Re: Quite basic SQL injection question

[arvind doraiswamy <arvind.doraiswamy () gmail com>]

Hi Alexandre,
Have you looked at 'completing the syntax' of the SQL query itself
after injection? For e.g A sample query could eventually look like -
"select * from table1 m JOIN table2 t UNION SELECT 1,2,3 from
dual"--ORDER BY m.field1, t.field2";

Note the extra " after dual? I'm just saying - whatever your syntax is
- try and complete that AFTER you're done injecting.

Another thing that has often worked for me is validating my syntax at
a MySQL prompt itself. This helps me know that my SQL syntax itself
isn't wrong.

All the best!

Arvind

On Mon, Apr 18, 2011 at 1:21 PM, Alexandre De Dommelin
<adedommelin () tuxz net> wrote:
> Hi all,
>
> I'm evaluating PHP/Mysql code and I found a problem, in the following code :
> <?php
> $query="
> SELECT *
> FROM table1 m JOIN table2 t
> $condition
> ORDER BY m.field1, t.field2
> ";
> $db->query($query);
> ?>
>
> I'm able to inject everything I want into $condition, but I can't manage to
> make the ORDER clause to be ignored (using -- /* ...), which leads to an sql
> error.
> I'm sure it's quite stupid but I have to admit that i'm stucked ...
>
> Do you have an idea ?
>
> Bests,
>
> Alex
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAk2r7ZIACgkQRiuXGItTIgy72gCeKY8SQGwhm/BgtGFhT1gUFjwA
> 6eAAn10ex7ah3SHTjSD49sWHpqzJ47lz
> =4t0L
> -----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------