Hi ive just hear about an error in cakephp that allows sql inyection;
https://twitter.com/cakephp/status/328610604778651649
I was trying to test my site using sqlmap, but i cant find how to specify the params.
The url i am testing is;
http://127.0.0.1/categories/index/page:1/sort:id/direction:asc
And the parameters i want to sqlmap inyect are in the url (page:,sort:,direction:)
I have try to run;
python sqlmap.py -u "http://127.0.0.1/categories/index/page:1/sort:id/direction:asc"
But nothing...
Any clue? Thanks!
In CakePHP there are passed arguments, named parameters, and querystring parameters.
Passed arguments look like .../index/arg are accessed with $this->request->pass[0], where '0' is the array index. Named parameters look like .../index/key:value and are accessed with $this->request->named['key']. Querystring parameters look like ̀.../index?key=valueand are accessed with$this->request->query['key']`.
Your URL uses named parameters so it should look like this (without the question mark):
http://127.0.0.1/categories/index/page:1/sort:id/direction:asc
Edit:
Since CakePHP uses mod_rewrite, you have to specify the parameters as explained in the sqlmap wiki.
Related
I am trying to connect to this API endpoint, some parameters such as roomTypes and addOns require more parameters inside them. What should the URL be like?
Here is what I am trying, unsuccessfully:
https://api.lodgify.com/v2/quote/308200/?arrival=2020-10-02&departure=2020-10-07&propertyId=308200&roomTypes=[Id=373125, People=5]&addOns=[]
See image of Documentation
The correct format of parameters are as following:
https://api.lodgify.com/v2/quote/{PropertyID}?arrival={DATE}&departure={DATE}&roomTypes[0].id={RoomID}&roomTypes[0].people={PEOPLE}
It seems like you have space (white space) between Id and People in your URL, an URL must not contain a literal space
Can I use a parameter from Carte's URL in a Job? Something like this:
http://localhost:8080/kettle/startJob/?name=myjob&xml=Y&testvar=filename.txt
I want to do this because I have a job to transform an input file but I want to change that filename dynamically, and creating a new XML file for each file is a bit nonsense.
I've tried many things and I couldn't find a solution :-(
All named parameters must be declared in the parameters tab of said JOB and KTR to be executed and receive the information passed from the URL parameters.
I'm trying to call a http endpoint. For that I need to specify a url that uses a query string to filter data.
Sample URL: http://example.com?date=2017-10-04T22:18.007Z
I need to use the current system time as a value for date query string.
I created a script and assigned the generated url with the current datetime to a variable. However, when I assigned that variable for the url field in the source HTTP definition, it did not resolve the variable.
Is there a way to solve this issue?
I do this all the time. As long as your script is running properly (you can test that with the test feature on the script), you are writing the URL value to a global variable (something like $URL), and you are writing that global variable out in your target (something like [URL]), it should work.
If you want to show your script (just where you are creating the URL), and your target URL field that could help narrow down the problem.
Does Restlet support exploded path variable (reference to URI Template RFC)?
An example would be /documents{/path*} where path can be for example "a/b/c/d/e".
This syntax doesn't seem to work with Restlet.
I'm creating a folder navigation api and I can have variable path depth, but I'm trying to have only one resource on the server side to handle all the calls. Is this something I can do with Restlet? I suppose I could create a custom router but if there is another way to do this I would like to know.
Thanks
It is possible to support this using matching modes.
For example:
myRouter.attach("/documents{path}",
MyResource.class).setMatchingMode(Template.START_WITH);
Hope this helps!
I'm doing the following
myRouter.attach("/documents/{path}", MyResource.class).setMatchingMode(Template.START_WITH);
Now I do get inside the resource GET method, but if I request the value of the path variable, I only get the first part (for example, /documents/a/b/c, path returns "a".) I use getRequest().getAttributes().get("path") to retrieve the value. Am I doing something wrong ?
Mathieu
I'm using the google custom search api and want to create a search using the siteSearch:
https://www.googleapis.com/customsearch/v1?key=k&cx=cx&q=cocos2d&siteSearch=www.cocos2d-iphone.org&siteSearchFilter=i
and it works fine (returns all the result only from the given site).
Then I want to specify TWO sites to search so I tried to change the :
siteSearch=www.cocos2d-iphone.org
to
siteSearch=www.cocos2d-iphone.org www.XXXXXXXX.org
siteSearch=www.cocos2d-iphone.org|www.XXXXXXXX.org
siteSearch=www.cocos2d-iphone.org||www.XXXXXXXX.org
but none of these works.
hope someone can help here, thanks:)
Currently I don't believe you can specify more site through the query param siteSearch.
nevertheless you can configure your Custom Search Engine here: https://www.google.com/cse/manage/all
in the "Site to search" area.
This also works for excluding, as you can read here: https://support.google.com/customsearch/bin/answer.py?hl=en&answer=2631038&topic=2601037&ctx=topic
You cannot do this with the as_sitesearch parameter as that only accepts a single value. But you can achieve what you want with the as_q parameter, setting it to some value like: "site:google.com OR site:microsoft.com" - that will work in a similar way to this search.
The as_q parameter is documented here as:
The as_q parameter provides search terms to check for in a document.
This parameter is also commonly used to allow users to specify
additional terms to search for within a set of search results.
Examples q=president&as_q=John+Adams
Use "space" as seperator
Below is sample PHP code which works for me
$url="https://www.googleapis.com/customsearch/v1?key=k&cx=cx&q=cocos2d&siteSearch=".urlencode("www.cocos2d-iphone.org www.XXXXXXXX.org")."&siteSearchFilter=i"
Thanks,
Ojal Suthar