Unable to practice Sql Injection (blind) on DVWA 1.10 - sql-injection

I am practicing for Security Testing. I came across DVWA and I started practicing for Sql Injection. I was doing fine till I started with SQL Injection (blind). No matter which query I try I am not getting the desired result.
For eg :
1' and 1=0 union select null,table_name from information_schema.tables#
simply returns User ID exists in the database.
I have set the DVWA Security to Low. Also made sure there are no errors on setup page of the application under Setup Check section.
Following are environment details:
Operating system: Windows
Backend database: MySQL
PHP version: 5.6.16

I think the answer is here and the behavior is expected
https://github.com/ethicalhack3r/DVWA/issues/12
Someone complained of the opposite behavior and the developer agreed, and a contributor named g0tm1lk fixed it. He made the exercise really "blind" and we have to use blind injection methods to test the vulnerability.
Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.
A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:
200 if USER_ID exists
404 if USER_ID not exists
But it won't show any information from the query results (e.g. username, address, phone, etc)
If the page is vulnerable to SQLi [blind], an attacker won't be able get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.

Related

How to avoid Mongo DB NoSQL blind (sleep) injection

While scanning my Application for vulnerability, I have got one high risk error i.e.
Blind MongoDB NoSQL Injection
I have checked what exactly request is sent to database by tool which performed scanning and found while Requesting GET call it had added below line to GET request.
{"$where":"sleep(181000);return 1;"}
Scan received a "Time Out" response, which indicates that the injected "Sleep" command succeeded.
I need help to fix this vulnerability. Can anyone help me out here? I just wanted to understand what I need to add in my code to perform this check before connecting to database?
Thanks,
Anshu
Similar to SQL injection, or any other type of Code Injection, don't copy untrusted content into a string that will be executed as a MongoDB query.
You apparently have some code in your app that naively accepts user input or some other content and runs it as a MongoDB query.
Sorry, it's hard to give a more specific answer, because you haven't shown that code, or described what you intended it to do.
But generally, in every place where you use external content, you have to imagine how it could be misused if the content doesn't contain the format you assume it does.
You must instead validate the content, so it can only be in the format you intend, or else reject the content if it's not in a valid format.

Orientdb: Error executing live query subscriber

Orientdb throws on each live query subscripion using binary protocoll following Nullpointer exception:
Error executing live query subscriber. java.lang.NullPointerException at com.orientechnologies.orient.server.network.protocol.binary.OLiveCommandResultListener.onLiveResult(OLiveCommandResultListener.java:113)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect$2.call(OCommandExecutorSQLLiveSelect.java:134)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect.execInSeparateDatabase(OCommandExecutorSQLLiveSelect.java:144)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect.onLiveResult(OCommandExecutorSQLLiveSelect.java:131)
at com.orientechnologies.orient.core.query.live.OLiveQueryQueueThread.run(OLiveQueryQueueThread.java:69)
The Live Query is subscribed by one client: "live select from Account where CheckInDateTime like "2018-02-25%"", Orientdb returns also the live request token ID gracefully. But when another client updates Account with "update Account set CheckInDateTime = "2018-02-25 13:00:00"" the mentioned NullPointerexception is thrown. I've tried to use versions 2.2.30 and 2.2.32 Comunity, DB Administrator and Server Administrator accounts. Also loading of plugins seems not to work (even the used version is 2.2.30 and 2.2.32 where Live Query should be enabled at server by default). Nothing seems to help to get that work, also queries like "live select from account" (without where ...).
Any further ideas? Thx.
Currently live queries do not support the WHERE clause you included in the query.
You can only select entire collections or V and E (which is what I use to get all updates)
If you would like to filter using that where, you will have to write it yourself in code.
Thx for answering mitchken! Fortunately, I found the mistake. The TCP connection from client to DB was in wrong state (must be all the time in waitforreadyread).

What kind of int storage is this?

We have an Firebird database for a (very crappy) application, and the app's front end, but nothing in between (i.e. no source code).
There is a field in the database that is stored as -2086008209 but in the front-end represents as 63997.
Examples:
Database Front-End
758038959 44093
1532056691 61409
28401112 65866
-712038758 40712
936488434 43872
-688079579 48567
1796491935 39437
1178382500 30006
1419373703 66069
1996421588 48454
890825339 46313
-820234748 45206
What kind of storage is this? The aim for us here is to access the application's back-end data and bypass the front-end GUI alltogether, so I need to know how to decode this field in order to get appropriate values from it. It is stored as a int in FireBird (I don't know if FireBird has signed/unsigned ints, but this is showing as signed when we select it).
This is the definition of the field:
It is not, as far as I can tell, de-normalised. The generator GEN_CONTACTS_ID has 66241 against it, which at a glance looks accurate.
I work on with an application that stores bitmaps in integers (just don't ask), if you express them in that form do you something useful or consistant
My impression is that the problem is in the front end. If what is stored in the DB is -2086008209, then what is stored in the DB is -2086008209. To understand better how the application is manipulating the data, try storing other numbers in the DB and see how they are displayed.
Did you come to this realization through logging SQL? If you havent, you may serve yourself well by using the Firebird Trace API to get that SQL: http://www.firebirdfaq.org/faq95/. An easier tool to parse the Trace API is this commercial product: http://www.upscene.com/products.fbtm.index.php.
I've used these tools and other techniques (triggers etc,.) to find what an application is using/changing in the Database.
Of course, if the SQL statement is select * from table, then these tools would not help much.

SugarCRM Querying Database

In SugarCRM, using SOAP API, imagining i have lots of accounts populated in the database, and i want to find the account that has 'phone_work' = '00352254856987'. How can i make a query to accomplish that? It would be something like this:?
$query = "phone_work = '${myPhone}'";
For what i have tried, it seems the compiler finds an error in the XML document, which means the query is not well executed. What is the best way to do this kind of queries?
I'm using magento and creating a module to connect to sugar, so it is PHP
It turned out the field 'phone_work' is wrong. You can access at: http://apidocs.sugarcrm.com/schema/6.3.0/pro/tables/accounts.html and get all the fields related to that module. In the module 'Accounts', the field name is called 'office phone', but in the database, the name is 'phone_office'. Because the query is for the database, we need to use database field names.
Could you post the error that you get? Take also a look at the sugarcrm.log and maybe increase the logging level to see if the sql that gets created from your query is wrong.
By the way I switched to REST Json to get rid of soap related problems.

SSRS: Dropdown is not populated in filter in Report Builder

Whenever I try to apply filter to an attribute, which has ValueSelection= Dropdown, the dropdown is not populated and error message "The requested list could not be retrieved because the query is not valid or a connection could not be made to the data source" is shown instead.
If I set up ValueSelection=List I am getting a different error message:
An attempt has been made to use a semantic query extension associated with the data extension 'SQL' that is not registered for this report server.
(Microsoft.ReportingServices.SemanticQueryEngine)
This happens within BIDS environment and was observed both in SQL 2005 and SQL 2008.
I've already studied articles, which discussed the similiar problem, but neither of them applied to my case. The user account in data source has all necessary rights, data could be retrieved without any problem (for example if i try "Explore data" in data source view). The SQL profiler shows that no query is being sent to SQL Server when there is an attempt to populate dropdown. So nothing is wrong with the query, it is simply never executed.
Your connection is not working. Try to test you connection by trying a simple table and query output.
This will enable you to test the connection before trying anything advanced.
Got this problem and in my case it was caused by wrong connection string in Data Source - instead of just having a SQL Server name like "SOMESQLSERVER_MACHINE" I had for some reason "SOMESQLSERVER_MACHINE.our.corp.domain". It had to be the same, but then I realized that the domain is wrong, after removing it all works like a charm again. That said: it's always good idea to start with detailed checks on your basic settings.
Otherwise this could be a problem with permissions to the folders on Report Manager.