LAMPSecurity CTF8 - security

I am trying to use this code that was provided to me for a penetration test exercise. According to the author that created this, you enter this code and it will get the users' hashes from a machine we are trying to compromise. When I enter the code it does not return anything from the database. All I get is a ":" on the screen. Something does not seem right with this code; can you please help? My job is not to fix the code but to just query the information from the database to get the hashes for the users. I am just going based upon the instructions of the LAMPSecurity CTF8 pdf that was provided to me.
<?php
$res = db_query('select name,pass from users');
while ($rec = db_fetch_object($res)) {
print $rec→name . ":" . $rec→pass . "<br/>";
}
?>

Somewhere during the parsing of your PDF, the characters -> have been turned into the UTF8 equivalent of →.
However, → is not a valid operator in PHP.
Replace → with -> and try again.
Also, your code doesn't connect to the DB anywhere, so that may cause further issues.

Related

How to use fhir client search to include all resources i.e. ($everything)

How would you search for all resources for a given patient e.g. encounter, appointment, consent?
I know you could search for it via postman request http://localhost:9090/organId/Patient/12345/$everything and get the result. But I want to be able to execute the search query from my java program.
This is what I have so far, but I know the include part is not good and not working. Googling didn't return any result.
Bundle bundle = myFhirClient
.search()
.forResource(Patient.class)
.returnBundle(Bundle.class)
.where(new NumberClientParam(Patient.SP_RES_ID).exactly().number(patientId)).include(new Include("$everything"))
.sort(new SortSpec().setOrder(SortOrderEnum.DESC).setParamName(Patient.SP_RES_ID))
.execute();
Any help is much appreciated
I had to use Fhir Client operation instead of search. This will return all the reference resources for the given patientId.
Parameters outParams = myFhirClient
.operation()
.onInstance(new IdType("Patient", patientId))
.named("$everything")
.withNoParameters(Parameters.class) // No input parameters
.execute();

ModX Revo Insert to Database

I am a newbie in ModX, trying to insert into the database, but it always fails. This is my insert script:
<?php
define('MODX_CORE_PATH', '/aocore/');
define('MODX_CONFIG_KEY','config');
require_once MODX_CORE_PATH . 'model/modx/modx.class.php';
$host = 'localhost';
$username = 'asdsadsada';
$password = 'dsadsadsada';
$dbname = 'sadsadsadsadas';
$port = 3306;
$charset = 'utf8';
$dsn = "mysql:host=$host;dbname=$dbname;port=$port;charset=$charset";
$xpdo = new xPDO($dsn, $username, $password);
echo $o = ($xpdo->connect()) ? 'Connected' : 'Not Connected';
$results = $xpdo->query("insert into table_name (name,email) VALUES ('".$_POST['name'].",".$_POST['email']."')");
$stmt = $modx->prepare($results);
$stmt->execute();
?>
Please help, totally stuck here.
Thanks
Without seeing much of your database structure let alone any error log info it's very hard to debug/test your code because we can't reproduce anything.
By the looks of it you are not using objects. You may want to consider using your own schema and inserting the given records as objects in the DB. Have a look at this guide for more information on creating custom database tables in MODX.
Please make sure you're sanitizing the input that is being saved into the database with functions such as strip_tags() and htmlspecialchars() in order to prevent XSS and other injection attacks. Also make sure you are using prepared statements.
By looking at the code, however, I can see that you are executing the query() function, which is meant for querying the database (retrieving database records). If you want to execute SQL statements such as "INSERT" you will need to use the exec() function.
Example:
$xpdo->exec("INSERT INTO `table_name` (`name`,`email`) VALUES ('".htmlspecialchars(strip_tags($_POST['name']))."','".htmlspecialchars(strip_tags($_POST['email']))."')");
If you are not going to be using MODX objects you may find it easier to use PHP's PDO interface with prepared statements.
Well, if it is not too late. You didn't share the exact problem but I see something strange in your code:
...VALUES ('".$_POST['name'].",".$_POST['email']."')");
If the values from POST array get into the string, you have
...VALUES ('John,mail#mail.com')");
John,mail#mail.com' is a single value where as there should be two values for name and email. So, try to put ' inside your query like
...VALUES ('".$_POST['name']."','".$_POST['email']."')");

Docusign API PHP adding listitem to document causes error

I am sure I am not the first to encounter this, but I was unable to find a solution while Googling.
I am trying to add a drop-down list to my document. At the top of my model I am adding these namespaces:
use \DocuSign\eSign\Model\List;
use \DocuSign\eSign\Model\ListItem;
When doing so I get this error because "List" is a reserved word in PHP.
A PHP Error was encountered
Severity: Parsing Error
Message: syntax error, unexpected List (T_LIST), expecting identifier (T_STRING)
Filename: models/Docusign_model.php
Line Number: 19
I tried changing the name of the class from List to Elist but then I got errors from ObjectSerializer that it could not find Elist:swaggerType.
What am I missing on how to add a list to my document?
Thom
#thom I think this is really a "PHP" parsing question as is answered here for you Parse error: syntax error, unexpected (T_STRING), expecting variable (T_VARIABLE)
So I think the $ missing is your real issue as discussed in the referenced article above and below from PHP Manual.
http://www.php.net/manual/en/language.oop5.basic.php
Recommend you look at GIT example from SDK using CustomFieldList at https://github.com/docusign/docusign-php-client/blob/ccc86ac37334f34728361d73b2f8c4592225b8d2/src/Model/CustomFieldsEnvelope.php
excerpt
protected static $swaggerTypes = [
'list_custom_fields' => '\DocuSign\eSign\Model\ListCustomField[]',
'text_custom_fields' => '\DocuSign\eSign\Model\TextCustomField[]'
];
Also, maybe the first place to validate if you even need a specific "use" is by reviewing this PHP sample code from a good friend Ergin https://gist.github.com/Ergin008/d4a8b9210fbea41414b0
As I see it with most of the DocuSign SDKs, you have the client and specific services you want to use per excerpt below:
// Download PHP client: https://github.com/docusign/DocuSign-PHP-Client
require_once './DocuSign-PHP-Client/src/DocuSign_Client.php';
require_once './DocuSign-PHP-Client/src/service/DocuSign_RequestSignatureService.php';
require_once './DocuSign-PHP-Client/src/service/DocuSign_ViewsService.php';
Regardless if I am right or wrong, let us know if this helped you go in the right direction :-)

What is "sth" with respect to web traffic

Just wondering if anyone could enlighten me as to what sth might be. (Seen in Tranalyzer flow files.) Basically it's a web analysis category (ip address, port, sth, etc) but I'm not sure what is meant by it and there is no mention in the documentation.
(Also for bonus points what would a value of dir mean for sth?)
I'd appreciate any help.
sth means : STatement Handle
The connection to a database.
See http://perlmeme.org/tutorials/connect_to_db.html and https://stackoverflow.com/a/13208866/465183
Edit :
In perl, if I display the content of the object using Data::Dumper with a DBI script :
$VAR1 = bless( {}, 'DBI::st' );
but that's not very helpful. It only means that it's a DBI::st object.

alter date - postgreSQL and websockets

I am using websockets, nodejs v0.10.12 and also PostgreSQL 9.1, with PostGIS 2.0.
Now, on websockets, on the server side, in order to gather textual data and send them to the client I perform a query using node's pg plugin.
I have something like
var query = client.query('SELECT p_name,p_date FROM pins WHERE p_id ='+ja)
//send them and render in client as html
query.on("row", function (row, result) {result.addRow(row);});
query.on("end", function (result) {
for (var i=0; i<result.rows.length; i++){
connection.send(
'Name</br>'
+result.rows[i].p_name+
'</br>Date</br>'
+result.rows[i].p_date+
'</br>'
);
}
client.end();
});
Now, here is the tricky part. I want to render the date like 25/02/2012.
With the above code, I get Sat Feb 02 2002 02:00:00 GMT+0200 (Χειμερινή ώρα GTB)
To get DD/MM/YYYY I have to put a line of code like
SET datestyle = "SQL, DMY";
This is apparently PHP and I am using Javascript because I work with websockets.
The only thing I could think of is editing the above query like so
var query = client.query('SET datestyle = "SQL, DMY"; SELECT p_name,p_date FROM pins WHERE p_id ='+ja)
I don't get any errors, but on the client the date renders null.
How can I fix this?
Thanks
OK. Where to start?
This:
var query = client.query('SELECT p_name,p_date FROM pins WHERE p_id ='+ja)
is not the correct way to build a query. Use a parameterised query and protect yourself from SQL injection.
SET datestyle = "SQL, DMY";
This is apparently PHP and I am using Javascript because I work with websockets.
What? I'm trying to think of something constructive about this sentence, but the best I can think of is "What?". It is far from apparent that the above is PHP, because it isn't. The fact that you are sending it to the database ought to give you a hint that it's SQL. Also, you're not using javascript because you work with websockets. You're using javascript because you're using javascript - websockets are nothing to do with anything here.
The only thing I could think of...
Doesn't include looking in the manuals.
Go to the PostgreSQL website, click through to the documentation and manuals, and on the contents page click "Functions and Operators" and then "Data type formatting functions". Here is the link for you:
http://www.postgresql.org/docs/current/static/functions-formatting.html
You'll notice that the PostgreSQL developers not only produce extensive and detailed manuals, but they keep multiple versions online and make it simple to switch back and fore to see what's changed.
There is a whole section on this page on how to format date-times in different ways, with clear descriptions of each effect. I didn't find this using the documentation search or anything clever like that - just the obvious links on each page.
If you did a search you would find plenty on the datestyle parameter, and a little further digging would show that you can set it per-session or as a default for a given user or database.
Finally though, don't do it that way at all. Return ISO-standard date formats like #mu said (YYYY-MM-DD etc.) and format them in your javascript client code.
Oh - while I'm no expert, I'm not sure that </br> is valid HTML, XHTML or XML either. Did you perhaps mean <br/>?
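The advice in the answer above (a parameterised query, ISO dates from the server, formatting in JavaScript), shown as an added example that is not part of the original answer. It assumes node-postgres' `{ text, values }` query config; the function names are hypothetical, the sample row is constructed, and the HTML escaping goes beyond what the answer asks for.

```javascript
// Added example. Table and column names (pins, p_id, p_name, p_date) are
// from the question; every function name here is hypothetical.

// Query in the { text, values } config form that node-postgres
// client.query() accepts. The SQL text never changes; the id is bound to $1.
function buildPinQuery(id) {
  if (!/^\d+$/.test(String(id))) {
    throw new TypeError('p_id must be a non-negative integer');
  }
  return {
    // to_char() returns the date as ISO text, so the result does not depend
    // on datestyle or on how a JavaScript Date object prints.
    text: "SELECT p_name, to_char(p_date, 'YYYY-MM-DD') AS p_date " +
          'FROM pins WHERE p_id = $1',
    values: [Number(id)],
  };
}

// Presentation step, done in JavaScript: YYYY-MM-DD -> DD/MM/YYYY.
function isoToDMY(iso) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(iso);
  if (!m) throw new RangeError('expected YYYY-MM-DD, got ' + iso);
  return m[3] + '/' + m[2] + '/' + m[1];
}

// Escape stored text before it is placed into HTML sent to the browser.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderPin(row) {
  return 'Name<br/>' + escapeHtml(row.p_name) +
         '<br/>Date<br/>' + isoToDMY(row.p_date) + '<br/>';
}

// Constructed sample row, shaped like a result of buildPinQuery().
const sampleRow = { p_name: 'Harbour <east> & pier', p_date: '2012-02-25' };
console.log(buildPinQuery('42'));
console.log(renderPin(sampleRow));
// With pg: client.query(buildPinQuery(ja), function (err, result) { ... });
```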
