Trying to exploit SQL injection for my assignment. Is it possible to execute delete or drop query after order by in select query without using the semicolon in Postgresql?
This is my sample query:
Select *
from table
order by {sql injection payload}
Without using the semicolon in the payload, can we delete data or drop a table?
https://stackoverflow.com/a/6800585
Do we have similar to this Postgrsql?
I tried
Select * from (delete from table_name returning *) a
But getting sql error as 'syntax error at or near from'
Check this document it says we can bypass forbidden character by CHR()
https://book.hacktricks.xyz/pentesting-web/sql-injection/postgresql-injection
DELETE cannot be put inside a subquery. Nor can DELETE be part of a UNION.
So aside from running a second query (that is, separated by a semicolon), there's almost no way you can do what you describe.
You could invoke a stored procedure or function, if you knew of an existing function that performs a DELETE. Example:
Select *
from table
order by {sql injection payload}
After your payload modifies this query:
Select *
from table
order by SomeFunctionThatDeletes()
Another type which works because you can select from a procedure in PostgreSQL:
Select *
from table
order by id
UNION
Select *
from SomeProcedureThatDeletes()
You can't create the function or procedure with SQL injection, so that routine must exist already, and you would need to know its name and how to call it.
DELETE or DROP TABLE are not the only bad things that can happen from SQL injection. It could be a problem if the query returns data that the current user shouldn't have privilege to see. For example, records about a different user's purchases or medical history.
SQL injection can also be accidental instead of malicious. I would even say that most instances of SQL injection result in simple errors instead of data breaches. Those aren't really attacks, but they lead to an unsatisfactory experience for your users.
I am writing a performance/system monitoring tool to augment load testing for my team's product and I am trying to store database system information with the results bundle but do not know how to write the query to capture this in Oracle (I'm a developer not a DBA).
I have this all working the way I want for SQL Server, but I need to do the same for Oracle. Below is a query I found online for this is SQL Server:
SELECT CONVERT(varchar(128),SERVERPROPERTY('ComputerNamePhysicalNetBIOS')) AS 'computerNamePhysicalNetBIOS',
CONVERT(varchar(128),SERVERPROPERTY('MachineName')) AS 'machineName',
CONVERT(varchar(128),SERVERPROPERTY('Edition')) AS 'edition',
CONVERT(varchar(128),SERVERPROPERTY('ProductLevel')) AS 'productLevel',
CONVERT(varchar(128),SERVERPROPERTY('ProductVersion')) AS 'productVersion',
CONVERT(varchar(128),SERVERPROPERTY('BuildClrVersion')) AS 'buildClrVersion',
CONVERT(INT,SERVERPROPERTY('ProcessID')) AS 'processID',
CONVERT(INT,SERVERPROPERTY('EngineEdition')) AS 'engineEdition',
CONVERT(INT,SERVERPROPERTY('HadrManagerStatus')) AS 'hadrManagerStatus',
CONVERT(INT,SERVERPROPERTY('IsHadrEnabled')) AS 'hadrEnabled',
CONVERT(INT,SERVERPROPERTY('IsAdvancedAnalyticsInstalled')) AS 'advancedAnalyticsInstalled',
CONVERT(INT,SERVERPROPERTY('IsClustered')) AS 'clustered',
CONVERT(INT,SERVERPROPERTY('IsPolybaseInstalled')) AS 'polybaseInstalled',
CONVERT(INT,SERVERPROPERTY('IsXTPSupported')) AS 'xtpSupported',
CONVERT(INT,SERVERPROPERTY('LCID')) AS 'lcid',
CONVERT(varchar(128),SERVERPROPERTY('ResourceVersion')) AS 'resourceVersion',
CONVERT(varchar(128),SERVERPROPERTY('ServerName')) AS 'serverName',
CONVERT(varchar(128),APP_NAME() )AS 'appName',
CONVERT(INT,DB_ID()) AS 'dbId',
CONVERT(varchar(128),DB_NAME()) AS 'dbName'
I don't really expect a one-to-one column match between the above query and Oracle's version, but in general, how can I get very similar information from Oracle?
I don't really expect a one-to-one column match between the above
query and Oracle's version, but in general, how can I get very similar
information from Oracle?
Most of that stuff, if it exists at all in the Oracle database, will be accessible through V$ views in the Oracle database. To get you started, here are some that are going to be most relevant to answering your question:
select * from v$instance;
select * from v$version;
select * from v$sql_feature;
select * from v$license;
select * from v$option;
If you want to get a complete list of V$ views to look around better,
select * from dict where table_name like 'V$%';
Some of those things are specific to MSSQL and have no meaning in Oracle. But you can get many of them with sys_context() using the userenv namespace.
For instance, to get the database name:
select sys_context('userenv', 'DB_NAME') as db_name
from dual;
Is there a lightweight sql statement that I can against an oracle database to test if the database is up, available and able to exceute sql?
SELECT 1
FROM dual
is a common one. You could select any constant value from DUAL as well.
If you don't want to connect first, you could query through a link, for example, I have a set of links to an external system and I run SQL of the following form:
select * from global_name#myLink01.WORLD;
If you write the sql statement to describe dual table, then also you will get to know it whether db is up and running.
desc dual;
Platform: SQL Server 2008
Language: TSQL
I have a number of queries that currently take the general form of (for simplicity sake)
-- Sample begin results
SELECT * from DB01.dbo.table UNION ALL
SELECT * from DB02.dbo.table UNION ALL --many other databases follow with same syntax
How can I modify these queries such that, when a new database comes into existence (named, say DB39C), I ensure that my queries already includes those new records?
--Sample end results
SELECT * from DB01.dbo.table UNION ALL
SELECT * from DB02.dbo.table UNION ALL
SELECT * from DB39C.dbo.table -- this was created as soon as a new database came into existence
I am looking to make sure programmatically, that this happens without my awareness as new databases are added quite regularly and I need the queries I rely on to keep pace.
You might want to have a look at using something like
SELECT name AS DATABASENAME
FROM master.dbo.sysdatabases
and creating dynamic queries
sys.databases (Transact-SQL)
Question: I can get the SQL Server database language by querying:
SELECT ##language
And I can get further info via
EXEC sp_helplanguage
How can I query for a column of sp_helplanguage where name= ##language
I do SELECT * FROM sp_helplanguage WHERE name='DEUTSCH'
but that obviously doesn't work.
What's the correct way to query it ?
You need to query the underlying system catalog table directlry:
SELECT * FROM sys.syslanguages WHERE name='DEUTSCH'