Sqlinjection in where Clause - sql-server-2008

I am testing an application and encountered a bit unique issue I have found that application is sending parameters like
?$filter=ModuleName+ne+'Bookings'+and+ModuleName+eq+'Transport'+and+(ContactID+eq+null+and+IsToBeShown+eq+true)+&$orderby=ReportName
Obviously I can add and +1+eq+1 and all results are shown but if I try to terminate the query like using (;, or ') it gives me error.
Kind of not sure how to terminate the query and add a union etc. clause to extract data .
Any thoughts are welcome

It seams that $filter is used in where clause and probably is added to some other hard coded conditions. To get all the result you need to add or 1 eq 1 (or instead of and).
It may make a difference if other condidions are added before or after $filter.
Try $filter=union all select ... where 1 eq 1 but remember that column list must be the same in all unioned queries. You don't need to terminate the query with ;
Replace spaces with +, I wrote spaces to make it easier to read.

Related

Laravel 5.6 - GroupBy is not working

I have tried it in several ways but it doesn't work (seems like ignoring it). So what I tried:
$user->notes()->groupBy('title')->get();
Above way completely ignores groupBy and just returns collection of notes.
Note::where('user_id', $user->id)->groupBy('title')->get();
Exactly same output with this one too.
In my database.php, the database is set to 'strict' => false
I have also tried using raw db query, it returns it in a weird format (returns 1 row for each title when I use groupBy)
DB::table('notes')->where('user_id', $user->id)->groupBy('title')->get();
I have seen many people facing this issue however none of the suggested ways (above) solved the issue.
I can achieve what I want with using collection->each(function ($note) {...} ), however while there is groupBy to make achieve this easily with 1 line, why the heavy work..
Does anyone has any idea why it doesn't work?
you just need to call first the ->get() then the ->groupBy() method.
Thats because in a SQL Query you need to select first the elements, then group.
So your code need to be like:
DB::table('notes')->where('user_id', $user->id)->get()->groupBy('title');
Heres an example of a Group By Query:
SELECT column_name(s)
FROM table_name
WHERE condition
GROUP BY column_name(s)
ORDER BY column_name(s);
go with select() and please add your group by field in select
e.g DB::table('notes')->select('title','Other_field')->where('user_id', $user->id)->groupBy('title')->get();

MySQLi PHP using OR and AND

Sorry about the title, I wasn't sure how to word it
I'm wanting to make a instant messaging system with PHP (I've done ajax for it) but I'm not sure how to get the query, I'm wanting something like this:
"SELECT * FROM messages WHERE user='$to' AND sender='$username' OR user='$username' AND sender='$to'"
Does anyone know if this is possible? Or a mysqli_fetch_array for two invididual queries on the same variable.
You can use parenthesis to use multiple operations to work as single operation in query. This is the typical approach anyway, and very useful for using multiple AND, OR operators in a query.
For you case, query should be like
"SELECT * FROM messages WHERE ( user='$to' AND sender='$username' ) OR ( user='$username' AND sender='$to' )"
Notice that tho we used 4 conditions, but with parenthesis we shrieked it into 2 separate conditions and ultimately one OR operation in the query.
Some good reading about this stuff at this article in case you want to dig it more

SQL Injection on BadStore

I'm trying to excercise on BadStore, for those who don't know it's a fake online store site which can be run on VM box, and offers a lot of security vulnerabilities.
One thing i'm trying to do is to apply sql injection on the search query.
When searching for "book", for instance, we see this:
So, i'm trying to show all the store items trying to search for 1=1' --, which will result with the query of:
SELECT itemnum, sdesc, ldesc, price FROM itemdb WHERE '1=1' --' IN (itemnum,sdesc,ldesc)
however, this not giving the expected outcome as I get the following error:
Any suggestions?
You realize that -- in MySQL acts as a comment for the rest of the line?
If this is what you are trying to do, commenting out the rest of the line, then as per the MySQL documentation, you need a space after the --.
I understand you are trying out MySQL injection, so try to type your query, and then after the query type ; -- Notice that there IS a trailing space.
TL;DR
Change
'1=1' --' IN
TO
'1=1' -- ' IN

nested "select " query in mysql

hi i am executing nested "select" query in mysql .
the query is
SELECT `btitle` FROM `backlog` WHERE `bid` in (SELECT `abacklog_id` FROM `asprint` WHERE `aid`=184 )
I am not getting expected answer by the above query. If I execute:
SELECT abacklog_id FROM asprint WHERE aid=184
separately
I will get abacklog_id as 42,43,44,45;
So if again I execute:
SELECT `btitle` FROM `backlog` WHERE `bid` in(42,43,44,45)
I will get btitle as scrum1 scrum2 scrum3 msoffice
But if I combine those queries I will get only scrum1 remaining 3 atitle will not get.
You Can Try As Like Following...
SELECT `age_backlog`.`ab_title` FROM `age_backlog` LEFT JOIN `age_sprint` ON `age_backlog`.`ab_id` = `age_sprint`.`as_backlog_id` WHERE `age_sprint`.`as_id` = 184
By using this query you will get result with loop . You will be able to get all result with same by place with comma separated by using IMPLODE function ..
May it will be helpful for you... If you get any error , Please inform me...
What you did is to store comma separated values in age_sprint.as_backlog_id, right?
Your query actually becomes
SELECT `ab_title` FROM `age_backlog` WHERE `ab_id` IN ('42,43,44,45')
Note the ' in the IN() function. You don't get separate numbers, you get one string.
Now, when you do
SELECT CAST('42,43,44,45' AS SIGNED)
which basically is the implicit cast MySQL does, the result is 42. That's why you just get scrum1 as result.
You can search for dozens of answers to this problem here on SO.
You should never ever store comma separated values in a database. It violates the first normal form. In most cases databases are in third normal form or BCNF or even higher. Lower normal forms are just used in some special cases to get the most performance, usually for reporting issues. Not for actually working with data. You want 1 row for every as_backlog_id.
Again, your primary goal should be to get a better database design, not to write some crazy functions to get each comma separated number out of the field.

RegEx to insert a string before each table in a MySQL query

I need to take a MySQL query and insert a string before each table name. The solution doesn't need to be one line but obviously it's a regex problem. It will be implemented in PHP so having programming logic is also fine.
Rationale and Background:
I'm revamping my code base to allow for table prefixes (eg: 'nx_users' instead of 'users') and I'd like to have a function that will automate that for me so I don't need to find every query and modify it manually.
Example:
SELECT * FROM users, teams WHERE users.team_id = teams.team_id ORDER BY users.last_name
Using the prefix 'nx_', it should change to
SELECT * FROM nx_users, nx_ teams WHERE nx_ users.team_id = nx_ teams.team_id ORDER BY nx_ users.last_name
Obviously it should handle other cases such as table aliases, joins, and other common MySQL commands.
Has anybody done this?
How big of a code base are we talking about here? A regular expression for something like this is seriously flirting with disaster and I think you're probably better off looking for every mysql_query or whatever in your code and making the changes yourself. It shouldn't take more than the hour you'd spend implementing your regex and fixing all the edge cases that it will undoubtedly miss.
Using a regex to rewrite code is going to be problematic.
If you need to dynamically change this string, then you need to separate out your sql logic into one place, and have a $table_prefix variable that is appropriately placed in every sql query. The variable can then be set by the calling code.
$query = "SELECT foo from " . $table_prefix . "bar WHERE 1";
If you are encapsulating this in a class, all the better.
This example does not take into consideration any escaping or security concerns.
First off, regular expressions alone are not up to the task. Consider things like:
select sender from email where subject like "from users group by email"
To really do this you need something that will parse the SQL, produce a parse tree which you can modify, and then emit the modified SQL from the modified parse tree. With that, it's doable, but not advisable (for the reasons Paolo gave).
A better approach would be to grep through your source looking for either the table names, the function you use to sent SQL, the word from, or something like it at script something to throw you into an editor at those points.