I want to show a attack of sql injection in which when user fill a user login form and submit to java servlet. in login and password filed how we are type a query which is update any other record. I know all column and table names.
for example I am write this query in servlet :
select userid,username from accountinfo where userid='testid' and pass='1234';
update accountinfo set emailid='aar#r.com' where userid='testid2';
but its give Sql Exception how to solve this issue.
Try a single query first:
select userid, username
from accountinfo
where userid='-' and pass='-'
union
select userid, pass
from accountinfo
where userid like 'adm%'
If that gives no exception, present first the query of system tables, and then the above query. Pick an injection of an SQL update for the update accountinfo.
Related
I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are suppouse to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the colums id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code use the executeUpdate() method and for SELECT use the executeQuery() method which returns the ResultSet, so obviusly when I try someting like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main consult would be a SELECT so it would actually return a ResultSet object but it doesnt work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id=?admin?; UPDATE usuarios SET id=?luciareina? WHERE id=?admin?); --
Do you know anyway to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
you should close out the existing query and then do the update
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
I have a java + spring framework application which works with Redshift. Right now code is mapping HttpServletRequest to MapSqlParameterSource and submit as a parameterized query. It works well only one issue that Redshift doesn't optimize some queries (where table is sorted by column) well with this approach. If I submit same query with parameters as part of sql statement performance is better.
I need an example how to replace parameters before submitting sql to the redshift.
instead
select column1
from table1
where create_date between :from_date and :end_date
from_date='2017-01-01'
end_date='2017-01-01'
submit
select column1
from table1
where create_date between '2017-01-01' and '2017-02-01'
I have developed a java program and I need to update and insert the login details of users. I have two textfields created and two buttons name add user and edit the user. when I type the username and password in the two textfields the user added to the database successfully, the error is in the edit user, I want to update the password of the user based on username,
I'm getting SQL error when trying to update the user,
here is my SQL query for updating the password of a user based on his username,
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = "+JT_username1.getText();
when i execute im getting this error,
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column
'sss' in 'where clause'
"sss" is what I entered to username field,
Mysql database I have admin table which consists of two columns admin and username,
I cannot figure out where am I getting wrong, please any help would be highly appreciated.
Your immediate problem is that you forgot to place single quotes around the username in your query. Hence, the database is interpreting sss as a column. But you should really be using prepared statements:
String query = "UPDATE Admin SET password=? WHERE username = ?";
PreparedStatement update = con.prepareStatement(query);
update.setString(JT_pass1.getText());
update.setString(JT_username1.getText());
update.executeUpdate();
There are many advantages to using prepared statements. First, it will automatically take care of proper escaping of strings and other types of data. In addition, it will prevent SQL injection from happening.
To get this to work, you need to add quotes around the username like so:
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = '"+JT_username1.getText()+"'";
However, updating the database this way is vulnerable to SQL injection, so it would be much better to use Prepared Statements.
To consider "JT_username1.getText()" as a part of you query string, you have to enclose it under proper quotation.
Same like added "JT_pass1.getText()" between single and double quote, you have to add "JT_username1.getText()" as well.
String sql = "UPDATE Admin SET password='" + JT_pass1.getText() + "' WHERE username = '"+JT_username1.getText()+"'";
I am developing a web app.... in which there will be a list of users requesting registration ...Wen ever we click on accept all the details must be moved from register table to login table...
PreparedStatement ps=conn.prepareStatement("insert into login(id,FirstName,LastName,Gender,Category,Dateofbirth,Age,Address,Country,State,city,PinCode,EmailId,ContactNo,MobileNo)select * from register ");
i have to insert all data from register table to login table when i click accept. But when i run this the whole table gets copied from register to login table...When i click accept only that particular users details must be moved.... Id must be fetched of that particular user... How to do that. Please someone help me fix this... Thanks in advance....
You should add a WHERE clause to the SQL statement:
INSERT INTO LOGIN (id,FirstName,LastName,Gender, ...)
SELECT * FROM REGISTER WHERE ID=?
then bind the id parameter to the PreparedStatement:
PreparedStatement ps=conn.prepareStatement( ... );
ps.setInt(1, id);
ps.executeUpdate();
This way you are limiting your SELECT to return only the row you are interested in and feeding it into the INSERT.
I am trying to write a DAO using Spring's HibernateTemplate that supports deletion from a table based on several conditions. For example, sample SQL:
Delete from Employee where Name='E01' AND Dept='D01' AND Address='ADR01';
I wrote the below code for this query:
session.createQuery("delete from Employee where name=? and dept=? and address=?")
.setParameter(0, name).setParameter(1, dept).setParameter(2, address)
.executeUpdate();
it works fine if all columns in where clause have some values. However, if I try to delete records which have "NULL" in their any column, then it does not work.
The generated SQL Query is always of the form:
Delete from Employee where Name=? AND Dept=? AND Address=?;
which of course cannot handle NULL comparison - SQL requires "IS NULL" for checking NULL and "=null" doesn't do the trick here. So when I pass dept as null in Java code, the generated SQL would be of the form:
Delete from Employee where Name='E01' AND Dept=null AND Address='ADR01';
This does not delete the records from DB which have NULL values in Dept column, as the correct condition would be "Dept IS NULL"; and "Dept=null" does not work! Is there anyway to compare NULL values in where clause without using a native query?
NOTE:
I do not want to use deleteAll(Collection) method of HibernateTemplate, as it requires fetching the records first and then deleting them - i.e. more than 1 SQL query. I want to achieve deletion using a single SQL query, without requiring to select first, or requiring native queries.
I am aware that Spring advices using SessionFactory now, but I am stuck with HibernateTemplate in existing code base.