Penetration Testing mailing list archives
Re: ORDER BY sql injection help
From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Date: Mon, 15 Jun 2009 18:12:37 +0530
The ORDER BY is to determine how many columns are referenced by that part of the application. Only once you get the number of columns can you use a UNION SELECT query to try and obtain more data from the database from other more interesting columns. So say you kept putting in 1 to X and something changed at 10... you know that there are 10 columns in that SQL query made by the application. Now you start using the UNION SELECT and find out where data from those 10 columns gets actually displayed on screen and put your further detailed SQL queries in there. eg. @@version for MySQL or user() to find the current user and so on. There's tons of info on UNION SELECT and ORDER BY Injection though online starting off with those cool Chris Anley papers. Hope this helps. Cheers Arvind On Fri, Jun 12, 2009 at 2:15 AM, <lister () lihim org> wrote:
Requesting assistance. An application uses GET and one of the parameters translates to an ORDER BY in an Oracle SQL query. I can put in 1 through X where X is a column number to order the output up to X columns. I can also get ORA errors, so I know I have direct access to the SQL query. I'm looking for references on possible queries for a query with an injectable ORDER BY clause. I'm not sure if it is possible to break out of the ORDER BY to query other data.
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- ORDER BY sql injection help lister (Jun 12)
- Re: ORDER BY sql injection help Trace (Jun 15)
- RE: ORDER BY sql injection help SuRGeoN (Jun 15)
- Re: ORDER BY sql injection help arvind doraiswamy (Jun 15)
- Re: ORDER BY sql injection help Robin Wood (Jun 15)