Tag: Query

How to determine Sender Score IP to look up if straight query fails?

I’m checking up on my email set-up and came across Sender Score as part of my research and tests.

We are sending email through Outlook’s mail server. Our original mailfrom domain is fieldworkhub.com. If I put that into Sender Score, I get “no data available”.

The DKIM records are validated from Fieldworkhub.onmicrosoft.com. That domain again doesn’t have any data. However, it shows around 300 related sending domains, like ACTStoma.onmicrosoft.com which do give you a sender score for some IPs if queried. Why does this not work for our domain? Are we not sending enough emails?

From the email headers, I can find that client-ip=40.107.11.139. Is that the correct IP to put into the query field? Is there another way to discover sending IPs that doesn’t require looking up email headers? For example, checking SPF records? If so, how do I do it?

Response seems to get redirected if SQL injection query succeeds, if not then it doesn’t get redirected

Under the authorization of my friend, I am testing his website against potential vulnerabilities.

I was trying to find if I was able to inject a SQL query into a POST request parameter hi' or 1=1 --:

query=hi'%20or%201%3d1%20--

I found that the document prints out:

<div class="error">index job,query: syntax error, unexpected '-' near '-'</div>

while with ' or 0=0 -- I get:

<div class="error">index job,query: syntax error, unexpected '|' near ' | 0=0) --'</div>

does this mean that it’s vulnerable to SQL Injection? If yes, how can I make it print server system data (like information, etc.)? By the way, if the string is correct it gets redirected to another webpage (I think that’s why SQLMap tells me the parameter is not SQL-injectable).

I can see the query works just if the URL gets redirected, but I won’t see the query output. If the URL doesn’t get redirected, I can see these SQL query errors. I’m trying to see how to get the output and do something more useful to attack the website, or even make it detectable from sqlmap.

The current command I’m using is sqlmap -r thework.txt -p query --dbs. thework.txt contains the full valid POST request.

Adding to the query string via input

I have a form that takes multiple input fields and makes an API request via GET.

The fields are not properly sanitizing input and I am able to add arbitrary parameters to the query string by submitting input such as test&color=red.

Instead of some sort of encoding, the resulting API query looks like api.com/search?field=search&color=red

I cannot think of any malicious use to this, as anybody could just hit this endpoint directly or use a proxy to bypass any client side validation.

If you were performing an application review, is this something that might be worth calling out?

How is this sqlmap query is correct?

I am practicing on some vulnerable application, and I am asked to find an injection vulnerability with a payload. it states there is a common and simple filter in place. Then I need to extract the flag value from the chlns table. So I use SQLmap to find it.

Please read below and correct me if I am wrong in any stage:

sqlmap -u 'http://www.site.com/game.php?name=sarah’ --dbs

When I run it, it asks that it is being redirected to facebook, and I press n to not do that. Then it continious and load 3 databases as such:

-- information_schema -- chlns -- people

on I run the following query:

sqlmap -u 'http://www.site.com/game.php?name=sarah’ -D chlns --tables

to get all the tables. After it starts running it gives the below error:

[ERROR] unable to retrieve the table names for any database do you want to use common table existence check? [y/N/q] y

Then it asks for a file or use the default wordlist. Which I used the default option. At the end it came up with a list of tables (13 overall) which then I used the below code for one of the sample table names:

sqlmap -u 'http://www.site.com/game.php?name=sarah’ -D chlns T- table --dump

this code asks for the same thing when i run it and want to run it through a worklist. each process takes a long time around 10/15 mins and each time it come up with an error like below: 

HTTP error code: 414 (Request-URI Too Large) [*N times...

And i get nowhere. Am I doing anything wrong here? or is there any easier way? the excercise mentiones there is a table called chlns but it seems chlns is a database instead. This could be the case as in another excercise chlns was the database and one was the name of the table that flag existed.

Is there any suggestions to make this process easier or any pro advice?

Thanks in advance,

Most efficient way to query a date range in Postgresql

I have a table with a timestamp with tz column. I want to perform a count / group by query for rows within a certain date range:

select count(1), url  from mytable  where viewed_at between '2019-01-01' and '2020-01-01';

viewed_at has a btree index applied, but when I view explain... it doesn’t appear to be using the index:

postgres=# explain select count(1), url from app_pageview where viewed_at < '2019-01-01' group by 2 order by 1 desc limit 10;                                                       QUERY PLAN                                                        -----------------------------------------------------------------------------------------------------------------------  Limit  (cost=2165636.99..2165637.02 rows=10 width=32)    ->  Sort  (cost=2165636.99..2165637.24 rows=101 width=32)          Sort Key: (count(1)) DESC          ->  Finalize GroupAggregate  (cost=2165609.22..2165634.81 rows=101 width=32)                Group Key: url                ->  Gather Merge  (cost=2165609.22..2165632.79 rows=202 width=32)                      Workers Planned: 2                      ->  Sort  (cost=2164609.20..2164609.45 rows=101 width=32)                            Sort Key: url                            ->  Partial HashAggregate  (cost=2164604.82..2164605.83 rows=101 width=32)                                  Group Key: url                                  ->  Parallel Seq Scan on app_pageview  (cost=0.00..2059295.33 rows=21061898 width=24)                                        Filter: (viewed_at < '2019-01-01 00:00:00+00'::timestamp with time zone)  JIT:    Functions: 13    Options: Inlining true, Optimization true, Expressions true, Deforming true (16 rows)

I have generated ~100M rows of dummy data to test this out.

How can I make it more efficient?

Would storing the viewed_at field as two different fields be any use (date and time)

SQL injection using URL query string (web application/php server)

Hacker is trying to attack the site by using the following SQL injection query to get the SQL version.

Using URL site. example:

www.abc.com/?queryParamString=(SELECT 9701 FROM(SELECT COUNT(*),CONCAT(0x71787a7171,(SELECT (ELT(9701=9701,1))),0x71767a6271,FLOOR(RAND(0)*2))X FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY X)a)

In my application, I am using prepared statmenets that queryParamString as a clear text into DB without any side effects.

My question:

  • Is there any best practices to sanitize the URL when PHP server receives a request to render the page.
  • Or any client-side practices?
  • Any pointers on how to prevent or how you would deal with this kind of attack

Are stored procedure query texts stored in any tables?

I don’t readily see anything in the sys schema objects, other than the DM_EXEC_SQL_TEXT function that requires a plan handle, but the procedures I’m trying to get their query texts from aren’t currently running. (Maybe there’s a way through their cached plans?…though the ones I’m looking for might not have a cached plan.)

Are the query texts of stored procedures stored anywhere that’s queryable?

I see sp_helptext might be an option: https://docs.microsoft.com/en-us/sql/relational-databases/stored-procedures/view-the-definition-of-a-stored-procedure?view=sql-server-ver15#TsqlProcedure

WordPress Query doesn’t return the correct value

According to this page:

Return #Return

(int|bool) Boolean true for CREATE, ALTER, TRUNCATE and DROP queries. Number of rows affected/selected for all other queries. Boolean false on error.

From this, I can see that I should get a “number of rows affected” value returned, however – it’s returning false.

Usually, this indicates an error and can see that a bool false on return = error. But this is where it gets a bit weird, the data is updated, yet the query is apparently a fail?

This my current code:

if (!$  this->conn->query($  this->conn->prepare($  this->qry, $  values))) {     var_dump($  this->conn->print_error()); }

which prints:

<div id="error"><p class="wpdberror"><strong>WordPress database error:</strong> []<br /><code>UPDATE `wp_eng_dm_dealers` SET name = &#039;foo&#039;, blurb = &#039;trey&#039;, email = &#039;foo@dummy.com&#039;, tel = &#039;123456&#039;, www = &#039;https://google.com/&#039;, addr_line_1 = &#039;some place&#039;, addr_line_2 = &#039;&#039;, addr_line_3 = &#039;&#039;, town = &#039;A town&#039;, county = &#039;county&#039;, post_code = &#039;SOME PLACE&#039;, lat = XYZ, lng = XYZ, dealer_type_id = 1, dealer_of_the_month = 1 WHERE id = 4</code></p></div>NULL

using the last_error property, I got:

string(0) “”

decoding the code wrapped in the <code> tag, I get a valid SQL statement, yet my conditionals never work because WP is returning a successful update as false. How can I go about debugging and resolving the issue?

WordPress version: 5.3.2

WP Query search for attachments and their exact title

Due to lack of reputation, I must now ask the question. I want to create a search for all images in the media libary. The search result should only appear if you search for the exact title of the image. I already tried it with ‘exact’ => true but it does not work. Still get similar images displayed. I have created a query with the following parameters:

<?php $  args = array(         'post_type' => 'attachment',         'post_mime_type' => 'image',         'orderby' => 'post_date',         'order' => 'desc',         'posts_per_page' => '30',         'post_status'    => 'inherit',          );       $  loop = new WP_Query( $  args );  while ( $  loop->have_posts() ) : $  loop->the_post();  $  image = wp_get_attachment_image_src( get_the_ID() ); echo "<img src='" . $  image[0] . "'>";  endwhile; ?>

Hope that somebody can help me.

Use SELECT query to retrieve UPDATE information

I am confused about inability of using UPDATE query inside SELECT queries. I got this idea, it would be amazing to use queries like follows for elegant reporting purposes

My non-working code:

SELECT (     UPDATE animals SET status=1 WHERE status=5 ) as 'total_changed_animals', (     UPDATE sports SET status=1 WHERE status=4 ) as 'total_changed_sports';

Problem:

In MySQL’s query docs there is written following:

UPDATE returns the number of rows that were actually changed.

That being said, in example above I would expect UPDATE subquery to return number of changed records into SELECT query. However this does not work, and query example mentioned avove will fail.

Can anyone explain why it is not allowed? I believe there may be a reason for this. Is there any workaround?