I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are suppouse to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the colums id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code use the executeUpdate() method and for SELECT use the executeQuery() method which returns the ResultSet, so obviusly when I try someting like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main consult would be a SELECT so it would actually return a ResultSet object but it doesnt work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id=?admin?; UPDATE usuarios SET id=?luciareina? WHERE id=?admin?); --
Do you know anyway to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
you should close out the existing query and then do the update
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
Related
I am using SpringBoot connceted with Hibernate and Cassandra Database. I made couple of methods using ResultSet and everything works perfect till now. I create another method, create query and then ResultSet.
String queryString = query.toString().replace("?", dayList.toString());
ResultSet rS = dataSource.executeQuery(queryString);
It throws me:
com.datastax.driver.core.exceptions.InvalidQueryException: No keyspace has been specified. USE a keyspace, or explicitly specify keyspace.tablename
Query is correct. When I execute query in database it returns me proper data.
It is wierd because I use same implementation in previous method and it works.
Here is my query:
SELECT * FROM object_action_statistics WHERE day IN ('2018-04-29','2018-04-30') AND action_id=14 AND timestamp_from>=1525099500073 AND timestamp_from<1525120897000 ALLOW FILTERING
Correct query should be like this:
SELECT * FROM KEYSPACE_NAME.object_action_statistics WHERE day IN ('2018-04-29','2018-04-30') AND action_id=14 AND timestamp_from>=1525099500073 AND timestamp_from<1525120897000 ALLOW FILTERING
I guess you forgot to put keyspace name ahead of table name.
I am developing a web app.... in which there will be a list of users requesting registration ...Wen ever we click on accept all the details must be moved from register table to login table...
PreparedStatement ps=conn.prepareStatement("insert into login(id,FirstName,LastName,Gender,Category,Dateofbirth,Age,Address,Country,State,city,PinCode,EmailId,ContactNo,MobileNo)select * from register ");
i have to insert all data from register table to login table when i click accept. But when i run this the whole table gets copied from register to login table...When i click accept only that particular users details must be moved.... Id must be fetched of that particular user... How to do that. Please someone help me fix this... Thanks in advance....
You should add a WHERE clause to the SQL statement:
INSERT INTO LOGIN (id,FirstName,LastName,Gender, ...)
SELECT * FROM REGISTER WHERE ID=?
then bind the id parameter to the PreparedStatement:
PreparedStatement ps=conn.prepareStatement( ... );
ps.setInt(1, id);
ps.executeUpdate();
This way you are limiting your SELECT to return only the row you are interested in and feeding it into the INSERT.
I have asked this question and wanted to edit it , however StackOverflow for some reason did not allow me to edit . So here is the edited version
For example a query :
create volatile table testTable as (select * from ... blah blah) ;
select top 10 * from testTable ;
drop table testTable ;
It executes perfect in sql assistance as one session. I am sure it is possible to execute it in Java in one session.
Goal : need to execute it in one session similar to sql assistant so that it is possible to refer to the volatile table in the subsequent select statement. Also the data from the select statement should be saved in the ResultSet
PS
I saw one answer to a similar question about mysql. The trick is to turn on allow multiple queries
String dbUrl = "jdbc:mysql:///test?allowMultiQueries=true";
For teradata specifically,
what is the solution ?
I tried
String dbUrl = "jdbc:odbc:dsn?allowMultiQueries=true";
What is exactly failing?
Is there an error message "testtable doesn't exist"? Then your program closes the connection after each request.
Is the table empty when you do the SELECT? Then you forgot to add ON COMMIT PRESERVE ROWS to the CREATE.
I am trying to write a DAO using Spring's HibernateTemplate that supports deletion from a table based on several conditions. For example, sample SQL:
Delete from Employee where Name='E01' AND Dept='D01' AND Address='ADR01';
I wrote the below code for this query:
session.createQuery("delete from Employee where name=? and dept=? and address=?")
.setParameter(0, name).setParameter(1, dept).setParameter(2, address)
.executeUpdate();
it works fine if all columns in where clause have some values. However, if I try to delete records which have "NULL" in their any column, then it does not work.
The generated SQL Query is always of the form:
Delete from Employee where Name=? AND Dept=? AND Address=?;
which of course cannot handle NULL comparison - SQL requires "IS NULL" for checking NULL and "=null" doesn't do the trick here. So when I pass dept as null in Java code, the generated SQL would be of the form:
Delete from Employee where Name='E01' AND Dept=null AND Address='ADR01';
This does not delete the records from DB which have NULL values in Dept column, as the correct condition would be "Dept IS NULL"; and "Dept=null" does not work! Is there anyway to compare NULL values in where clause without using a native query?
NOTE:
I do not want to use deleteAll(Collection) method of HibernateTemplate, as it requires fetching the records first and then deleting them - i.e. more than 1 SQL query. I want to achieve deletion using a single SQL query, without requiring to select first, or requiring native queries.
I am aware that Spring advices using SessionFactory now, but I am stuck with HibernateTemplate in existing code base.
I want to show a attack of sql injection in which when user fill a user login form and submit to java servlet. in login and password filed how we are type a query which is update any other record. I know all column and table names.
for example I am write this query in servlet :
select userid,username from accountinfo where userid='testid' and pass='1234';
update accountinfo set emailid='aar#r.com' where userid='testid2';
but its give Sql Exception how to solve this issue.
Try a single query first:
select userid, username
from accountinfo
where userid='-' and pass='-'
union
select userid, pass
from accountinfo
where userid like 'adm%'
If that gives no exception, present first the query of system tables, and then the above query. Pick an injection of an SQL update for the update accountinfo.