MySQL Queries - Display information created by 'sys' - mysql

I'm learning to work with databases and have been learning to write queries based on the tables created.
I'm trying to display information about all the views that were created by the sys user.
I've tried Information_Schema but it returns results that I've created and not the 'sys'.
I'm not sure if I'm attempting it correctly, but I'm getting a result with;
EXEC sp_tables
@table_owner ='sys';
but as it still displays everything and not just 'view' - when I try;
EXEC sp_tables
@table_owner ='sys',
@table_type = 'view';
It returns no data.
Not sure how to work this one out. Tried many things but all were wrong.

I don't know if I got this right but have tried :
SELECT * FROM INFORMATION_SCHEMA.Views where TABLE_schema='sys'

Related

Couldn't figure out how the payload worked

I was solving one of TryHackMe's rooms about SQL injection. But I couldn't figure out one thing that came to my mind, and after spending lots of time I thought it's best to ask that question here. In the room there is a machine to deploy; after the machine was deployed it gave me an interface (webapp) that takes inputs from me like so:
And if you give it a value like test. It returns following output:
When I saw it, I thought it was an easy SQLi question so I tried most basic SQLi payloads for common dbms like so:
' ; sleep(1) --
' or 1=1 -- ...
But none of them worked and returned me an error message like that:
After that failure, I ran sqlmap and it found 2 types of SQLi payload with the following payloads:
Then I realized that in time based SQLi, sqlmap used ||. Then I tried to send '|| (select sleep(2)) -- . And it worked. Now my question is why my first payload (' ; select sleep(2) -- ) didn't work, but this one worked?
By default, MySQL query interfaces do not support multiple queries separated by semicolon. To get that, the application would have to explicitly request this feature to be enabled when it connects to the database. There's a connect option for that.
So by default, any type of SQL injection that works by trying to append a malicious query after a semicolon doesn't work.
But an SQL injection that works by modifying an expression in the single query can still work.
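The behaviour described in the answer above, as an added example that is not part of the original post: Python's built-in sqlite3 stands in for the MySQL connection here because its execute() likewise accepts only one statement per call. The books table, its rows and the function names are constructed for this demo; it shows the stacked input being rejected, the in-expression input still changing the result, and a bound parameter neutralising both.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO books (title) VALUES (?)",
                   [("test",), ("hidden draft",), ("internal notes",)])
    return db

def search_concat(db, term):
    """Vulnerable: user input is pasted into the SQL text."""
    sql = "SELECT title FROM books WHERE title = '" + term + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # execute() accepts exactly one statement, like a MySQL connection
        # opened without the multi-statement option.
        return "rejected: " + type(exc).__name__

def search_param(db, term):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    return [row[0] for row in db.execute(
        "SELECT title FROM books WHERE title = ?", (term,))]

STACKED = "' ; SELECT 1 --"   # a second statement after a semicolon
IN_EXPR = "' OR 1=1 --"       # rewrites the WHERE expression instead

if __name__ == "__main__":
    db = make_db()
    for label, term in [("normal", "test"), ("stacked", STACKED),
                        ("in-expression", IN_EXPR)]:
        print(label, "| concat:", search_concat(db, term),
              "| bound:", search_param(db, term))
```

The single-statement limit stops only the stacked form, so it is not a substitute for binding parameters.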

Why am I getting this #1305 - FUNCTION homeshopping.partID does not exist

I don't see why it says partID is giving me a problem. It is in the table and I think I have them linked correctly. I have changed a few things: I replaced the comma with the AND statement, which cleared up a lot of my errors. But since I've done that it continues to give me #1305 - FUNCTION homeshopping.partID does not exist. I have even looked at the structures and designer to make sure column names and tables are correct.
Don't forget to post your query as text also.
Because it's missing the keyword IN to have a query like this:
SELECT CONCAT(hscust.first,' ', hscust.last) AS Customer,hsitems.description,hsitems.price,hsitems.itemCalss
FROM hscust,hsorders,hslineitem,hsitems
WHERE hslineitem.orderId = hsorders.orderId AND hsitems.partID = hslineitem.partNum AND hslineitem.price = hsitems.price AND partID IN ('CB03', 'CZ82');

Query unexpectedly fails

I am creating a simple member system using MySQL, and have stumbled onto a problem.
The issue is that I am using the correct SQL query to search the column Username, and find Administrator, but however my query isn't finding anything.
I have searched the internet for a solution (with many results taking me back to Stack Overflow), but however have not found anything.
The query that I am using is:
SELECT * FROM members WHERE Username = "Administrator"
Which looks fine from my end, but however does not return any results:
Am I doing something wrong here?
I am new to MySQL & PHP, so if something is obviously wrong with what I'm doing here, please tell me nicely, and please don't 'flame'.
Edit:
When attempting to run this query through PHP, I get:
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/crysisor/public_html/checklogin.php on line 22
The above code confirms that something is wrong...
Relevant code:
$user = mysqli_real_escape_string($sqli, $_POST['user']);
$pass = mysqli_real_escape_string($sqli, $_POST['pass']);
if ($user && $pass) {
    $checkuser = mysqli_num_rows(mysqli_query($sqli, "SELECT * FROM users WHERE Username='".$user."'"));
}
I have a few hints which may help you resolve your problem.
Make the query itself a PHP variable, and echo it. Then copy and paste the echoed result into phpMyAdmin.
Use single quotes for query variables. The query itself should be in double quotes.
Unrelated: the password looks short. It shouldn't be stored in plain text.

CakePHP Error: SQLSTATE[42S02] table not found - but exist

You might read this question every day, so I tried another Stack Overflow answer before asking:
CakePHP table is missing even when it exists
Anyways. The table I try to select data from does exist (quadra-checked uppercase/lowercase!) and it also gets listed via $db->listSources().
Here's a screenshot of the query, the message and the last result from listing all Datasource's tables:
http://i.stack.imgur.com/CdhcV.png
Note: If I run this query in PHPMyAdmin manually it works fine. I would say it's impossible to get the picture's output at one time in a view - now it's up to you to tell me the opposite. By the way: I am pretty sure to use the correct Datasource.
I should tell additionally that the mysql-server is hosted on another platform. Since I can use it for my localhost-phpmyadmin if I modify the config.inc.php, I can promise it is no Firewall-Problem.
Written on behalf of xcy7e:
The mistake was to execute the Query from the local Model. Here's the code:
$conn = ConnectionManager::getDataSource('myDB');
$conn->query($query);
// instead of $this->query($query);

Get Redmine custom field value to a file

I'm trying to create a text file that contains the value of a custom field I added on redmine. I tried to get it from an SQL query in the create method of the project_controller.rb (at line 80 on redmine 1.2.0) as follows :
sql = Mysql.new('localhost','root','pass','bitnami_redmine')
rq = sql.query("SELECT value
    FROM custom_values
    INNER JOIN projects
    ON custom_values.customized_id=projects.id
    WHERE custom_values.custom_field_id=7
    AND projects.name='#{@project.name}'")
rq.each_hash { |h|
  File.open('pleasework.txt', 'w') { |myfile|
    myfile.write(h['value'])
  }
}
sql.close
This works fine if I test it in a separate file (with an existing project name instead of @project.name) so it may be a syntax issue but I can't find what it is. I'd also be glad to hear any other solution to get that value.
Thanks !
(there's a very similar post here but none of the solutions actually worked)
First, you could use Project.connection.query instead of your own Mysql instance. Second, I would try to log the SQL RAILS_DEFAULT_LOGGER.info "SELECT ..." and check if it's ok... And the third, I would use identifier instead of name.
I ended up simply using params["project"]["custom_field_values"]["x"] where x is the custom field's id. I still don't know why the sql query didn't work but well, this is much simpler and faster.