What does this SQL query in this SQLMAP payload do? - mysql

I am trying the error-based SQL injection technique using SQLMAP. The technique, as identified by SQLMAP, is:
error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
It would be great if someone could help clarify the payload SQLMAP is using.
Payload: web/test?abc='' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b626b71,(SELECT (ELT(9092=9092,1))),0x71626b7071,0x78))s), 8446744073709551610, 8446744073709551610)))-- pprs
More specifically, what is happening in this SQL query:
(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b626b71,(SELECT (ELT(9092=9092,1))),0x71626b7071,0x78))s), 8446744073709551610, 8446744073709551610)))
Update 1:
The formatted query looks like this:
SELECT
  2*(IF((
    SELECT *
    FROM (
      SELECT CONCAT(0x716b626b71,
        (SELECT (ELT(9092 = 9092, 1))),
        0x71626b7071, 0x78)
    ) s
  ), 8446744073709551610, 8446744073709551610))
SELECT (ELT(9092 = 9092, 1)): the query output is 1, as 9092=9092 evaluates to true (i.e. 1) and the ELT function returns the 1st argument, i.e. 1.
So the next sub-query is:
SELECT CONCAT(0x716b626b71, 1, 0x71626b7071, 0x78): the query output is the concatenated string "qkbkq1qbkpqx" (after converting the hex to a string).
However, the resultant sub-query SELECT * FROM qkbkq1qbkpqx gives the error "Every derived table must have its own alias".
Update 2:
I missed the alias in the query, as #tcadidot0 mentioned. So now the resultant sub-query is:
SELECT * FROM qkbkq1qbkpqx s
And the final query is:
SELECT 2*(IF((SELECT * FROM qkbkq1qbkpqx s), 8446744073709551610, 8446744073709551610))
If the table "qkbkq1qbkpqx" exists, then it returns 8446744073709551610, else it returns 8446744073709551610; however, 2 times the result leads to this error: BIGINT value is out of range in '(2 * if((1 > 0),8446744073709551610,8446744073709551610))', assuming 1>0 is the condition instead of the select statement.
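As an added example (not from the question, and not sqlmap's own code), the following Python script works through the payload the question quotes the way an incident reviewer would: it decodes the 0x literals to reveal the two marker strings, pulls out whatever text sits between those markers in the database error the page echoed, and checks the arithmetic behind the out-of-range error. The request string is the one in the question; the ERROR string is a constructed sample whose quoted expression is an assumption.

```python
import re
from typing import Dict, List, Optional

# Request line exactly as quoted in the question.
REQUEST = ("web/test?abc='' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x716b626b71,"
           "(SELECT (ELT(9092=9092,1))),0x71626b7071,0x78))s), 8446744073709551610, "
           "8446744073709551610)))-- pprs")

# Constructed sample of the MySQL error text an application might echo back.
# The "BIGINT value is out of range in '...'" shape is what Update 2 reports;
# the quoted expression inside it is an assumption made for this example.
ERROR = ("BIGINT value is out of range in '(2 * if((select 'qkbkq1qbkpqx' from dual),"
         "8446744073709551610,8446744073709551610))'")

SIGNED_BIGINT_MAX = 2**63 - 1          # 9223372036854775807
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")


def decode_hex_literals(sql: str) -> List[str]:
    """Return the text behind every 0x... literal in the query, in order.
    MySQL treats such literals as strings, so CONCAT(0x71..., ...) is plain text."""
    return [bytes.fromhex(h).decode("ascii", errors="replace")
            for h in HEX_LITERAL.findall(sql)]


def overflow_explained(constant: int, factor: int = 2) -> Dict[str, object]:
    """Show why factor * constant cannot be stored in a signed BIGINT."""
    product = factor * constant
    return {"constant_fits_signed": constant <= SIGNED_BIGINT_MAX,
            "product": product,
            "product_out_of_range": product > SIGNED_BIGINT_MAX}


def extract_marked_text(error_text: str, start: str, stop: str) -> Optional[str]:
    """Return whatever sits between the two marker strings in an error message."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(stop), error_text)
    return m.group(1) if m else None


def analyse(request: str, error_text: str) -> Dict[str, object]:
    """Tie the pieces together for one captured request/response pair."""
    markers = decode_hex_literals(request)       # ['qkbkq', 'qbkpq', 'x']
    start, stop = markers[0], markers[1]
    return {"markers": markers,
            "marked_text": extract_marked_text(error_text, start, stop),
            "overflow": overflow_explained(8446744073709551610)}


if __name__ == "__main__":
    print(analyse(REQUEST, ERROR))
```

The constant 8446744073709551610 itself fits a signed BIGINT, but doubling it does not, which is why the multiplication by 2 is what produces the error rather than the IF() itself.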

Related

Can a mysql query be extended as child of another query?

Let's assume we have query1 as follows:
select * from users where status = 1
This will output some results, and I can cache this data. Now the second query is:
select * from users where status = 1 and point >= 50
As you see, the second query is somehow the child of the first query: it returns a subset of the first query's data and has common code as well. Is there a way I can speed up my second query by using the first query's results, and shorten my code by reusing the first query's code?
Yes, you use nested queries:
select x.*
from
(
    select * from users
    where status = 1
) as x
where x.point >= 50;

sub query returns more than 1 - issue with passing values into subquery

I am running the following query, which keeps stating that more than one row is given:
select filestorage.id
from `filestorage`
where (SELECT LEFT(filestorage_inst_data.value, length(filestorage_inst_data.value - 1)) as seconds
FROM filestorage_inst_data
WHERE filestorage_inst_data.parameter = "Time" AND filestorage_inst_data.filestorage_id = filestorage.id) <= 3600
For some reason, only the very first value is passed into the subquery. Also, if I set a limit within the subquery then the data is fetched fine; I just don't see why the query would fetch multiple results?
Try this:
-- Select through the alias f: once filestorage is aliased, the bare
-- table name is no longer visible in the outer query.
SELECT f.id
FROM filestorage f
WHERE EXISTS (SELECT 1
              FROM filestorage_inst_data fid
              WHERE fid.parameter = 'Time'
                AND fid.filestorage_id = f.id
                -- LENGTH(value) - 1 drops the trailing character before the cast
                AND CAST(LEFT(fid.value, LENGTH(fid.value) - 1) AS UNSIGNED) <= 3600)
You have to pass a specific single row when using a select statement in a where clause: the select that you use in the where clause must return one unique row. For example:
SELECT * FROM user WHERE role_id=(SELECT role_id FROM user_role WHERE role_name='Admin');

CTE returning error

I wrote a CTE to remove non-numeric values from a data set, then get a count of the numeric values within a range.
WITH dtr AS (
    SELECT resultlevel r
    FROM dbo.Result
    WHERE DrugID = 'AMP'
      AND ISNUMERIC(ResultLevel) = 1
      AND AuditStamp > '1/1/2016'
      AND DeleteFlag = 0
)
SELECT COUNT(*)
FROM dtr
WHERE CONVERT(INT, r) BETWEEN 50 AND 75
This returns an error in SSMS:
Msg 245, Level 16, State 1, Line 2
Conversion failed when converting the varchar value 'PND ' to data type int.
This error is completely possible without the 'dtr' query in the CTE.
When I rewrite this with a TEMP table instead of a CTE, it works.
SELECT resultlevel r
INTO #d
FROM dbo.Result
WHERE DrugID = 'AMP'
  AND ISNUMERIC(ResultLevel) = 1
  AND AuditStamp > '1/1/2016'
  AND DeleteFlag = 0

SELECT COUNT(*)
FROM #d
WHERE CONVERT(INT, r) BETWEEN 50 AND 75
So my question is: why? I have always thought a CTE was like creating a TEMP table.
TEST DATA:
if object_id('tempdb..#temp') is not null drop table #temp
create table #temp (result char(5))
insert into #temp (result) values
('1'),('A'),('>2'),('PEN '),('#3'),('-2'),('-33')

;with isnum AS (
    SELECT result
    FROM #temp
    WHERE ISNUMERIC(result) = 1)
--Selecting from the CTE yields 1, -2, and -33, all of which can be converted to INT
--Running the query with the where clause causes the conversion error
SELECT
    result,
    ISNUMERIC(result)
FROM isnum
--WHERE CONVERT(INT,result) > 1
In SQL Server there is a Logical Processing Order of the SELECT statement, which determines when the objects defined in one step are made available to the clauses in subsequent steps:
FROM
ON
JOIN
WHERE
GROUP BY
WITH CUBE or WITH ROLLUP
HAVING
SELECT
DISTINCT
ORDER BY
TOP
This is how your query is going to be processed, and your query looks perfectly fine. But sometimes SQL Server decides not to follow this order in order to optimize your query.
In your case, SQL Server might be simplifying/transforming your query into another one and performing the convert function before applying the where isnumeric filtering.
If we make your query a little more complex (but still giving the same results), SQL Server executes the code correctly this time:
;with isnum AS (
    SELECT result
    FROM #temp
    WHERE ISNUMERIC(result) = 1
    GROUP BY result
    HAVING MAX(result) = result
)
SELECT
    result,
    ISNUMERIC(result)
FROM isnum
WHERE CONVERT(INT,result) > 1;
In your case (and this is what I do in such situations, when different types are stored in one column), you can simply use the TRY_CONVERT function:
;with isnum AS (
    SELECT result
    FROM #temp
    WHERE ISNUMERIC(result) = 1)
SELECT
    result,
    ISNUMERIC(result)
FROM isnum
WHERE TRY_CONVERT(INT, result) > 1

MS-Access error: At most one record can be returned by this subquery

When I try to run this query it gives me the error "At most one record can be returned by this subquery":
SELECT * from rosterTbl
WHERE rosterTbl.CounsellorID IN (IIF(ISNULL([Forms]![ReportsGUI]![cmbCounsellor]),
                                     (SELECT counsellorID FROM [Main: Counsellors_Tbl]),
                                     [Forms]![ReportsGUI]![cmbCounsellor]))
For what you're trying to accomplish, your query should look something like this:
SELECT * from rosterTbl
WHERE [Forms]![ReportsGUI]![cmbCounsellor] IS NULL
   OR rosterTbl.CounsellorID IN (SELECT counsellorID FROM [Main: Counsellors_Tbl])

"Invalid column name" In SQL Server from OpenQuery to SSAS with flattened results

I run the following query in T-SQL, with LINKED_AS being my SSAS:
SELECT * FROM
    (SELECT * FROM OPENQUERY(LINKED_AS,
        'SELECT FLATTENED PredictTimeSeries([PredictColumnName], -3, 0)
         FROM [Foo]') AS a
    ) AS b
and everything works perfectly.
But if I want to use just one of the returned columns (it returns PredictColumnName and $TIME), how do I access them?
SELECT PredictColumnName FROM
    (SELECT * FROM OPENQUERY(LINKED_AS,
        'SELECT FLATTENED PredictTimeSeries([PredictColumnName], -3, 0)
         FROM [Foo]') AS a
    ) AS b
does not work, and I've tried a lot of combinations with aliases and such, but haven't managed.
Solution moved from #Niklas' question post.
Found out the answer; the way to select is like this:
SELECT b.[Expression.PredictColumnName] FROM
    (SELECT * FROM OPENQUERY(LINKED_AS,
        'SELECT FLATTENED PredictTimeSeries([PredictColumnName], -3, 0)
         FROM [Foo]') AS a
    ) AS b
I got confused by "." being a part of the column name.