I am trying to create a Java servlet with a NoSQL injection vulnerability. I've connected the servlet with MongoDB, and to check if the login info submitted by the user exists, I'm doing the following query:
String andQuery = "{$and: [{user: \""+u+"\"}, {password: \""+p+"\"}]}";
Where u is the user and p is the password given by the user.
From what I've seen this is correct, and the NoSQL injection should exist, but I really don't know how to prove it.
I've tried submitting this with Burp:
username[$ne]=1&password[$ne]=1
But it's not working, and when I check the content of u and p after I submitted that, the content of both variables is null.
I don't have the servlet configured to receive JSON objects, so I need a solution that doesn't involve sending a JSON object with Burp.
PS: I also tried to insert something like this:
{\"$gt\":\"\" }
in the user and password fields, but the resulting query is
{"$and": [{"user": "{\"$gt\":\"\" }"}, {"password": "{\"$gt\":\"\" }"}]}
I guess this doesn't work because the {"$gt":"" } is in quotes. How can I make the servlet vulnerable, and with which input would it be vulnerable?
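The concatenated query from the question beside a typed filter, as an added example that is not part of the original post. It assumes the org.bson library from the MongoDB Java driver is on the classpath; the class and method names are hypothetical.

```java
import org.bson.Document;

public class LoginFilterExample {

    // Pattern from the question: the input becomes part of the query text,
    // so the JSON parser decides how much of it is data.
    static Document concatenated(String u, String p) {
        return Document.parse(
            "{$and: [{user: \"" + u + "\"}, {password: \"" + p + "\"}]}");
    }

    // Hardened form: field names are fixed and each input is bound as a
    // String value, so it is never parsed as query syntax.
    static Document typed(String u, String p) {
        // getParameter() returns null when no parameter has exactly that
        // name; reject it rather than querying with null.
        if (u == null || p == null) {
            throw new IllegalArgumentException("missing credential parameter");
        }
        return new Document("user", u).append("password", p);
    }

    // True when the concatenated query no longer parses for this input.
    static boolean breaksConcatenatedQuery(String u, String p) {
        try {
            concatenated(u, p);
            return false;
        } catch (RuntimeException e) { // parser error raised by org.bson
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary name, a name containing a
        // double quote, and the operator text from the question (unescaped).
        String[] samples = { "alice", "O\"Brien", "{\"$gt\":\"\" }" };
        for (String s : samples) {
            Document filter = typed(s, "secret");
            System.out.println("typed filter   : " + filter.toJson());
            System.out.println("value is String: " + (filter.get("user") instanceof String));
            System.out.println("concat breaks  : " + breaksConcatenatedQuery(s, "secret"));
        }
    }
}
```

In the servlet, the typed filter would be passed to the collection's find call in place of the parsed string.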
In JSP how do I get parameters from the URL?
For example I have a URL www.somesite.com/Transaction_List.jsp?accountID=5
I want to get the 5.
Is there a request.getAttribute( "accountID" ) like there is for sessions or something similar?
About the Implicit Objects of the Unified Expression Language, the Java EE 5 Tutorial writes:
Implicit Objects
The JSP expression language defines a set of implicit objects:
pageContext: The context for the JSP page. Provides access to various objects including:
servletContext: The context for the JSP page’s servlet and any web components contained in the same application. See Accessing the Web Context.
session: The session object for the client. See Maintaining Client State.
request: The request triggering the execution of the JSP page. See Getting Information from Requests.
response: The response returned by the JSP page. See Constructing Responses.
In addition, several implicit objects are available that allow easy access to the following objects:
param: Maps a request parameter name to a single value
paramValues: Maps a request parameter name to an array of values
header: Maps a request header name to a single value
headerValues: Maps a request header name to an array of values
cookie: Maps a cookie name to a single cookie
initParam: Maps a context initialization parameter name to a single value
Finally, there are objects that allow access to the various scoped variables described in Using Scope Objects.
pageScope: Maps page-scoped variable names to their values
requestScope: Maps request-scoped variable names to their values
sessionScope: Maps session-scoped variable names to their values
applicationScope: Maps application-scoped variable names to their values
The interesting parts are in bold :)
So, to answer your question, you should be able to access it like this (using EL):
${param.accountID}
Or, using JSP Scriptlets (not recommended):
<%
String accountId = request.getParameter("accountID");
%>
In a GET request, the request parameters are taken from the query string (the data following the question mark on the URL). For example, the URL http://hostname.com?p1=v1&p2=v2 contains two request parameters, p1 and p2. In a POST request, the request parameters are taken from both the query string and the posted data, which is encoded in the body of the request.
This example demonstrates how to include the value of a request parameter in the generated output:
Hello <b><%= request.getParameter("name") %></b>!
If the page was accessed with the URL:
http://hostname.com/mywebapp/mypage.jsp?name=John+Smith
the resulting output would be:
Hello <b>John Smith</b>!
If name is not specified on the query string, the output would be:
Hello <b>null</b>!
This example uses the value of a query parameter in a scriptlet:
<%
if (request.getParameter("name") == null) {
out.println("Please enter your name.");
} else {
out.println("Hello <b>"+request.getParameter("name")+"</b>!");
}
%>
Use EL (JSP Expression Language):
${param.accountID}
If I may add a comment here...
<c:out value="${param.accountID}"></c:out>
doesn't work for me (it prints a 0).
Instead, this works:
<c:out value="${param['accountID']}"></c:out>
request.getParameter("accountID") is what you're looking for. This is part of the Java Servlet API. See http://java.sun.com/j2ee/sdk_1.3/techdocs/api/javax/servlet/ServletRequest.html for more information.
String accountID = request.getParameter("accountID");
www.somesite.com/Transaction_List.jsp?accountID=5
For this URL there is a method call, request.getParameter, in Java. If you want a number here, cast it into int; similarly, for a string value, cast it into string. So for your requirement, just copy and paste the line below into the page:
int accountId = Integer.parseInt(request.getParameter("accountID"));
You can now use this value through accountId in the whole page.
Here accountId is the name of the parameter. You can also get more than one parameter using this, but this does not work. It will only work with the GET method; if you hit a POST request then there will be an error.
Hope this is helpful.
For example, if you wanted to delete the subject record with its subject_id:
@RequestMapping(value="subject_setup/delete/{subjectid}",method = RequestMethod.GET)
public ModelAndView delete(@PathVariable int subjectid) {
subjectsDao.delete(subjectid);
return new ModelAndView("redirect:/subject_setup");
}
and the parameter will be used for input on your query
public int delete(int subjectid) {
String sql = "update tbl_subject set isdeleted= '1' where id = "+subjectid+"";
return template.update(sql);
}
page 1 :
Detail
page 2 :
<% String id = request.getParameter("userid");%>
// now you can use id for sql query of hsql detail product
I am attempting to learn how to use a querystring. My goal is to modify a servlet and from that be able to pull data from a querystring in my URL. I specifically need to show the "action". My URL querystring is to be entered as
?param1=val1&param2=val2. I attempted to modify my servlet's processRequest with the following line:
out.println("<p>" + request.getParameter("<p> Action is" [value] "</p>") +</p>);
Any ideas of where to go from here? I'm getting several errors.
You are retrieving invalid values from the request parameters.
More specifically, based on your querystring you should retrieve the parameters param1 and param2, which will contain values val1 and val2 respectively, like so:
String p1 = request.getParameter("param1");
String p2 = request.getParameter("param2");
System.out.println("params: 1:"+p1+" 2:"+p2);
How do I give data from one servlet to the next?
Anything after ? is part of the query string. In a Servlet, each key-value pair in the query string becomes a request parameter.
If you have access to the HttpServletRequest, you can access them with HttpServletRequest#getParameter(String). For example
request.getParameter("myId");
I have a URL www.test.com/myshort/myapp/mypage.jsp, where myshort is a column value in my database.
I will later query for the id of this shortName (in this example it is 'myshort') which I am doing as
select id from mytable where shortName='myshort';
How can I extract the 'myshort' value from the entire URL? I can't do request.getParameter() since this is not a part of the url parameter. So I am trying to use request.getURI().
Can you please tell me how do I parse and get shortName using request.getURI()?
I suggest the use of Spring MVC framework for this type of server programming. It gives you the ability to map request patterns with the actual urls and extract such values from the URL.
I figured out a solution/alternative to my issue. I could go ahead and edit web.xml and specify the url format there.
But this is how I solved my issue. I took off the shortName coming from the URL and stuck it in as a URL parameter. This is much easier to access than what I was thinking earlier.