Advanced SQL Injection - Shutdown With Nowait Question
Jun 13, 2005
Hello:I am doing this small experiment on SQL Injection, and appearantly, I was asked to do the shutdown thing, which I have read about, but don't have a single idea how how to start.Well, basically, I am still confused about a few things:1. Do I need to create a stored procedure first, before I start hacking (shutting down the SQL Server)? Or can I just use a normal User Table?2. I understand that the clause "shutdown with nowait" only allows the sysadmin and serveradmin to do so, so is there anyway a hacker makes himself a sysadmin or serveradmin?3. And I read that only with the login user: "sa", you can perform that action. But in my company, its sql login is not "sa", it's something else, so can I do anything about it?Well, that's all for now. So, actually, I have a project that first requires the user to login and must provide password. (Since I am doing experiment on SQL Injection, thus, it is vunerable). It connects to the sql server to match if the user name entered exists on the table.I hope this information is enough to help anyone to help me hahahahaha.... crossed my finger, though.Thanks in advance.
I need to perform insert operation where a large number of records are to be inserted in a table. I do not want the users to wait for a long time while another user is performing the insertion operation. As i searched here n there, i found that lock_timeout helps me to perform the job. But the query works fine at times and at times it doesnot. I have also tried using nowait but the result is the same. Sometimes it wait for the lock to be removed, then after the previous user is done it performs the insertion operation and sometimes it gives the error message: "Msg 1222, Level 16, State 56, Line 1 Lock request time out period exceeded."
Hi, Is there any shutdown command in sql that shutdowns the sql server with a single command or statement, as of now I am using the windows shutdown command.
Is restarting a Windows OS box without first stopping the MSSQL service comparable to a shutdown with nowait command? I know that MSSQL will recover, but wouldn't it recover more nicely if it was shutdown on its own terms prior to the box shutting down? OR. Since it's a Windows service does the OS *know* to stop the service gently, allow the engineto place checkpoints on every db and then shut down the OS?
I've googled plenty and cannot find an exact answer. Lots say it's fine to do - doesn't mean it's right ;)
for the last six months or so my pc has been shutting down all applications for no apparent reason when a 'low virtual memory' bubble appears. I have removed dozens of items, such as games, image editos; all programmes that require a lot of memory but it is no good. Every 40mins or so the pc decides to shut everything down and where it is impossible to start any further applications, unless I log off and on or shut down the pc myself. I really am fed up with this, its so annoying. Is it because of a virus or do I still have too much on my pc?
I have an SSIS package that looks for the existence of a file (using Konesans file watcher) on the network to begin processing. I am trying to find a way to terminate/shutdown the entire process if that file is not out there by say 7:30 AM. I think I could set a timeout on the filewatcher task, but was hoping there was another tool I could use. (If the process had to be restarted late a timeout would still countdown the same period wouldn't it? We'd still need the job to stop by 7:30.)
More background. The package, once deployed, will be called from a command line script that is started by a scheduled task normally, or manually in the event of late availability.
What is the right procedure for shutdown a production web sqlserver for maintenace purpose. Checking users by sp_who? Any other monitoring for current connections? lockings?
I am just trying to find a good article on the process SQL goes through when shutting down and starting up, so far I have not found anything definitive on Google. I am assuming a checkpoint is invoked and committed transactions are written to disk, while uncommitted are rolled back, but I would like an official textual description of what happens.
I want to install SP2 for SQL 2012, but I am not sure how my instance would be affected.
I want to know if the instance will go down for any amount of time during the update? I can schedule a server reboot after hours, but don't want to apply the service pack if it will take the instance offline at any point.
Currently i am using SQL server 2005. Since the begining i am facing sqlserver service shutdown problem. Normally it happens in every 2-3 days and sometimes happens twice a day. It halts all the banking operation. After starting MSSQL SERVER service, the system goes online.
Following is the error message recorded in the event viewer. --------------- SQL Server is terminating because of fatal exception c0000005. This error may be caused by an unhandled Win32 or C++ exception, or by an access violation encountered during exception handling. Check the SQL error log for any related stack dumps or messages. This exception forces SQL Server to shutdown. To recover from this error, restart the server (unless SQLAgent is configured to auto restart). ---------------
Please tell me what steps i should take to resolve it.
I have a problem with an instance of SQL Server that refuses torespond to a shutdown request. I've managed to shutdown the SQLManager and DTC services but the sqlservr.exe process is permanentlyin a "Stopping" state.I cannot logon to the instance to issue a SHUTDOWN WITH NOWAITcommand. Short of rebooting the entire server, is there a way I canforce the process to end?Tony
While working on my Visual C# 2005 Express programs, I will sometimes open SQL 2005 Express to look at the database. Then I will disconnect the database and exit the SQL Server Management Studio Express.
Then when I run my Visual C# 2005 program the next time, I will always get this error message. "Cannot open user default database. Login failed...."
SqlCommand cmd = new SqlCommand("Select * from CableReading", tcrConn);
tcrConn.Open();
The error is being generated when "tcrConn.Open()" is being executed. This is line 27 of my program.
My question is: Am I shutting SQL 2005 Express down wrong when I go in and look at the database. The SQL 2005 Express is located on the same computer that I am writing my program on.
I copied the error message to the clipboard and copied into this thread.
System.Data.SqlClient.SqlException was unhandled Message="Cannot open user default database. Login failed. Login failed for user 'HDC\jfeeney'." Source=".Net SqlClient Data Provider" ErrorCode=-2146232060 Class=11 LineNumber=65536 Number=4064 Procedure="" Server="\\.\pipe\8A52A6B8-493D-45\tsql\query" State=1 StackTrace: at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK) at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject) at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart) at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance) at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance) at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options) at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) at System.Data.SqlClient.SqlConnection.Open() at WindowsFormsApplication1.Form1.button1_Click(Object sender, EventArgs e) in C: empTestCableReadingTestCableReadingForm1.cs:line 27 at System.Windows.Forms.Control.OnClick(EventArgs e) at System.Windows.Forms.Button.OnClick(EventArgs e) at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent) at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks) at System.Windows.Forms.Control.WndProc(Message& m) at System.Windows.Forms.ButtonBase.WndProc(Message& m) at System.Windows.Forms.Button.WndProc(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m) at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m) at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam) at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg) at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData) at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context) at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context) at System.Windows.Forms.Application.Run(Form mainForm) at WindowsFormsApplication1.Program.Main() in C: empTestCableReadingTestCableReadingProgram.cs:line 18 at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args) at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args) at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly() at System.Threading.ThreadHelper.ThreadStart_Context(Object state) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Threading.ThreadHelper.ThreadStart() InnerException:
SQL Server 2005 X64 Standard running on Windows Server 2003 X64 Htper Threaded Quad processors with 16 GB RAM.
I have had two production servers shut down this week due to Error 3449: SQL Server must shut down in order to recover a database (database ID 1). The database is either a user database that could not be shut down or a system database. Restart SQL Server. If the database fails to recover after another startup, repair or restore the database.
Previous to the shutdown I received multiple Error 3314 & 602: Could not find an entry for table or index with partition ID 491897996509184 in database 2. This error can occur if a stored procedure references a dropped table, or metadata is corrupted. Drop and re-create the stored procedure, or execute DBCC CHECKDB.
Also, Error 9001: During undoing of a logged operation in database 'msdb', an error occurred at log record ID (838:208:1). Typically, the specific failure is logged previously as an error in the Windows Event Log service. Restore the database or file from a backup, or repair the database.
Does anyone have an idea why I have begun receiving these error messages? I have run dbcc checkdb on Master and msdb and they do not show any problems.
What are the steps to be followed to shutdown a production sqlserver? (like checking user connections, termination processes etc) IIS is connecting to the database.
I have SQL Server 2014 Enterprise Edition with a number of in-memory tables sitting in my database.When server is restarted it takes many hours to recover my database if there was data in these in-memory tables before shutdown.As a result, I need to clean up in-memory tables every time before server instance shutdown. This is really annoying and requires extra prescriptive actions for support team. Can I have DDL server/database level trigger to catch shutdown event and clean my data before instance goes down?
I have Configured always on Availability groups between Server 1 Primary Replica(Active), server 2 Secondary Replica(Passive) on top of WCFS...
Listener Name: AGListner( CLIENTS/APPLICATIONS connect using this Name)
Testing Scenario 1(on Virtual Servers):
I have turned network down on Server 1(primary) , then secondary server (Passive ) one came ONLINE and this is now the primary and i was able to connect to AGListner.now When i try to SHUTDOWN/POWER OFF PRIMARY(current Active server),failover happened to Secondary successfully but lost cluster and lost AGListner and was not able to connect ....now applications which are trying to connect using AGListenr name will loose all connections..does AlwaysOn Availability does not support Server SHUTDOWN/POWER OFF?or is there a way to resolve this? or am i doing wrong somewhere?
- Have server1 and server2 - The job has 3 steps: + Step1: check server1 is running, next step2 Server1 is shutdown or can not ping, next step3 + Step2: do anything, for Example: run batch exe on server1 + Step3: do anything, for Example: run batch exe on server2
Step1, i am using ping server1 command,
My problem is if server1 is shutdown, my command (ping server1) is also return true
and in the fact, job is run by follow Step1 -> Step2.
Expectation the job is run by follow step1 -> Step3
Got this situation, trying to do Use SignleMode to recover my handing db, after that lost ldf (and physically too). Tried all things thru SSMS and scripts (below) that I know with no result, is there anything else I can try to recover it, I don't need log file.
An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)
Could not open new database 'MyLostDB'. CREATE DATABASE is aborted.
File activation failure. The physical file name "C:xxxMyLostDB.ldf" may be incorrect.
The log cannot be rebuilt because there were open transactions/users when the database was shutdown, no checkpoint occurred to the database, or the database was read-only. This error could occur if the transaction log file was manually deleted or lost due to a hardware or environment failure. (Microsoft SQL Server, Error: 1813)
EXEC sp_attach_single_file_db @dbname='Commissions', @physname=N'C:SQLDataMyLostDB.mdf' GO CREATE DATABASE Commissions ON (FILENAME = N'C:SQLDataMyLostDB.mdf') FOR ATTACH_REBUILD_LOG GO
This is my code: CommandText = "SELECT * FROM Products"
If textboxStockID.Text.Length > 0 Then CommandText = CommandText & " where [StockID] like '%" & textboxStockID.Text & "%'" End If Is this subject to the sql injection bug... if so, what changes do I need to make? Canning
What is the best way to avoid SQL injection?I know not to do stuff in Visual Basic such as...
Dim objCmd As New SqlCommand("SELECT * FROM mytable where id ='" & Request.QueryString("id") & '" , objConn)As it's best to use stored proceduresIs there any other problems you guys might have had happen to you or other possibilites for attackers that I should know about? Cheers
I manage a VBSript/ASP/IIS/SQL website for a nonprofit, and our website has been hacked by SQL injections. I have changed the code on the website so it can't access the database, cleaned the database, backed up the database, but now need to find a way to tighten up the security so it won't happen again. We're a non-profit- so the server is Windows 2000 Terminal SP4 (yeah, I know, it's old, bear with me). I was using the following code to access the database from the website: dbconn.open "DSN=cptigers;UID=sqlwebaccess;Password=password" (where cptigers is the name of the DSN connection with SQL server authentication). So far, I've removed read permission in IIS on the include file that I use to open the database. I've changed the data source to use Windows NT authentication, and set the SQL login MDBCA/cptigers (this is the IIS login) to have public and db_denydatawriter roles. But I'm not sure how to call this database connection in the code (how do you define the IIS user and password?), and not sure if this is sufficient to protect from future SQL injections. Am I heading the right direction? Thanks, Amanda
Hi All:I can't seem to get this thing work... When I type this in a textbox : '; exec master.dbo.sp_addsrvrolemember 'redice','sysadmin' -- , there's no respond, I mean, I check redice's role, but the System Administrators is not checked.Any idea about this?Thanks in advance.
Does anyone have any insight regarding SQL injection involving a table name t_jiaozhu? Is this a new hack script or old? I am having a hard time finding any clear details other than ways to stop injection from happening. This I know, what I am trying to figure out is what damaged may have been caused (worse case) and what would be a good plan of attack to figure out what steps suceeded/failed.
I have a windows 2003 server with SQL Express 2005. The server has about 15 websites and uses ASP Hackers somehow are creating NT Administrator Users on the server and then logging in with Terminal Services.
I ran thru SQL injection and tried to stop these attacks by stopping keywords in the SQL, but they still happen
Can anyone help, I really cant afford to pay for a security analyst so any advice would be nice.
Hi there. I use MS Enterprise library to get access to my MSSQL database. All actions are performed by stored procedures. Should I check the input parameters for "bad" symbols such as ' or union words or the library do all this for me? Thanks.
I want to inject a "where" criteria parametrically, but I can't get this to work:
CREATE PROCEDURE dbo.CopyTestCases @Criteria varchar(255) AS
declare @t table(NID int not null);
set transaction isolation level serializable; begin tran; insert into TestIT (Product,CatID,Category,Title) output inserted.TestID into @t( NID) select Product,CatID,Category,Title from TestIT where @Criteria order by TestID;
commit; GO
I get the message "An expression of non-boolean type specified in a context where a condition is expected". How do I fix this?
