Penetration Testing mailing list archives

Re: ORDER BY sql injection help


From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Mon, 15 Jun 2009 18:12:37 +0530

The ORDER BY is to determine how many columns are referenced by that
part of the application. Only once you get the number of columns can
you use a UNION SELECT query to try and obtain more data from the
database from other more interesting columns. So say you kept putting
in 1 to X and something changed at 10... you know that there are 10
columns in that SQL query made by the application.

Now you start using the UNION SELECT and find out where data from
those 10 columns gets actually displayed on screen and put your
further detailed SQL queries in there, e.g. @@version for MySQL or
user() to find the current user and so on.

There's tons of info on UNION SELECT and ORDER BY Injection though
online starting off with those cool Chris Anley papers. Hope this
helps.

Cheers
Arvind

On Fri, Jun 12, 2009 at 2:15 AM, <lister () lihim org> wrote:
Requesting assistance.

An application uses GET and one of the parameters translates to an ORDER BY
in an Oracle SQL query.

I can put in 1 through X where X is a column number to order the output up to X columns.

I can also get ORA errors, so I know I have direct access to the SQL query.

I'm looking for references on possible queries for a query with an injectable
ORDER BY clause.  I'm not sure if it is possible to break out of the ORDER BY
to query other data.
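
On the defensive side of this thread: a sort column cannot be passed as a bind variable, so the application has to map the request parameter to a fixed identifier before it reaches the query. The following is an added example, not part of either post; it uses Python's sqlite3 as a stand-in for the Oracle backend, and the table, column and function names are hypothetical.

```python
import sqlite3

# Allowlist: public sort key -> fixed column identifier. Keys and columns are
# hypothetical; the point is that request input never becomes SQL text.
SORT_COLUMNS = {"name": "name", "created": "created_at", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_param, direction_param="asc"):
    """Return an ORDER BY clause built only from allowlisted identifiers.

    Column positions (1..X), expressions and unknown names all raise
    ValueError, so probing the parameter yields one uniform application
    error instead of a database error.
    """
    column = SORT_COLUMNS.get(str(sort_param).strip().lower())
    direction = SORT_DIRECTIONS.get(str(direction_param).strip().lower())
    if column is None or direction is None:
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {direction}"


def list_products(conn, sort_param, direction_param, max_price):
    """Values use bind parameters; only allowlisted identifiers are
    interpolated, because identifiers cannot be bound."""
    sql = "SELECT name, price FROM products WHERE price <= ? "
    sql += build_order_by(sort_param, direction_param)
    return conn.execute(sql, (max_price,)).fetchall()


def demo_connection():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, created_at TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("widget", 9.5, "2009-06-01"),
        ("gadget", 4.0, "2009-06-10"),
        ("doohickey", 20.0, "2009-05-20"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(list_products(conn, "price", "asc", 100))
    for probe in ("3", "name, price"):  # constructed rejected inputs
        try:
            build_order_by(probe)
        except ValueError as exc:
            print(repr(probe), "->", exc)
```

Catching the ValueError at the request handler and returning a generic response also keeps ORA-style error text out of the page.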
