How to find out the right syntax in MariaDB Error Based SQL Injection?

I am trying to inject SQL statements into a Box.
I have the following injection point:
example.com/?o=1&page=app
When I inject 1', I receive the following error message:
DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '5' or dest like '1'') LIMIT 10' at line 1
I was trying to inject the following:
1' ORDER BY 1 --
I still get an error message and I don't know how to close the statement:
DEBUG INFO: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'ORDER BY 1 --') and ( dest like '5' or dest like '1' ORDER BY 1 --') LIMIT 10' at line 1
What am I doing wrong?
Thanks for the answers!

Given that when you tried 1', the query included '1'', it seems that the original query is something like this:
... '5' or dest like '$o') LIMIT 10
e.g.
SELECT * FROM table WHERE (category = '5' or dest like '$o') LIMIT 10
To get this to be a valid query you'd need to close the parentheses.
So e.g. %') --, giving:
SELECT * FROM table WHERE (category = '5' or dest like '%') --') LIMIT 10
or %' OR '' = ', giving:
SELECT * FROM table WHERE (category = '5' or dest like '%' OR '' = '') LIMIT 10
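The answer above works out the shape of the query from the leaked DEBUG INFO text. As an added example (not part of the thread), the snippet below builds that same query shape two ways, once by string concatenation as the application evidently does, and once with a bound parameter, and shows how the inputs quoted in the question behave against each. SQLite is used as a stand-in for MariaDB because it runs without a server; the table name dest_table and the rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's table.
# SQLite is a stand-in for MariaDB here; the query shape is the one the
# answer inferred: WHERE (category = '5' or dest like '$o') LIMIT 10
ROWS = [
    ("5", "alpha"),
    ("7", "beta"),
    ("9", "gamma"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dest_table (category TEXT, dest TEXT)")
    conn.executemany("INSERT INTO dest_table VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, o):
    """The inferred query built by string concatenation: whatever the caller
    puts in o becomes part of the SQL text, so quotes, parentheses and
    comment markers change the statement's structure."""
    sql = (
        "SELECT * FROM dest_table "
        f"WHERE (category = '5' or dest like '{o}') LIMIT 10"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, o):
    """Same query with o bound as a parameter: the driver passes the value
    separately from the SQL text, so the same characters are only ever a
    LIKE pattern."""
    sql = ("SELECT * FROM dest_table "
           "WHERE (category = '5' or dest like ?) LIMIT 10")
    return conn.execute(sql, (o,)).fetchall()


def rejected_by_parser(conn, o):
    """True when the concatenated query fails to parse. This is the situation
    behind the DEBUG INFO message in the question; a production handler
    should log that error server-side, not echo the statement to the client."""
    try:
        lookup_concatenated(conn, o)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("ordinary value, concatenated :", lookup_concatenated(db, "beta"))
    print("ordinary value, parameterized:", lookup_parameterized(db, "beta"))
    print("1' breaks the concatenated SQL:", rejected_by_parser(db, "1'"))
    print("%') -- concatenated           :", lookup_concatenated(db, "%') --"))
    print("%') -- parameterized          :", lookup_parameterized(db, "%') --"))
```

With an ordinary value both functions return the same rows. The input 1' leaves the concatenated statement with an unterminated string, which is the parse error the question shows, while %') -- closes the parenthesis and comments out the rest, so the concatenated query returns every row. The parameterized version treats both inputs as plain LIKE patterns and returns only the category = '5' row. The fix on the defending side is therefore the bound parameter plus not returning the DBMS error text to the browser.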

Related

How do I use FETCH FIRST 1 ROWS ONLY in combination with UNION ALL in DB2?

See title.
This is what I'm trying:
select a.work_order_no
from (
select work_order_no as work_order_no
from work_order_line
where insert_timestamp is not null
FETCH FIRST 1 ROWS ONLY
union all
select work_order_no as work_order_no
from work_order_line
where insert_timestamp is null
FETCH FIRST 1 ROWS ONLY
) as a
FETCH FIRST 1 ROWS ONLY
But it gives the following error:
SQL State: 42601 Vendor Code: -199 Message: [SQL0199] Keyword UNION not expected. Valid tokens: ). Cause . . . . . :   The keyword UNION was not expected here.  A syntax error was detected at keyword UNION.  The partial list of valid tokens is ). This list assumes that the statement is correct up to the unexpected keyword.  The error may be earlier in the statement but the syntax of the statement seems to be valid up to this point. Recovery  . . . :   Examine the SQL statement in the area of the specified keyword.  A colon or SQL delimiter may be missing. SQL requires reserved words to be delimited when they are used as a name. Correct the SQL statement and try the request again.  Processing ended because the highlighted statement did not complete successfully  Failed statements: 1
In SQL this concept would work with the 'top 1' syntax. I'm assuming this can also work in DB2 but I'm just doing something wrong with the syntax order?
I have asked a colleague and luckily he responded rather quickly:
I missed some ()
select a.work_order_no
from (
(select work_order_no as work_order_no
from work_order_line
where insert_timestamp is not null
FETCH FIRST 1 ROWS ONLY)
union all
(select work_order_no as work_order_no
from work_order_line
where insert_timestamp is null
FETCH FIRST 1 ROWS ONLY )
) as a
FETCH FIRST 1 ROWS ONLY

Try to convert Time to Sec in Oracle SQL

I am trying to convert Time to Sec, but whatever I try I get an error message.
The following query is what I have done so far:
SELECT
SUM(TIME_TO_SEC(mi.Time)),
uti.Date_
FROM
users ui
LEFT JOIN project_users pui
ON(ui.UserID = pui.UserID)
LEFT JOIN user_timesheets uti
ON(ui.UserID = uti.user_id)
LEFT JOIN moments mi
ON(uti.UserTimesheetsID = mi.UserTimesheetsID)
WHERE
uti.user_id = 1 AND mi.Time != ''
AND
EXTRACT(MONTH FROM uti.Date_) = '2020-01-21'
AND
EXTRACT(YEAR FROM uti.Date_) = '2020-01-21'
AND
mi.AtestStatus = 1
GROUP BY
uti.Date_
HAVING SUM(SELECT(TIME_TO_SEC(mi.Time))) > 28800;
I get the error:
ORA-00936: missing expression
00936. 00000 - "missing expression"
*Cause:
*Action:
Error at Line: 74 Column: 36
I am not sure what to use here to convert, but so far I have tried to use TO_CHAR and CAST.
The reference link is here
REFERENCE
You refer to the TIME_TO_SEC function from the MySQL documentation, though the question is tagged oracle. Use extract(second ...) or google "oracle extract epoch equivalent", depending on what you want.
Also, the expressions EXTRACT(MONTH FROM uti.Date_) = '2020-01-21' and EXTRACT(YEAR... look suspicious; the returned values are definitely not of the form 'YYYY-MM-DD'.

Syntax error due to a default alias (_c3)

I used a query to create a table, which has a SET in one of its columns.
T1:
serial _c3
1 193748 ["special","normal","normal"]
2 263565 ["normal","normal"]
Then I have another Table with serials only.
T2:
serial
1 193748
2 263565
3 636474
4 928396
I want a query that produces serials from T2 IF they are NOT in T1 or if T1's _c3 data has the word "special" in it. I also want a boolean value that indicates if T1 is in T2.
So using above example, I want:
T3:
serial in_t1
1 193748 1
3 636474 0
4 928396 0
Here is my query so far:
SELECT
T2.serial,
array_contains(T1._c3, 'special') as in_t1
FROM T2 LEFT OUTER JOIN T1 ON T1.serial = T2.serial
WHERE T1.serial is NULL OR array_contains(T1._c3, 'special')
LIMIT 50;
So for array_contains in select line I get this error message:
Error while compiling statement: FAILED: cannot recognize input near 'T1' '.' '_c3' in select expression.
When I remove that line from select and just run:
SELECT
T2.serial
FROM T2 LEFT OUTER JOIN T1 ON T1.serial = T2.serial
WHERE T1.serial is NULL OR array_contains(T1._c3, 'special')
LIMIT 50;
I get the same error but in the WHERE clause line now: cannot recognize input near 'T1' '.' '_c3' in select expression
Could you point me in the right direction? Thank you!
_c3 is an illegal alias/column name, due to the underscore as its first character.
If you want to use it, wrap it in backticks (`).
Another option would be to rename the column.
The cleanest solution would have been to alias the expression in the first place.

SQL - Missing right parenthesis error

SQL Code
SELECT DtsDavaIslem.DAVAISLEM_NO, DtsDavaIslem.DOSYA_ID, DtsDavaIslem.ISEMRI_NO,
DtsDavaIslem.GIREN_KULLANICI, DtsDavaIslem.GIRIS_TARIHI, DtsDavaIslem.DEGISTIREN_KULLANICI,
DtsDavaIslem.DEGISTIRME_TARIHI, DtsDavaIslem.ISLEMLISTESINO, DtsDavaIslem.YAPILACAKIS,
DtsDavaIslem.BASLANGICTARIHI, dtsdavaislem.bitmesigerekentarih, (SELECT
DtsDavaIslemListesi.ISLEM_ADI || ';' || DtsDavaIslem.ISLEMLISTESINO FROM DTS.DAVA_ISLEMLISTESI DtsDavaIslemListesi WHERE
DtsDavaIslemListesi.ISLEMLISTESINO=DtsDavaIslem.ISLEMLISTESINO ) AS islem_auto_suggest FROM DTS.DAVA_ISLEM DtsDavaIslem WHERE 1=1
Could you edit the SQL code for me please?
Error
oracle.jbo.SQLStmtException: JBO-27122: Deyim hazırlığı sırasında SQL hatası oluştu. Deyim: SELECT * FROM (SELECT * FROM (SELECT DtsDavaIslemListesi.ISLEMLISTESINO,
DtsDavaIslemListesi.ISLEM_ADI,
DtsDavaIslemListesi.GIREN_KULLANICI,
DtsDavaIslemListesi.GIRIS_TARIHI,
DtsDavaIslemListesi.DEGISTIREN_KULLANICI,
DtsDavaIslemListesi.DEGISTIRME_TARIHI,
DtsDavaIslemListesi.dava_durumno,
DtsDavaIslemListesi.ISLEM_ADI || ';' || DtsDavaIslemListesi.ISLEMLISTESINO as Aciklama
FROM dts.dava_islemlistesi dtsdavaislemlistesi
WHERE :bSorgu<>'1'
AND 1=1) QRSLT WHERE ( ( (ACIKLAMA = :vc_temp_1 ) ) )
ORA-00907: missing right parenthesis
You have 4 left "(" and 3 right ")". They are called "parentheses". If the error says missing right parenthesis, it means you're missing one or more ")". Next time first google it (or bing it :P) before asking such a question.
The error isn't in the SQL from beginning but in the sql that your code is making up. So look at the sql before it executes and look where you went wrong.
If you look at the error you can see how the SQL is wrong, but you will need to look at your own code to find where you're building it up wrong.
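The answers above say to count the parentheses in the SQL the application actually generated. As an added example (not from the thread), here is a small Python check that does that count while skipping parentheses inside single-quoted literals, double-quoted identifiers and -- or /* */ comments, so a ")" inside a string value is not miscounted. It is run over the statement text exactly as printed in the JBO-27122 message above; the name GENERATED_SQL is just this example's label for that text.

```python
# Counts parentheses in SQL text the way a reviewer would: ignoring anything
# inside quoted literals/identifiers and comments. Returns the number of "(",
# the number of ")" and the offset of the first ")" that has no matching "(".
def count_parentheses(sql):
    opens = closes = depth = 0
    first_unmatched_close = None
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # skip a quoted literal/identifier; a doubled quote is an escape
            quote = ch
            i += 1
            while i < n:
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:
                        i += 2
                        continue
                    break
                i += 1
        elif sql.startswith("--", i):
            end = sql.find("\n", i)
            i = n if end == -1 else end
            continue
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif ch == "(":
            opens += 1
            depth += 1
        elif ch == ")":
            closes += 1
            depth -= 1
            if depth < 0 and first_unmatched_close is None:
                first_unmatched_close = i
        i += 1
    return opens, closes, first_unmatched_close


def missing_right_parentheses(sql):
    """Number of ")" that would have to be added to balance the statement."""
    opens, closes, _ = count_parentheses(sql)
    return opens - closes


# The statement as printed in the JBO-27122 error message in the question.
GENERATED_SQL = """SELECT * FROM (SELECT * FROM (SELECT DtsDavaIslemListesi.ISLEMLISTESINO,
DtsDavaIslemListesi.ISLEM_ADI,
DtsDavaIslemListesi.GIREN_KULLANICI,
DtsDavaIslemListesi.GIRIS_TARIHI,
DtsDavaIslemListesi.DEGISTIREN_KULLANICI,
DtsDavaIslemListesi.DEGISTIRME_TARIHI,
DtsDavaIslemListesi.dava_durumno,
DtsDavaIslemListesi.ISLEM_ADI || ';' || DtsDavaIslemListesi.ISLEMLISTESINO as Aciklama
FROM dts.dava_islemlistesi dtsdavaislemlistesi
WHERE :bSorgu<>'1'
AND 1=1) QRSLT WHERE ( ( (ACIKLAMA = :vc_temp_1 ) ) )"""

if __name__ == "__main__":
    print(count_parentheses(GENERATED_SQL))
    print("missing right parentheses:", missing_right_parentheses(GENERATED_SQL))
```

Run over the statement from the error message, the count shows one more "(" than ")", which is the ORA-00907 condition; the unmatched one is the outermost SELECT * FROM ( that the framework wraps around the application's query. Because the check skips quoted text, the ';' literal and bind names do not disturb the count.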

Max Timestamp not giving correct result

I have a simple code to display latest error msg based on timestamp:
SELECT
line_item || ': ' || error_msg as RejectionMsg
FROM reqs
WHERE reqs_number = 'XXXXXXX'
and rqj_timestamp = (select max(rqj_timestamp) from reqs
WHERE reqs_number = 'XXXXXX' )
My data is something like :
rqj_timestamp line_item Error_msg
08-MAY-2009 14:00:04 8928 INVALID (RC4C) E
08-MAY-2009 14:00:04 8929 INVALID (R4CO) EY0
05-AUG-2013 00:13:42 11760 OO_USR_1 - NO_DATA_FOUND:No Data found for REQUEST
05-AUG-2013 00:13:42 11761 OO_USR_1 - NO_DATA_FOUND:No Data found for REQUEST
05-AUG-2013 00:13:42 11762 OO_USR_1 - NO_DATA_FOUND:No Data found for REQUEST
05-AUG-2013 00:14:59 11763 OO_USR_1 - NO_DATA_FOUND:No Data found for REQUEST
06-AUG-2013 06:55:59 11807 OO_45_ERROR_REGION_DERIV
06-AUG-2013 06:55:59 11808 OO_45_ERROR_REGION_DERIV
06-AUG-2013 06:55:59 11809 OO_45_ERROR_REGION_DERIV
My query is giving me output for 08-MAY-2009 14:00:04 time-stamp instead of the 06-AUG-2013 06:55:59 time-stamp.
3: INVALID (RC4C) E
3: INVALID (R4CO) EY0
Any idea where I am going wrong in this? Or how I can improve my query? If I remove the 08-MAY-2009 14:00:04 rows, it works perfectly fine.
Thanks in advance for help.
I would assume your timestamp is not a date or similar data type, but a character data type like nvarchar2. Change your table to the proper data type.
A working but less clean solution would be to use something like
cast((select max(cast(rqj_timestamp as date)) from reqs) as nvarchar2)
which might depend on national language settings etc.
You would use the character data type that the column has in the outer cast.
Try something like (untested):
select *
from (
select r.*,
row_number() over (partition by reqs_number order by rqj_timestamp desc nulls last) rnum
from reqs r
where reqs_number = 'XXXXXXX'
)
where rnum = 1;
Also, the assumption is the "rqj_timestamp" is actually a timestamp (or at least a date).
Thanks for pointing out that I should check the datatype. It turns out it was varchar; adding to_date(rqj_timestamp,'DD-MON-YYYY HH24:MI:SS') worked.
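The thread's conclusion is that MAX over a 'DD-MON-YYYY HH24:MI:SS' string compares text, not time, so '08-MAY-2009' wins over '06-AUG-2013' because '08' > '06'. As an added example (not from the thread), the script below reproduces that with rows modelled on the question's data and then applies the fix, converting the text to a real chronological key before MAX and the equality comparison. SQLite stands in for Oracle, and the Python function to_iso registered into it plays the role of TO_DATE(rqj_timestamp, 'DD-MON-YYYY HH24:MI:SS'); the rows, the line_item numbers and the reqs_number value are constructed.

```python
import sqlite3
from datetime import datetime

# Constructed rows in the shape of the question's data; rqj_timestamp is
# stored as TEXT in 'DD-MON-YYYY HH24:MI:SS' form, as the OP's column was.
SAMPLE = [
    ("08-MAY-2009 14:00:04", 8928, "INVALID (RC4C) E"),
    ("08-MAY-2009 14:00:04", 8929, "INVALID (R4CO) EY0"),
    ("05-AUG-2013 00:13:42", 11760, "OO_USR_1 - NO_DATA_FOUND"),
    ("05-AUG-2013 00:14:59", 11763, "OO_USR_1 - NO_DATA_FOUND"),
    ("06-AUG-2013 06:55:59", 11807, "OO_45_ERROR_REGION_DERIV"),
    ("06-AUG-2013 06:55:59", 11808, "OO_45_ERROR_REGION_DERIV"),
]


def to_iso(text):
    """Stand-in for Oracle's TO_DATE(col, 'DD-MON-YYYY HH24:MI:SS'): parse the
    text and return an ISO-8601 string, which orders chronologically even
    when compared as text."""
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("to_iso", 1, to_iso)
    conn.execute(
        "CREATE TABLE reqs (reqs_number TEXT, rqj_timestamp TEXT, "
        "line_item INTEGER, error_msg TEXT)"
    )
    conn.executemany("INSERT INTO reqs VALUES ('XXXXXXX', ?, ?, ?)", SAMPLE)
    return conn


def latest_as_text(conn):
    """The question's query as written: MAX over the raw text column."""
    rows = conn.execute(
        "SELECT line_item FROM reqs "
        "WHERE reqs_number = 'XXXXXXX' "
        "  AND rqj_timestamp = (SELECT max(rqj_timestamp) FROM reqs "
        "                       WHERE reqs_number = 'XXXXXXX') "
        "ORDER BY line_item"
    )
    return [r[0] for r in rows]


def latest_as_date(conn):
    """Same query with the text converted to a chronological key on both
    sides of the comparison before MAX is taken."""
    rows = conn.execute(
        "SELECT line_item FROM reqs "
        "WHERE reqs_number = 'XXXXXXX' "
        "  AND to_iso(rqj_timestamp) = (SELECT max(to_iso(rqj_timestamp)) FROM reqs "
        "                               WHERE reqs_number = 'XXXXXXX') "
        "ORDER BY line_item"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("MAX over text  :", latest_as_text(db))   # the 2009 rows, as the OP saw
    print("MAX over dates :", latest_as_date(db))   # the 06-AUG-2013 rows
```

The text version returns the two 08-MAY-2009 line items, exactly the wrong output reported in the question, and the converted version returns the two 06-AUG-2013 rows. Note that the row_number() form suggested in the other answer returns a single row, so with tied timestamps like these it picks one of the two arbitrarily unless a second ORDER BY key is added.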
