In SL support ticket opened last year, I was looking for assistance in working around a SoftLayer issue where when my team orders Baremetal servers through some custom scripting, sometimes, the server id associated with the new BM server changes during the provisioning process, and at that point, my tooling loses track of it, and fails. In this ticket:
https://control.softlayer.com/support/tickets/21903245
I was told that I should use the global identifier instead of the server id. I finally got around to testing that, but I am seeing an issue. It would seem that I can't query the hardware status of the new server using the global identifier when I have first submitted the request, like I can with the server id.
[chrisr#ratsy tools]$ curl -k -u chrisr1:<PW> "https://api.softlayer.com/rest/v3/SoftLayer_Hardware/320526/getHardwareStatus.json"
{"id":3,"status":"DEPLOY"}
[chrisr#ratsy tools]$ curl -k -u chrisr1:<PW> "https://api.softlayer.com/rest/v3/SoftLayer_Hardware/75302613-e55a-481a-829f-967799a41968/getHardwareStatus.json"
null
However, it does work later. I ran the same query for a server that was all ready provisioned.
[chrisr#ratsy tools]$ curl -sS -k -u chrisr1:<PW> "https://api.softlayer.com/rest/v3/SoftLayer_Hardware/1ab37f37-9373-4e10-9de4-7319fffcb4f8/getHardwareStatus.json" | json_pp
{
"status" : "ACTIVE",
"id" : 5
}
I need an identifier that I can query on that is:
a) available right away, and
b) won't change
Thanks.
The Global Identifier is assigned to the hardware until the provision is complete, for this reason the request returns "null" value. But it is the identifier that would not change if the server has been re-assigned.
Apparently there not exists any identifier that you can use to track Bare Metal Servers according your requirements.
However, I can recommend to track your server provisioning through hostname that you assigned to the server.
Getting server's information
https://$user:$apiKey#api.softlayer.com/rest/v3/SoftLayer_Account/getHardware?objectFilter={"hardware":{"hostname":{"operation":"serverHostname"}}}
Method: Get
Replace: serverHostname with the server's hostname that you
defined in your order.
The response will provide information about server's identifier,
then you can check the status from server with it.
https://$user:$apiKey#api.softlayer.com/rest/v3/SoftLayer_Hardware/123123/getHardwareStatus
Method: Get
Note: You need to make sure that you don't have more than one bare metal server's with the same hostname.
You are using wrong the global identifier, the idea is you query the server repeatedly until the provisionDate is filled in, it means you call the http://sldn.softlayer.com/reference/services/SoftLayer_Hardware_Server/getObject method and review if the "provisionDate" field has been filled in, in case that the field is not filled in that means that the server is still in provisioning. Once the provisioning server has been completed the "provisionDate" field will be filled in and also the ID of the server and other data will be updated as well. So you do not need to call the getHardwareStatus method in order to know if the server is still in provisioning or completed.
Related
Under the authorization of my friend, I am testing his website against potential vulnerabilities.
I was trying to find if I was able to inject a SQL query into a POST request parameter hi' or 1=1 --:
query=hi'%20or%201%3d1%20--
I found that the document prints out:
<div class="error">index job,query: syntax error, unexpected '-' near '-'</div>
while with ' or 0=0 -- I get:
<div class="error">index job,query: syntax error, unexpected '|' near ' | 0=0) --'</div>
does this mean that it's vulnerable to SQL Injection? If yes, how can I make it print server system data (like information, etc.)? By the way, if the string is correct it gets redirected to another webpage (I think that's why SQLMap tells me the parameter is not SQL-injectable).
EDIT: I can see the query works just if the URL gets redirected, but I won't see the query output. If the URL doesn't get redirected, I can see these SQL query errors. I'm trying to see how to get the output and do something more useful to attack the website, or even make it detectable from sqlmap.
The current command I'm using is sqlmap -r thework.txt -p query --dbs. thework.txt contains the full valid POST request.
SQL injection isn't only about malicious attacks that read data or change data on your site.
The majority of SQL injections are simply errors like the one you saw. They might not even be malicious. What if you have an SQL injection vulnerability that simply causes an error when someone wants to register their last name as "O'Reilly"? The user is well-intentioned, but your site breaks when they use their real name.
That's reason enough to detect and fix cases of SQL injection in your code.
You didn't post your code that builds the SQL query from this input, so what you have shown is only circumstantial evidence. But I do infer that you are copying a GET input into your SQL query without proper escaping or the preferred method, using a query parameter.
Wish I had 50 reps so I could put this in comments. But yes the site is most likely vulnerable. To be sure ask your friend to allow you to run an initial exploit.
sqlmap.py -u < Target Address> --dbs
If you successfully pull up the data base you have found the vulnerability or at least have confirmed there is a vulnerability.
Is there any command in Redis to get the database name that I am using right now?
I know select is to switch the database. I am looking for "get database name" kind of a command.
First of all, there's NO name for Redis database. Instead, it has an index.
You can use the CLIENT SETNAME and CLIENT LIST commands to get the database index dynamically:
call CLIENT SETNAME a-unique-name to set a unique name for the current connection.
call CLIENT LIST to get info of all clients that connecting to Redis.
find the connection info with the unique name that we set in step 1.
parse the client info the get the database index.
You can get the format of client info from the doc.
NOTE: If anyone has a simpler solution, please let me know :)
UPDATE: Since Redis 6.2.0, you can use CLIENT INFO to get the information of current connection. So that you don't need to run step 1 - 3 mentioned above.
Since Redis version 6.2.0 you can use the CLIENT INFO command, the response of which contains both the name and the db number of the current client connection.
Hi I have managed to implement container managed authentication in weblogic 12c with an SQLAuthenticator. I am successfully loging in with the users I create in the database when the password setting is set to PLAINTEXT in the provider specific sqlauthenticator settings and the database value is not encrypted.
If I am storing the user's password inside the database using the following code though I cannot login:
String encPass = "{SHA-1}" + new sun.misc.BASE64Encoder()
.encode(java.security.MessageDigest.getInstance("SHA1")
.digest(newUser.getPassword().getBytes()));
By providing the password "weblogic1" this value is stored in the db: {SHA-1}r49g3WeQasgoe6ODQ+5fa4Ic5tk=
In my SQLAuthenticator provider specific settings I have "Plaintext Passwords Enabled" set to false, "Password Style Retained" set to true, Password Algorithm: set to SHA-1.
When I run
request.login(email, password);
It throws the Authentication Failed exception...
What am I doing wrong?
A little late, but I think I can answer this one for you.
From the sound of things, your code was in fact correct, however, as you discovered, your tables were not properly set up.
When configuring your RDBMS authentication, it is assumed that you have three tables in your DB, they are:
users (username, password, description)
groupmembers (group name, group member)
groups (group name, group description)
I expect you were mostly there, but lacking the description column for the "users" and "groups" tables was causing your problems.
You can check out this link from Oracle's online documentation for more info:
https://docs.oracle.com/cd/E21764_01/web.1111/e13707/atn.htm#SECMG195
OK, my code now runs correctly but I don't know why. The only thing I changed is that I added some description columns to my tables and fixed my queries in the provider description accordingly. This shouldn't actually affect the login, just the user creation from the weblogic console which didn't work. Maybe weblogic just needed a few restarts IDK.
I have created a job scheduler using pgagent in postgresql:
What I did is mentioned as screen shots
I had created like this to update name in my database field in a certain time. But when I check it is getting failed.
The failed status as follows:
What I did wrong? How can I correct it?
I have also faced the same problem exactly. By trial and error, I changed the Connection Type from Local to Remote and gave the following connection string
user=some_user password=some_password host=localhost port=5432 dbname=some_database
in the properties of the Step. And, it worked. So, the trick is to treat even the local server as a remote server.
I AM NOT RUNNING THE COMMANDS FROM PHP!
I have MySQL log_error value set to /var/log/mysql/error.log
However when I connect to a database and run an SQL command, the error does not appear in the log.
SELECT *
FROM some_table
where this_is_invalid_and_will_fail="Doesn't matter because column doesn't exist!";
There are commands running from some sort of windows application. All I want to know is what invalid commands its sending to the MySQL server so that I can attempt to resolve them.
Error log doesn't do that:
https://dev.mysql.com/doc/refman/8.0/en/error-log.html
The error log contains information
indicating when mysqld was started and
stopped and also any critical errors
that occur while the server is
running.
MySQL doesn't log invalid/failed queries anywhere.
If it's for debugging purposes, you might try setting up a MySQL Proxy, which could log this I think:
http://dev.mysql.com/downloads/mysql-proxy/
Basically, there are 2 ways.
1) setup some kind of proxy, which can log error queries. There are a lot of forks of the original mysql proxy (which was mentioned by #Mchl) - https://github.com/search?utf8=%E2%9C%93&q=MySQL+Proxy Also you can find latest version of the original mysql proxy here https://github.com/mysql/mysql-proxy
I dont like this way, because its kind of too complicated for quick debug
2) you can enable general log in mysql (which will log ALL queries).
It will create big overhead and doesnt fit production requirements, but its fast and easy way to fix bugs in development environment.
Just login to your mysql and execute
SET GLOBAL general_log = 'ON';
SHOW GLOBAL VARIABLES LIKE 'general_log%';
You will see logs location, like
+------------------+------------------------+
| Variable_name | Value |
+------------------+------------------------+
| general_log | OFF |
| general_log_file | /mnt/ssd/mysql/s.log |
+------------------+------------------------+
After that execute
mysqladmin flush-logs -u root -p
When you will need to stop logs - just execute
SET GLOBAL general_log = 'OFF';
As of mysql version 5.6.3 (released 2011-10-03), there is a variable called log-raw which allows you to include invalid queries in the general query log:
https://dev.mysql.com/doc/refman/5.6/en/server-options.html#option_mysqld_log-raw
You will need to turn on general query log using general-log and general-log-file, e.g.:
[mysqld]
general-log=1
log-raw=1
general-log-file=/var/log/mysql/general.log
Could you enable the General Query Log? That should tell you everything you need to know.
This is not so trivial. The best way to do this, is to log bad queries in your application. There is no built-in way.