PaulDotCom mailing list archives

sqli in a limit with an order


From: Robin Wood <robin () digininja org>
Date: Sun, 21 Apr 2013 22:09:54 +0100

Hi,

I'm trying to work out if it is possible to use this injection to extract
data:

select a,b,c from tab order by x limit <injection>

Normally with a limit I'd do a union, but you can't do a union if there is
an order by unless the first query is wrapped in brackets:

(select a,b,c from tab order by x limit 1) union select blah

would work, but without the brackets it fails.

I tried a subselect to generate the number that goes in the limit:

select a,b,c from tab order by x limit (select 2)

but that doesn't work either.

An "into outfile" works but unfortunately I can't find anywhere in the web
root to write the data to and there is no LFI to read the data out of other
directories.

Can anyone suggest anything else that I can try?

Robin
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
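For readers on the defending side, the following is an added example (not part of Robin's post or anything from the PaulDotCom list) showing why a LIMIT value that is concatenated into the query text is an injection point, and how to close it: the limit is validated as a small non-negative integer and bound as a statement parameter instead of being pasted into the SQL. It assumes SQLite (via Python's `sqlite3`) and a constructed table `tab` with columns `a`, `b`, `c`, `x`; `MAX_ROWS`, `parse_limit`, `query_vulnerable` and `query_safe` are names chosen here. MySQL prepared statements likewise accept a bound `LIMIT ?` parameter.

```python
import re
import sqlite3

# Constructed sample schema and rows so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tab (a INTEGER, b TEXT, c TEXT, x INTEGER)")
    conn.executemany(
        "INSERT INTO tab VALUES (?, ?, ?, ?)",
        [(1, "r1", "one", 3), (2, "r2", "two", 1), (3, "r3", "three", 2)],
    )
    return conn


def query_vulnerable(conn, limit_param):
    # The pattern from the post: whatever the client sends becomes part of
    # the SQL text after LIMIT, so SQL expressions are evaluated by the engine.
    sql = f"SELECT a, b, c FROM tab ORDER BY x LIMIT {limit_param}"
    return conn.execute(sql).fetchall()


MAX_ROWS = 100                      # upper bound on what a client may request
_DIGITS = re.compile(r"[0-9]{1,4}")  # digits only, at most four of them


def parse_limit(raw):
    """Validate an untrusted limit value: digits only, capped at MAX_ROWS.

    Anything that is not a plain non-negative integer is rejected outright,
    which removes the possibility of smuggling SQL syntax into the clause.
    """
    if not isinstance(raw, str) or _DIGITS.fullmatch(raw) is None:
        raise ValueError("limit must be a small non-negative integer")
    return min(int(raw), MAX_ROWS)


def query_safe(conn, limit_param):
    # The value is bound as a parameter; it can only ever be a number here.
    n = parse_limit(limit_param)
    return conn.execute(
        "SELECT a, b, c FROM tab ORDER BY x LIMIT ?", (n,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_safe(db, "2"))           # two rows, ordered by x
    try:
        query_safe(db, "(select 2)")     # the subselect from the post
    except ValueError as err:
        print("rejected:", err)
```

The subselect text quoted in the post is a useful regression input for the validator: the concatenating version hands it to the database as SQL, while the validating version never lets it reach the query at all.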