I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.
Related
I am getting this error while saving my data into the table. I have already created a 'product_Design' table in my database. I am using Sql Server 2008. Everything is working fine on local host but not on the server. I also tried to insert data in different tables and its working but I am just not able to insert data in this(product_Design) table ? I really need help regarding this thing.
here is my sql query
insert into z3ctjholo.dbo.product_Design values(#prodID, #productName, #designName, #designPath, #finalDesign, #front, #cont, #divHeight, GETDATE(), 0, 1)
I also tried this query
insert into product_Design values(#prodID, #productName, #designName, #designPath, #finalDesign, #front, #cont, #divHeight, GETDATE(), 0, 1)
Both the queries are generating error. Please help me out.
Thanks..
So finally i found what is the problem. if you ever face such kind of problem then execute this command in sql server and see whether your table is connected to any schema apart from dbo. Use this statement to check whether the table is connected to any other schema.
use yourDatabaseName
Then
SELECT * FROM INFORMATION_SCHEMA.TABLES
after that if you find that your table is connected with other schema apart from dbo then use your any statement like this
select * from schemaName.tableName
(eg. my schema name is z3ctjholo and my table name is product_Design)
so my statement would be like this
select * from z3ctjholo.product_Design
what i was doing wrong, i was using two schema names (z3ctjholo.dbo.product_Design).
I hope it will help someone..
Thanks...
There are two reasons, I can find so far.
1. Either the connection settings in web.config is incorrect.
2. your database is case sensitive collation and so check the name with case. May be you have created the table with name Product_Design and trying to insert in product_Design, in this case also, the command may not work.
Please check both the points.
I have a question on creating running totals in MS Access 2010 similar to the one here:
Access 2010 - query showing running total for multiple records, dropping old record and adding new record on each line
However when I input the equivalent code from that thread I get an error saying that the database cannot be found (Access seems to think the table I have specified is the database name)
Here is the code from the original thread:-
SELECT hbep1.EmployeeID, hbep1.PayPeriodID,
(
SELECT Sum(hbep2.HoursUsed)
FROM Hours_by_Empl_PP hbep2
WHERE hbep2.EmployeeID=hbep1.EmployeeID
AND (hbep2.PayPeriodID Between hbep1.[PayPeriodID]-3
And hbep1.[PayPeriodID])
) AS Sum_of_Hours_last_4_PPs
FROM Hours_by_Empl_PP hbep1;
Here is the code I inputted into my query:-
SELECT
V4_Try.ID_NIS_INV_HDR,
V4_Try.ID_ITM,
V4_Try.RunTot3,
V4_Try.BomVsActQty,
DMin("RunTot3","V4_Try","[ID_Itm]=" & [ID_ITM]) AS IDItmMin,
DMax("RunTot3","V4_Try","[ID_Itm]=" & [ID_ITM]) AS IDItmMax,
(
SELECT Sum([V4_Try].[BomVsActQty])
FROM [V4_Try].[BomVsActQty]
WHERE [V4_Try].[ID_ITM]=[V4_Try].[ID_ITM]
AND (IDItmMax < IDItmMin)
) AS RunTot6
FROM V4_Try
ORDER BY V4_Try.ID_ITM, V4_Try.RunTot3;
One thing I notice is that the main query uses DMax() and DMin() to create some aliased columns
...
DMin("RunTot3","V4_Try","[ID_Itm]=" & [ID_ITM]) AS IDItmMin,
DMax("RunTot3","V4_Try","[ID_Itm]=" & [ID_ITM]) AS IDItmMax,
...
and then the subquery tries to use those aliases in its WHERE clause
(
SELECT ...
WHERE...
AND (IDItmMax < IDItmMin)
) AS RunTot6
I'm pretty sure that the subquery will have no knowledge of the column aliases in the "parent" query, so they may be the items that are unrecognized.
Start by running this query:
SELECT * FROM V4_Try;
Then develop for complexity. Build the nested query before anything else. When you know that runs, try adding your aliases, then the DMax() function, and so on. Isolate the point at which you have an error popping up.
This is the process to fix a query.
Oh, and please specify the precise error that is raised by Access. Also, if this is being run from VBA, please let us know because that affects your trouble-shooting.
Here's the situation. Due to the design of the database I have to work with, I need to write a stored procedure in such a way that I can pass in the name of the table to be queried against if at all possible. The program in question does its processing by jobs, and each job gets its own table created in the database, IE table-jobid1, table-jobid2, table-jobid3, etc. Unfortunately, there's nothing I can do about this design - I'm stuck with it.
However, now, I need to do data mining against these individualized tables. I'd like to avoid doing the SQL in the code files at all costs if possible. Ideally, I'd like to have a stored procedure similar to:
SELECT *
FROM #TableName AS tbl
WHERE #Filter
Is this even possible in SQL Server 2005? Any help or suggestions would be greatly appreciated. Alternate ways to keep the SQL out of the code behind would be welcome too, if this isn't possible.
Thanks for your time.
best solution I can think of is to build your sql in the stored proc such as:
#query = 'SELECT * FROM ' + #TableName + ' as tbl WHERE ' + #Filter
exec(#query)
not an ideal solution probably, but it works.
The best answer I can think of is to build a view that unions all the tables together, with an id column in the view telling you where the data in the view came from. Then you can simply pass that id into a stored proc which will go against the view. This is assuming that the tables you are looking at all have identical schema.
example:
create view test1 as
select * , 'tbl1' as src
from job-1
union all
select * , 'tbl2' as src
from job-2
union all
select * , 'tbl3' as src
from job-3
Now you can select * from test1 where src = 'tbl3' and you will only get records from the table job-3
This would be a meaningless stored proc. Select from some table using some parameters? You are basically defining the entire query again in whatever you are using to call this proc, so you may as well generate the sql yourself.
the only reason I would do a dynamic sql writing proc is if you want to do something that you can change without redeploying your codebase.
But, in this case, you are just SELECT *'ing. You can't define the columns, where clause, or order by differently since you are trying to use it for multiple tables, so there is no meaningful change you could make to it.
In short: it's not even worth doing. Just slop down your table specific sprocs or write your sql in strings (but make sure it's parameterized) in your code.
I would like to find out if it is possible to find out which package or procedure in a package is updating a table?
Due to a certain project being handed over (the person who handed over the project has since left) without proper documentation, data that we know we have updated always go back to some strange source point.
We are guessing that this could be a database job or scheduler that is running the update command without our knowledge. I am hoping that there is a way to find out where the source code is calling from that is updating the table and inserting the source as a trigger on that table that we are monitoring.
Any ideas?
Thanks.
UPDATE: I poked around and found out
how to trace a statement back to its
owning PL/SQL object.
In combination with what Tony mentioned, you can create a logging table and a trigger that looks like this:
CREATE TABLE statement_tracker
( SID NUMBER
, serial# NUMBER
, date_run DATE
, program VARCHAR2(48) null
, module VARCHAR2(48) null
, machine VARCHAR2(64) null
, osuser VARCHAR2(30) null
, sql_text CLOB null
, program_id number
);
CREATE OR REPLACE TRIGGER smb_t_t
AFTER UPDATE
ON smb_test
BEGIN
INSERT
INTO statement_tracker
SELECT ss.SID
, ss.serial#
, sysdate
, ss.program
, ss.module
, ss.machine
, ss.osuser
, sq.sql_fulltext
, sq.program_id
FROM v$session ss
, v$sql sq
WHERE ss.sql_address = sq.address
AND ss.SID = USERENV('sid');
END;
/
In order for the trigger above to compile, you'll need to grant the owner of the trigger these permissions, when logged in as the SYS user:
grant select on V_$SESSION to <user>;
grant select on V_$SQL to <user>;
You will likely want to protect the insert statement in the trigger with some condition that only makes it log when the the change you're interested in is occurring - on my test server this statement runs rather slowly (1 second), so I wouldn't want to be logging all these updates. Of course, in that case, you'd need to change the trigger to be a row-level one so that you could inspect the :new or :old values. If you are really concerned about the overhead of the select, you can change it to not join against v$sql, and instead just save the SQL_ADDRESS column, then schedule a job with DBMS_JOB to go off and update the sql_text column with a second update statement, thereby offloading the update into another session and not blocking your original update.
Unfortunately, this will only tell you half the story. The statement you're going to see logged is going to be the most proximal statement - in this case, an update - even if the original statement executed by the process that initiated it is a stored procedure. This is where the program_id column comes in. If the update statement is part of a procedure or trigger, program_id will point to the object_id of the code in question - you can resolve it thusly:
SELECT * FROM all_objects where object_id = <program_id>;
In the case when the update statement was executed directly from the client, I don't know what program_id represents, but you wouldn't need it - you'd have the name of the executable in the "program" column of statement_tracker. If the update was executed from an anonymous PL/SQL block, I'm not how to track it back - you'll need to experiment further.
It may be, though, that the osuser/machine/program/module information may be enough to get you pointed in the right direction.
If it is a scheduled database job then you can find out what scheduled database jobs exist and look into what they do. Other things you can do are:
look at the dependencies views e.g. ALL_DEPENDENCIES to see what packages/triggers etc. use that table. Depending on the size of your system that may return a lot of objects to trawl through.
Search all the database source code for references to the table like this:
select distinct type, name
from all_source
where lower(text) like lower('%mytable%');
Again that may return a lot of objects, and of course there will be some "false positives" where the search string appears but isn't actually a reference to that table. You could even try something more specific like:
select distinct type, name
from all_source
where lower(text) like lower('%insert into mytable%');
but of course that would miss cases where the command was formatted differently.
Additionally, could there be SQL scripts being run through "cron" jobs on the server?
Just write an "after update" trigger and, in this trigger, log the results of "DBMS_UTILITY.FORMAT_CALL_STACK" in a dedicated table.
The purpose of this function is exactly to give you the complete call stack of al the stored procedures and triggers that have been fired to reach your code.
I am writing from the mobile app, so i can't give you more detailed examples, but if you google for it you'll find many of them.
A quick and dirty option if you're working locally, and are only interested in the first thing that's altering the data, is to throw an error in the trigger instead of logging. That way, you get the usual stack trace and it's a lot less typing and you don't need to create a new table:
AFTER UPDATE ON table_of_interest
BEGIN
RAISE_APPLICATION_ERROR(-20001, 'something changed it');
END;
/
I get the following error:
Cannot use empty object or column names. Use a single space if necessary.
Msg 1038, Level 15, State 3, Line 1
and the query command looks like:
SELECT TOP 100 PERCENT
[].[cms_page].[pa_id], [].[cms_page].[pa_key],
[].[cms_page].[pa_title], [].[cms_page].[pa_keywords],
[].[cms_page].[pa_description], [].[cms_page].[pa_header],
[].[cms_page].[pa_created], [].[cms_page].[pa_modified],
[].[cms_page].[pa_language] FROM [cms_page]
WHERE
[cms_page].[pa_key] = #pa_key0
ORDER BY
[pa_id] ASC;
Strange indeed. Why does this happen? I'm using SubSonic 2.1.
Connectionstring:
<add name="OCDB" connectionString="Network Library=DBMSSOCN;Data Source=127.0.0.1,1433;Initial Catalog=test_db;User ID=test;Password=testpwd"/>
Edit: Well the solution was just to simply generate and rebuild the Data Access Layer and I was good to go.
You seem to be using a 3 part name with part of it empty, i.e. '[].'
It looks as though the query text is being constructed with an empty table schema.
Those empty [] square brackets should contain something like "dbo" to make the query syntactically valid. I don't know enough about SubSonic to give you a code sample though.
I'm not familiar with SubSonic, but have you tried a simpler query to test if you have your syntax correct? Does this query even work in SQL Server (Management Studio / Query Analyzer)?
Just looking at this from the perspective of SQL Server, you are using way too many brackets. If I was writing that query in SQL Server, it would look more like what I wrote below. I'm not sure about the variable #pa_key0, is this query part of a stored procedure or does SunSonic replace this variable when the query is ran?
SELECT
pa_id,
pa_key,
pa_title,
pa_keywords,
pa_description,
pa_header,
pa_created,
pa_modified,
pa_language
FROM
cms_page
WHERE
pa_key = #pa_key0
ORDER BY
pa_id ASC;
I think you need to set the schema for Subsonic to use. This thread seems to have some information:
Subsonic - How to use SQL Schema / Owner name as part of the namespace?