SQL injection getting current user and database priv - sql

I am doing a tutorial lab on SQL Injection.
I am stuck at retrieving the username of the current user and the priv it has.
I tried Select user FROM dual, select current_user. In SQLPlus, to get current user I will type
SQL> show user.
Question being asked:
1. Use a SQL Injection string in the Search field to get the name of the database user that the application is connecting to the database with.
2. Use a SQL Injection string in the Search field to get the system privileges granted to the user that the application is connecting to the database with.
Please help. Thanks

Related

Issue while creating a user in azure SQL server

In my application I need to create a user with the email id in the azure Sql server. Eg:
The email id is: xxxx@gmail.com
create user xxxx@gmail.com with password '123131'
The user gets created but when I try to log in with that user a message is shown.
Cannot open server "gmail.com" requested by the login. The login failed Click here
The issue is with @. If I change it with some other character it works. Is there any alternative because I need to create user with the email id.
Any help would be greatly appreciated.
SSMS recognizes @gmail.com as the server name here, and the workaround is simple: assuming your SQL database server name is testserver.database.windows.net and you have a user username@gmail.com, in SSMS you should specify the username as username@gmail.com@testserver and that would work. This should also apply to JDBC and ODBC connections.

CREATE USER in MS Access 2010

I have been searching for several hours regarding how to create a user using SQL for a database I am building in Access. I found several sources on Microsoft's website that say I can use the CREATE USER command to do this. However, whenever I attempt to run the query, an error saying Syntax error in CREATE TABLE statement pops up. What am I doing wrong? Thank you in advance for your help! If you're interested, the code format I am attempting to use is as follows: CREATE USER username, password, pid.
Access does support CREATE USER as a DDL statement, but unfortunately it won't work in all contexts. Specifically, it won't work if we try to run it from
the Query Designer within Access itself,
a DAO connection to the database, or
an ODBC connection to the database.
It will only work when run from an OLEDB connection to the database. That can be accomplished from VBA code within the Access database itself by using the CurrentProject.Connection object, like so:
CurrentProject.Connection.Execute _
"CREATE USER newuser newpassword newpid"
(Note that there are no commas between the three arguments to the CREATE USER statement.)

Invalid Object Name in mssql 2005

We currently have an issue with our MSSQL 2005 database. We've recently undergone a migration from windows server 2003 to 2008. SQL Server has remained as 2005. I'm using SQL Server Management Studio to work on.
All the tables in the database follow the format: [SCHEMA].[TABLE_NAME]
When I enter the SQL:
SELECT * FROM [table_name]
I get the error message: Invalid object name '[table_name]'.
If I type in:
SELECT * FROM [schema].[table_name]
This works fine. The username we log into the database with owns the schema which is prepended to all the table names.
The problem is, we have 3rd party companies which have software which exports data from the database. 2 companies have now tried to run their exporters, however are getting the error 'Invalid object name'. The software is logging in with the username which owns the schema.
My question is exactly the same as this one I've found on the internet:
http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=99802
However the answer on that question seems to be full of keywords rather than actual sentences which makes it very hard to understand.
If anyone could help, it'd be greatly appreciated.
Many thanks
Phil
Set the default schema for the 3rd party's username to the schema their un-prefixed references should point to:
ALTER USER foo WITH DEFAULT_SCHEMA = [bar];
(This is different from owning the schema.)
And tell them to write software correctly. In SQL Server you should always be specifying the schema name, even if you always use dbo.

Permissions in SQL Server 2008

I have created 10 databases of 'Northwind' for training purposes. Suppose I have 10 students, so the databases are Northwind_Student1, Northwind_Student2 etc. I would like to create a separate login for each pupil, so that Student1 can only see (or can access) the database 'Northwind_Student1'. How can I accomplish this using T-SQL or SSMS 2008?
You can create different users for different databases and assign permissions like below. It's for SQL 2008, but it will be the same for 2005 also:
In SSMS, expand the Security tree of the server in Object Explorer and right-click Logins to choose New Login..., then add as many as needed.
Then in the Security tree of each individual database, add the login as a user of that db and grant appropriate rights.
Create 10 different logins and assign each to the database it can access.
CREATE LOGIN yourloginname WITH PASSWORD = 'yourpassword'
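The steps in this answer written out as one T-SQL script, as an added example that is not part of the original answer. It assumes the databases Northwind_Student1 to Northwind_Student10 already exist; the login names Student1 to Student10, the password pattern and the choice of db_datareader/db_datawriter are placeholders to adjust.

```sql
-- Added example: one login per student, mapped to a user in that
-- student's database only. Login names and passwords are placeholders.
DECLARE @i INT, @login SYSNAME, @db SYSNAME, @pwd NVARCHAR(128), @sql NVARCHAR(MAX);
SET @i = 1;

WHILE @i <= 10
BEGIN
    SET @login = N'Student' + CAST(@i AS NVARCHAR(2));
    SET @db    = N'Northwind_Student' + CAST(@i AS NVARCHAR(2));
    SET @pwd   = N'Replace-Me-' + CAST(@i AS NVARCHAR(2)) + N'!';  -- placeholder

    -- Server-level login, created once, landing in the student's own database.
    IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login)
    BEGIN
        SET @sql = N'CREATE LOGIN ' + QUOTENAME(@login)
                 + N' WITH PASSWORD = ' + QUOTENAME(@pwd, '''')
                 + N', DEFAULT_DATABASE = ' + QUOTENAME(@db) + N';';
        EXEC sys.sp_executesql @sql;
    END;

    -- Database user and role membership in that one database only.
    -- No user is created in any other Northwind_StudentN database,
    -- so the login has no mapping there.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @u)
            CREATE USER ' + QUOTENAME(@login) + N' FOR LOGIN ' + QUOTENAME(@login) + N';
        EXEC sp_addrolemember N''db_datareader'', @u;
        EXEC sp_addrolemember N''db_datawriter'', @u;';
    EXEC sys.sp_executesql @sql, N'@u SYSNAME', @u = @login;

    SET @i = @i + 1;
END;
```

The names of the other databases stay visible in sys.databases because the public server role holds VIEW ANY DATABASE by default; without a user mapping the student still cannot open them.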

can not retrieve data from sql server

I cannot retrieve data from the db in SQL Server.
I use c3p0 as the pool; this is the c3p0.properties:
c3p0.user=test
c3p0.password=123456
c3p0.jdbcUrl=jdbc:sqlserver://xxxxxx:1433;databaseName=TIMDB;SelectMethod=cursor
c3p0.driverClass=com.microsoft.sqlserver.jdbc.SQLServerDriver
c3p0.maxPoolSize=15
c3p0.testConnectionOnCheckin=true
c3p0.idleConnectionTestPeriod=3600
In SQL Server, I have created a new user named test, and its default db is TIMDB, the server role is public, and this is the user mapping:
But when I start the application, I can get nothing.
From the log created by log4j, I can get the SQL used to retrieve data, but if I copy the SQL to SQL Server Management Studio and create a new query, I can retrieve some data.
I wonder why?
It looks like a permissions problem to me. If the generated SQL runs when you use it in Management Studio (i.e. under your user account) then you know the code is good. What access have you given the user "test"? From your post I see "user mapping: enter image description here". He will need at least db_datareader and possibly more depending on what code is generated.
You could also try logging on to SQL Management Studio under your "test" user and see if you can execute the code. That will eliminate the possibility that it's something wrong with your application/network.
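A way to run the check suggested in this answer without logging in a second time, as an added example that is not part of the original answer. It is run by an administrator in SSMS and assumes the database user mapped to the login is also named test; dbo.SomeTable is a hypothetical stand-in for a table the application queries.

```sql
-- Added example: inspect what the application account can actually do.
USE TIMDB;

-- 1. Is the login mapped to a user in this database, and which default
--    schema do its un-prefixed table names resolve against?
SELECT dp.name AS db_user, dp.default_schema_name, sp.name AS server_login
FROM sys.database_principals AS dp
JOIN sys.server_principals  AS sp ON sp.sid = dp.sid
WHERE sp.name = N'test';            -- no row means no user mapping

-- 2. Database roles the user belongs to (db_datareader expected for reads).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'test';

-- 3. Effective permissions as that user, then switch back.
EXECUTE AS USER = N'test';
SELECT permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE');
SELECT HAS_PERMS_BY_NAME(N'dbo.SomeTable', N'OBJECT', N'SELECT') AS can_select; -- hypothetical table
REVERT;

-- 4. Only if step 2 shows no read role: grant read access and nothing more.
-- EXEC sp_addrolemember N'db_datareader', N'test';
```

A can_select value of 0 points to missing permissions, while NULL means the object name did not resolve, which is a schema problem rather than a permission one.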