What do `%`.* and 'db_user'@'%' in the following SQL statement mean? - mysql

I can't find a good answer for the meaning of % used in the sql statement:
REVOKE SELECT ON `%`.* FROM 'db_user'@'%'
Is it a wildcard value? So does % in %.* refer to all available schemaIDs and * means all tables available in each schemaID?
When I try:
GRANT INSERT, UPDATE ON `%`.tablename TO 'db_user'@'%';
I get the error:
Error Code: 1146. Table '%.tablename' doesn't exist
Shouldn't it go to the specific schemaID with the tablename and grant the rights and ignore the rest?
Then how about % in 'db_user'@%? Versus 'db_user@localhost'?
Any help is appreciated.
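
An added example, not part of the original question, showing how MySQL treats % in each position the question asks about. The schema names app_db and reporting_db and the password are constructed placeholders; run it as an administrative account on a test server.

```sql
-- Constructed names (app_db, reporting_db, the password) are placeholders.
CREATE DATABASE IF NOT EXISTS app_db;
CREATE TABLE IF NOT EXISTS app_db.tablename (id INT PRIMARY KEY);
CREATE USER IF NOT EXISTS 'db_user'@'%' IDENTIFIED BY 'change-me-placeholder';

-- 1. Database-level privilege (ON db.*): the schema name is a LIKE-style
--    pattern, so `%` matches every schema. One row lands in mysql.db (Db = '%').
GRANT SELECT ON `%`.* TO 'db_user'@'%';

-- REVOKE has to name the same level and the same pattern as the GRANT it
-- undoes; this removes the Db = '%' row only, not grants made per schema.
REVOKE SELECT ON `%`.* FROM 'db_user'@'%';

-- 2. Table-level privilege (ON db.table): no pattern matching. `%`.tablename
--    means a schema literally named "%", hence error 1146. Name the schema.
GRANT INSERT, UPDATE ON app_db.tablename TO 'db_user'@'%';

-- 3. `_` is also a wildcard at database level; escape it to match one schema.
CREATE DATABASE IF NOT EXISTS reporting_db;
GRANT SELECT ON `reporting\_db`.* TO 'db_user'@'%';

-- 4. An account is the pair user@host. Host '%' accepts any client host;
--    'db_user'@'localhost' would be a separate account with its own grants.
SHOW GRANTS FOR 'db_user'@'%';

-- Audit: accounts reachable from any host, and all-schema pattern grants.
SELECT User, Host FROM mysql.user WHERE Host = '%';
SELECT User, Host, Db FROM mysql.db WHERE Db = '%';
```

The two audit queries at the end are the ones to keep: a Db = '%' row combined with Host = '%' is the broadest scope a database-level grant can have.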

Related

Mysql query breaking when sent as GET parameter

I am testing out a blind boolean SQL injection endpoint in a course and am having some issues figuring out where my payload is going wrong.
I have tested the below in the mysql shell on the target box and it works.
GRANT/**/ALL/**/ON/**/*.*/**/TO/**/root@localhost;
But when I submit it in the q GET param I am getting an error in the application.
php?q=off')/**/or/**/GRANT/**/ALL/**/ON/**/*.*/**/TO/**/root@localhost%23
I tested a basic boolean statement with '1'='1' instead and it works fine so I am assuming there is something wrong with my actual query in the context of the URL.
q=off')/**/or/**/'1'='1'%23
I have tried the payload url encoded as well but still with the same issues.
Any idea what might be causing this?
Using SQL injection to combine a partial expression like OR '1'='1' as part of some other query works because there are many ways to append extra expression syntax to an existing SQL query that already has a WHERE clause.
For example, it's easy to see in the below example how the additional expression can be appended to the first query, and it's still a legal expression.
SELECT * FROM mytable WHERE col1 = 'off'
SELECT * FROM mytable WHERE col1 = 'off' OR '1'='1' -- '
But GRANT is a statement on its own. It cannot be appended to another query like that. There's no way to combine GRANT with a SELECT statement.
SELECT * FROM mytable WHERE col1 = 'off' OR GRANT ALL ON *.* TO ...
That's just not a legal SQL query. You can study the online syntax reference for SELECT and other types of statements.
SQL injection works by tricking the app into executing one SQL statement with different syntax than the original intended SQL statement. But it can't make invalid syntax work!

Is there any way to disable the case sensitive option for the particular mysql database till next restart?

MySQL (version 5.7.24 on Ubuntu 16.04 with lower_case_table_names as 0): the following query returns an error:
Error Code: 1054. Unknown column 'K.fieldname' in 'where clause'
SELECT *
FROM mytab k
WHERE K.fieldname IS NULL;
(InnoDB) table mytab's alias name is in lower case (k) and fieldname is referenced by an upper case (K) letter.
Is there any option to resolve this without changing the code or my.cnf settings (like set variables sessionwise or tablewise ...).
It seems that the error you are receiving has nothing to do with the lower_case_table_names parameter setting. It is clearly mentioned in the Documentation:
Note
Although database, table, and trigger names are not case sensitive on
some platforms, you should not refer to one of these using different
cases within the same statement. The following statement would not
work because it refers to a table both as my_table and as MY_TABLE:
mysql> SELECT * FROM my_table WHERE MY_TABLE.col=1;
So, you have no other solution than fixing your query and using identical case for the alias throughout the query:
SELECT *
FROM mytab k
WHERE k.fieldname IS NULL; /* <-- use small k here */

What is the purpose/meaning of the @ sign in such a string like this one: 'username'@'host' in MySQL statements?

Sorry if I'm asking a banal question, but I couldn't find out what the @ symbol means in, for instance, this MySQL statement: "CREATE USER 'username'@'somehost' IDENTIFIED BY 'somepassword'". Is it a delimiter in this case or something else?

SELECT command denied to user

I'm getting a funny MySQL error. Here's what's happening:
query:
SELECT COUNT(id) AS mycount FROM ip_protection.hits WHERE datetime_created>DATE_SUB(NOW(), INTERVAL 10 MINUTE) AND ip='166.248.6.19'
error:
SELECT command denied to user 'goatpric_db'@'166.248.6.19' for table 'hits'
privileges:
GRANT ALL PRIVILEGES ON `goatpric\_ip\_protection`.* TO 'goatpric_db'@'%'
'hits' is a table in ip_protection. Any thoughts?
You are using the wrong database name everywhere. Use the correct database, which according to your question is ip_protection.
Add Use Procedure Bodies = false; to the connection string.
For example:
server=localhost; user id=dbuser; password=password; database=dbname; Use Procedure Bodies=false;

Grant select on views which use functions

I'm using PostgreSQL 8.4 and am having a bit of a problem granting select privileges on a view from a database owned by a different user when the view uses any of the database's functions.
As the new user, when I try to run, for example select * from users_pwd; where users_pwd is defined as:
create view users_pwd as
select *, get_pwd(id)
from users;
and get_pwd as:
CREATE OR REPLACE FUNCTION get_pwd(p_id integer)
RETURNS text AS
$BODY$
declare u record;
BEGIN
select into u * from users where id = p_id;
return u.password;
END;
$BODY$
LANGUAGE plpgsql;
I get the following error:
ERROR: permission denied for relation users
CONTEXT: SQL statement "select * from users where id = $1 "
PL/pgSQL function "get_pwd" line 3 at SQL statement
The only way to have the user query the view is to explicitly grant select on the table users which I don't want to do.
If a view doesn't use any function, but rather just other tables which the new user doesn't have explicit access to it works perfectly fine.
You could create the function with an owner who can select from the table users. Such a function should be created with the SECURITY DEFINER clause, so it will be executed with the owner's rights.
You can find more information here: http://www.postgresql.org/docs/9.0/interactive/sql-createfunction.html
You can also GRANT EXECUTE privileges on functions. See GRANT in the docs.
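
The two suggestions above combined into one script, as an added example that is not from the original answers. The role names app_owner (owner of users) and report_reader (the new user) and the public schema are assumptions; run it as a superuser.

```sql
-- Hypothetical roles: app_owner owns table users; report_reader is the new user.
BEGIN;

CREATE OR REPLACE FUNCTION get_pwd(p_id integer)
RETURNS text AS
$BODY$
DECLARE
    v_password text;
BEGIN
    -- Schema-qualify the table so name lookup does not depend on the caller.
    SELECT password INTO v_password FROM public.users WHERE id = p_id;
    RETURN v_password;
END;
$BODY$
LANGUAGE plpgsql
STABLE
SECURITY DEFINER                     -- body runs with the function owner's rights
SET search_path = public, pg_temp;   -- pin lookup; temp schema is searched last

-- The function runs as its owner, so the owner must be able to read users.
ALTER FUNCTION get_pwd(integer) OWNER TO app_owner;

-- Functions are executable by PUBLIC by default. Remove that first, because
-- EXECUTE on this function returns the password of any id the caller passes.
REVOKE ALL ON FUNCTION get_pwd(integer) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_pwd(integer) TO report_reader;

-- The view is readable; the underlying table stays ungranted.
GRANT SELECT ON users_pwd TO report_reader;

COMMIT;

-- Check the result from the new user's point of view.
SET ROLE report_reader;
SELECT * FROM users_pwd;   -- succeeds through the view and the definer function
SELECT * FROM users;       -- still fails: permission denied for relation users
RESET ROLE;
```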