Access 2010 itself.
So we might be in diagnosis mode, so let's try
SELECT * FROM Task
and then look at the FieldNames that come back.