case sensitive HQL injection select - hql

I am a pentester and found an HQL injection point. I can extract the password hashes of the users, but I have to do that with more or less a blind select statement where I put an extra parameter in the where:
select count(userName) from DB where userName='admin' AND Password like 'INJECT%' AND '1'='1
For INJECT I just loop through all possibilities and get a yes or no response on whether it can find a password that starts with something. The INJECT part is the input that I have full control over.
Now my problem is that this LIKE query is case-insensitive, while a hash is case-sensitive.
So is there any way that I can make sure the LIKE query is executed case-sensitively from only this injection point? (So I cannot do actual HQL or SQL queries besides this.)

Whether the query is case sensitive is not an inherent characteristic of the LIKE operator or = or other string functions.
It has to do with the collation of the strings being compared. That is, if either string in your comparison is a string value with a case-sensitive collation, then the comparison will be case-sensitive.
If you can inject arbitrary SQL expressions, then you can inject an expression that converts the string to a case-sensitive collation.
Example: SQL Case Sensitive String Compare
There might be some variation in the syntax based on the brand of SQL database you use. You did not say which database you're using (unless you're one of those Microsoft users who say "SQL" when you mean "Microsoft SQL Server").
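An added example, not from the question or the answer above: the concatenated query pattern from the question reproduced in Python against an in-memory SQLite table (sample rows constructed here), beside the parameterized form that removes the injection point regardless of collation. SQLite's LIKE is case-insensitive for ASCII by default, which is the behaviour the question describes.

```python
import sqlite3

# Constructed sample data (not from the question): a user table with hash-like
# Password values so the LIKE-prefix behaviour described above can be observed.
SAMPLE_ROWS = [
    ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "e10adc3949ba59abbe56e057f20f883e"),
]

# The injected string from the question, with a concrete prefix in place of INJECT.
INJECTED = "admin' AND Password like '5f4d%' AND '1'='1"


def make_db():
    """In-memory SQLite stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_vulnerable(conn, user_name):
    """The pattern from the question: user input spliced into the query text.

    Whatever the input contains is parsed as part of the WHERE clause, so the
    extra AND condition is evaluated and the count reveals whether it held.
    """
    sql = f"select count(userName) from users where userName='{user_name}'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, user_name):
    """Hardened form: the input is bound as a value (the same idea as HQL's
    setParameter), so it can only ever be compared against userName."""
    sql = "select count(userName) from users where userName=?"
    return conn.execute(sql, (user_name,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # 1: the injected condition was evaluated and held
    print("vulnerable, injected:", count_vulnerable(db, INJECTED))
    # 1: LIKE on ASCII is case-insensitive, so the uppercase prefix also matches
    print("vulnerable, uppercase prefix:", count_vulnerable(db, INJECTED.replace("5f4d", "5F4D")))
    # 0: the whole string is compared as a literal user name
    print("parameterized, injected:", count_parameterized(db, INJECTED))
```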

Related

How can I use standard SQL on text fields of Elasticsearch without using the special Elasticsearch SQL operators?

I would like to create an SQL query on some text field (not keyword), for example the "name" field, and send that query to the Elasticsearch server.
My problem is that I need to use the standard SQL language (not the MATCH and QUERY operators, which are special to Elasticsearch SQL) on text fields.
When I tried to use the JDBC driver, or when I tried to use the high-level Java client with the LIKE operator, I got the following error:
"No keyword/multi-field defined exact matches for [name]; define one or use MATCH/QUERY instead"
I also tried to use the translate API of Elasticsearch, but even there I couldn't use the "LIKE" operator on text fields, only on keyword fields.
Does anyone have any solution for me? I want to use the LIKE operator on text fields instead of the full-text operators which are unique to Elasticsearch SQL.
Please check this documentation. They have clearly mentioned in the document that it is not possible:
One significant difference between LIKE/RLIKE and the full-text search
predicates is that the former act on exact fields while the latter
also work on analyzed fields. If the field used with LIKE/RLIKE
doesn’t have an exact not-normalized sub-field (of keyword type)
Elasticsearch SQL will not be able to run the query. If the field is
either exact or has an exact sub-field, it will use it as is, or it
will automatically use the exact sub-field even if it wasn’t
explicitly specified in the statement.
If you still want to use a text field then you need to enable a multi-field as mentioned here. Or you can try to enable fielddata on the text field, but I am not sure whether it will work with SQL or not.

How to construct subquery in the form of SELECT * FROM (<subquery>) ORDER BY column;?

I am using gorm to interact with a postgres database. I'm trying to ORDER BY a query that uses DISTINCT ON and this question documents how it's not that easy to do that. So I need to end up with a query in the form of
SELECT * FROM (<subquery>) ORDER BY column;
At first glance it looks like I need to use db.QueryExpr() to turn the query I have into an expression and build another query around it. However it doesn't seem gorm has an easy way to directly specify the FROM clause. I tried using db.Model(expr) or db.Table(fmt.Sprint(expr)) but Model seems to be completely ignored and fmt.Sprint(expr) doesn't return exactly what I thought. Expressions contain a few private variables. If I could turn the original query into a completely parsed string then I could use db.Table(query) but I'm not sure if I can generate the query as a string without running it.
If I have a fully built gorm query, how can I wrap it in another query to do the ORDER BY I'm trying to do?
If you want to write raw SQL (including one that has a SQL subquery) that will be executed and the results added to an object using gorm, you can use the .Raw() and .Scan() methods:
query := `
SELECT sub.*
FROM (<subquery>) sub
ORDER BY sub.column;`
db.Raw(query).Scan(&result)
You pass a pointer reference to an object to .Scan() that is structured like the resulting rows, very similarly to how you would use .First(). .Raw() can also have data added to the query using ? in the query and adding the values as comma separated inputs to the function:
query := `
SELECT sub.*
FROM (<subquery>) sub
WHERE
sub.column1 = ?
AND sub.column2 = ?
ORDER BY sub.column;`
db.Raw(query, val1, val2).Scan(&result)
For more information on how to use the SQL builder, .Raw(), and .Scan() take a look at the examples in the documentation: http://gorm.io/advanced.html#sql-builder

Searching for expression logic in Informatica mappings

Is it possible to search for an expression code in multiple Informatica mappings without manually going through the mapping? Say, by exporting the mapping into an XML or anything similar.
Example :
I need to search if we are using an expression where we check if a field is NULL like below :
IF(ISNULL(PORT1), CONDITION1, CONDITION2)
I need to search, say, N number of mappings to check if I am using the ISNULL function anywhere in the mapping, as we are going to replace all the NULLs in the database with default values and set all the fields to NOT NULL, and if the Informatica logic explicitly checks for ISNULL conditions, we would have to recode the logic.
Basically I need to do impact analysis, and need to check if and where there is an ISNULL condition used; it should be replaced with default values instead. Say the above condition looks like below:
IF(PORT1='', CONDITION1, CONDITION2)
Any assistance would be extremely appreciated.
Export all workflows from Repository Manager as a single XML. Then search for the expression. If this is something you need to do frequently, you can consider writing a utility script to do this and return the list of mapping names.
The easiest way is by exporting the workflow into XML, doing search and replace using any text editor, and then importing the workflow using Repository Manager.
If you want to check whether this is happening under an SQL override query then use a repository query on the metadata tables.

Query a table and only match rows where a field matches "STRING"

During prototyping I have imported a bunch of Facebook posts into a table in batches. After the first batch I did a bulk update to convert the "created_date" column from string to a native timestamp (using the handy r.ISO8601 function):
r.db('db').table('table').update({'created_date': r.ISO8601(r.row('created_date'))})
On the second pass, when I try to repeat this update, the server throws an error because not all row fields are of type STRING (i.e. the ones previously converted), which is what ISO8601 expects.
I've already tried to filter on r.row('created_date').typeOf() == "STRING" but got no matches. I can't find any other way to refer to the STRING type as an object rather than a literal string either.
I know that I could import these out and do the if/else logic in code, but I'm interested to understand if there's a native query that will filter out rows that match a certain type.
You have to use eq for comparing like this:
r.row('created_date').typeOf().eq("STRING")
Using == only works in some languages that support operator overriding.

LINQ Lambda Order in writing the query

I have the following query:
var query = db.Prog
    .Where(a => a.Prog != "00000" && a.fn != "Koll")
    .Select(a => new { a.Prog, a.MEfn })
    .OrderByDescending(a => a.MEfn);
The query works fine, but I'm wondering if there are general rules on the order in which you write a lambda LINQ query. Meaning, .Where comes before .Select, etc.
Can somebody enlighten me on the order in which LINQ needs to be written, or on best practices?
There isn't a best practice on the order in which you write a LINQ query, it will depend on if you want to do your filtering first, or your projection. For example in your case, you are projecting to an anonymous type which doesn't include the 'fn' property which your filter uses, so it wouldn't be available to use in a where clause if your select was first.
A better practice would be to give your properties less cryptic names. Also, 'fn' doesn't follow the PascalCase for property names, and if it's a field then it probably shouldn't be public.
Yours can be a good order.
Let's distinguish the case where db points to an SQL DB with a very good LINQ provider and the case where db is an in-memory object. I guess it's the first.
In case you are using a LINQ to SQL provider, the statements are evaluated only when you materialize the query into an object, so the SQL optimizer (inside the DB) will take care of the ordering of statements.
The reverse occurs when your statements are run against in-memory collections or against materialized collections coming from LINQ to SQL. In that case they are executed sequentially, so you want to execute first those statements that reduce the number of results in the collection. Where is the best candidate!!!
The order that they should be in is completely dependent on the context of what you are doing. So if your OrderBy is simply formatting the data to be friendly to view, put it at the end after you have trimmed your collection; if you're looking for the First value of a sorted collection, then maybe you would need it before the collection is iterated to get the first.