Access file system through query string or params - asp.net

I have been given the task of reproducing the issue / testing unauthorized access to the file system through request.param and the query string.
For instance, I have something like this: request.querystring("blah");
How could somebody pass "../../../b1/b2" in the query string and access the file system?
This may be related to cross-site scripting.
Need help... at least provide resources. Thanks in advance.

Wish I could provide a definitive answer, but can at least steer you in some direction. Not sure how confident you are that request.querystring() was indeed responsible, but some possibilities are:
Directory Traversal/Path Traversal:
Overview: http://en.wikipedia.org/wiki/Directory_traversal
Testing For: http://www.owasp.org/index.php/Testing_for_Path_Traversal
Remote File Inclusion:
Overview: http://en.wikipedia.org/wiki/Remote_file_inclusion
Tutorial: http://www.offensivecomputing.net/?q=node/624 (KnightLighter's Tutorial)
Hope this moves you in the right direction.
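As an added illustration of the directory traversal case the answer points to (this is example code written for this page, not the asker's ASP.NET application and not part of the original answer), the following Python contrasts the vulnerable pattern, concatenating a query-string value onto a base directory, with a canonicalise-then-check version, and adds a simple indicator that can be run over raw query strings in access logs. The base directory and all inputs are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example (hypothetical web root for downloadable files).
BASE_DIR = "/var/www/app/files"


def naive_path(user_value: str) -> str:
    """The vulnerable pattern: join untrusted input onto the base path.

    normpath collapses the '..' segments, so a value such as '../../../b1/b2'
    resolves to a location outside BASE_DIR and is then opened by the application.
    """
    return posixpath.normpath(posixpath.join(BASE_DIR, user_value))


def safe_path(user_value: str) -> Optional[str]:
    """Hardened version: canonicalise, then require the result to stay under BASE_DIR.

    Returns None when the input would escape the base directory. The check uses
    commonpath rather than startswith so that a sibling such as '/var/www/app/files2'
    is rejected too. posixpath is used so the example runs without touching disk;
    production code should additionally resolve symlinks (os.path.realpath).
    """
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_value))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None
    return candidate


def traversal_indicator(raw_query: str, max_decodes: int = 3) -> bool:
    """Detection helper for log review: percent-decode repeatedly (to catch double
    encoding such as %252e%252e) and look for '../' or '..\\' in the result."""
    decoded = raw_query
    for _ in range(max_decodes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return "../" in decoded or "..\\" in decoded


if __name__ == "__main__":
    # Constructed sample inputs as they might arrive from request.querystring("blah").
    for value in ["reports/q1.pdf", "../../../b1/b2", "/etc/passwd", "../files2/x"]:
        print(f"{value!r:22} naive={naive_path(value)!r:30} safe={safe_path(value)!r}")
    for q in ["blah=report.pdf", "blah=%2e%2e%2f%2e%2e%2fb1", "blah=%252e%252e%252fb1"]:
        print(f"{q!r:32} traversal_indicator={traversal_indicator(q)}")
```

The naive join is what makes the query-string parameter dangerous: the application never decided that the result must stay inside the intended directory. The hardened check decides exactly that, and the log indicator gives a cheap way to find requests that were trying to leave it.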

Type query_root must define one or more fields

First, thanks Hasura for an incredibly good product! I love it.
I have an issue with the derive action in the Hasura Console. My use case:
I enable the anonymous role for the subscribe function (everybody can send an email to subscribe).
I have configured permissions on my subscribe table; everything is fine.
I want to validate the user input on the server side, for example, validate the email format. I have followed this guide about derive action. I found no mistake here.
But I got the error "Type query_root must define one or more fields." when I hit "Derive action" for the first time.
According to this question, as I understand it, I need to have an object type for the root query.
Of course, I will have an object type for the root query eventually. I can work around it by giving some dummy queries to the anonymous role. But I do not like that cheat anyway.
Any idea on that? Any help will be highly appreciated.
Edited:
My related current version:
Hasura 1.3.2
One click deployment using Docker on Digital Ocean.

MarkLogic: I don't know how to get all the results

Hello, I am trying to read a module with this code:
    (: Entry point - must be a read-only query. :)
    xdmp:invoke(
        '/path/mydocument.xqy',
        (xs:QName('var1'), 'test',
         xs:QName('var2'), "response"))
I am new to MarkLogic. I am using Groovy and the API to connect to it, but I also saw I can invoke the module with this, and indeed I did, but it returns
    your query returned an empty sequence
I want to know if I can query xs:QName('var1'), 'test', changing test with a wildcard, or how I can get all the information from the file called /path/mydocument.xqy.
I tried to use this:
    xdmp:document-get("/path/mydocument.xqy")
but it says the file is not found. However, if I use invoke I can query it, but I don't know what values I have to pass. I was wondering if there is something like SQL using %% or something to give me all the data.
To answer the first question: "I am trying to read a module"
If the module is in the database, then you must query the Modules database in which the module resides.
If the module is in the filesystem, then you cannot directly access its source as a document, but you can by executing xdmp:filesystem-file().
Simplification:
With the Default configuration of the server and REST client, user placed modules are in the "Modules" database and user placed documents are in the "Documents" database. This means, if you do a GET (read a "Document") with no additional parameters, it will return documents from the "Documents" database. Assuming you are using the default configuration for client and server, this would result in the behavior you are seeing. E.g. your Module code is in the Modules database, doing a GET for it by name will search the Documents database and correctly not find it.
You don't mention, and I don't know, the groovy library being used, but the REST API itself and all implementations of general purpose ML REST client libraries I am familiar with have options for overriding the default database with another. If the groovy library supports that, then specify the "Modules" database for your query and it should return the module document. Note: content-type will be application/text not text/xml.
You can simplify things for testing by bypassing the libraries and simply use a browser and try a URL like this http://yourserver.com:8000/v1/documents?uri=/your/module.xqy&database=Modules
Ref: https://docs.marklogic.com/REST/GET/v1/documents
Making the appropriate changes to the path and server for your use.
If you are still confused, then you should start with the basic MarkLogic tutorials and work through them one by one. You will most likely succeed faster by doing this than by jumping straight into coding you don't understand yet.
DETAIL:
Note: The default behaviour is to EXECUTE documents when doing a GET call, using the Modules database. Thus doing a GET of http://yourserver:8000/your/module.xqy will EXECUTE it not return its source.
You will notice the REST API has a uri query parameter. This is EXECUTING the REST API code on /v1/documents which in turn will read the document specified by the uri and database parameters and return it.
I guess I can use:
    xdmp:invoke("/pview/get-pview-browse-profiles.xqy",
        cts:and-query((
            cts:element-value-query(
                xs:QName("letter"), "*", "wildcarded"),
            cts:element-value-query(
                xs:QName("collection"), "*", "wildcarded"))))
although it doesn't return anything.

Qt - How to list all existing databases on PostgreSQL server using Qt interface

Could someone please explain how to obtain a list of all existing databases on a PostgreSQL server, to which the user already has access, using Qt? The PostgreSQL documentation suggests the following query:
    SELECT datname FROM pg_database WHERE datistemplate = false;
What are the correct parameters to the following functions?
    QSqlDatabase::setDatabaseName(const QString & name) // "postgres" or "pg_database"?
    QSqlDatabase::setUserName(const QString & name)     // actual user name?
    QSqlDatabase::setPassword(const QString & password) // no password? or user password?
Much appreciated. Thank you in advance.
You appear to have already answered the first part of your question. Connect to the postgres or template1 database and issue the query you've quoted above to get a list of databases. I'm guessing - reading between the lines - that you don't know how to connect to PostgreSQL to send that query, and that's what the second part of your question is about. Right?
If so, the QSqlDatabase accessor functions you've mentioned are used to set connection parameters, so the "correct" values depend on your environment.
If you want to issue the query above - to list databases - then you would probably want to connect to the postgres database as it always exists and isn't generally used for anything specific, it's there just to be connected to. That means you'd call setDatabaseName("postgres");. Passing pg_database to setDatabaseName would be nonsensical, since pg_database is the pg_catalog.pg_database table, it isn't a database you can connect to. pg_database is one of those odd tables that exists in every database, which might be what confused you.
With the other two accessors specify the appropriate username and password for your environment, same as you'd use for psql; there's no possible way I could tell you which ones to use.
Note that if you set a password but one isn't required, because authentication is done over unix socket ident, trust, or another non-password scheme, the password will be ignored.
If this doesn't cover your question, consider editing it and explaining your problem in more detail. What've you tried? What didn't work how you expected? Error messages? Qt version?

I don't know how to connect between the site and my database

I'm using SQL Server and Web Developer (C#).
I know I should do something with my connection string, but I don't know exactly what and where I should do that.
Can you write me a code example
or explain to me what to do?
Edit:
I should connect my database with the site (the site is on the internet).
How would I know the right path for this database?
Should I put its address, IP or what?
First you have to know that you cannot just add the database to the server like this!!!
You have to script the whole database, and then you have to upload it into your database server like godaddy.com or whatever. Your hosting server should support you with these details; they're gonna give you a user name and password and other details so you can access the SQL manager (like myLittleAdmin) online.... There you have to upload or just copy and execute your code directly so you can make all your tables and stored procedures or whatever....
After all this, all you have to do is just take the online database's new connection string and then add it to your web.config or in your pages; this is the way to make it work right.
It depends on your ASP.NET application.
Basically, connection strings could be stored anywhere.
One suggested place to store connection strings is the Web.config file. Look for the "connectionStrings" configuration element and you should find there the one to change for your production server.
Look at this page:
http://www.connectionstrings.com/
You'll find SQL Server connection string examples.
There are a lot of ways to do that; try to take a look at this simple example:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson02.aspx
I guess you need to read about it a little:
http://msdn.microsoft.com/en-us/library/ff648340.aspx

Trusted Timestamps - understanding the format (rfc3161)

[edit: I've written a blogpost that explains everything in detail: look here]
Hi!
I'm desperately trying to build a service for trusted timestamps based on RFC 3161. I've decided to use the free trusted timestamp service at zeitstempel.dfn.de.
My question is how I should contact this service in order to receive a valid response. Regarding the request format, the RFC says:
    TimeStampReq ::= SEQUENCE {
        version        INTEGER { v1(1) },
        messageImprint MessageImprint,
          --a hash algorithm OID and the hash value of the data to be
          --time-stamped
        reqPolicy      TSAPolicyId OPTIONAL,
        nonce          INTEGER OPTIONAL,
        certReq        BOOLEAN DEFAULT FALSE,
        extensions     [0] IMPLICIT Extensions OPTIONAL }
where
    MessageImprint ::= SEQUENCE {
        hashAlgorithm AlgorithmIdentifier,
        hashedMessage OCTET STRING }
I've found a client which helped me a bit.
Nevertheless, I still don't know how I should construct the request for the timestamp service.
Regards!
I'm glad that you find our software helpful. But you refer to our old service. Please visit www.ntp.org.pl - you'll find there the latest version of the timestamping client and a lot of other useful free software related to the time topic.
I'm not sure what you want to do. Maybe if you give a few more details, I'd be able to help you better. Anyway, I'll give you some hints on where to find some precious information.
First of all, you should look at the OpenSSL project:
http://www.openssl.org/docs/apps/ts.html#
There is an example of how to create a TSRequest. The request is stored in a file, so you can read its content. Later, you can send the request to the server using this:
http://www.openssl.org/docs/apps/tsget.html#
Another trick you can do is to install a sniffer (for example Wireshark - www.wireshark.org/ ), start our client from www.ntp.org.pl, send a request, then find the proper packet in Wireshark to see what it contains.
Feel free to ask if you have some additional questions. Please give some more information about your service.
