Hi Chris.

In those kinds of cases UNION injection should be a solution.

As LIMIT doesn't accept a subquery as an operand, you have to append a UNION
ALL SELECT to the original value (foo in your case) and necessarily add a
comment to the end (e.g. --) to neutralize the second operand of the affected
LIMIT part.

To make it short, LIMIT doesn't accept subqueries and standard non-UNION
based injection techniques should fail (as they "seed" their payload into
the affected SQL form - in this case LIMIT).

Kind regards,
Miroslav Stampar

On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley
<christopher.oak...@gmail.com> wrote:

> Hi All
>
> I have found that an application has a rewritten URL element that ends up
> in a SQL query.  The error message tells me that I'm injecting into the
> LIMIT number at the end of the query.  This appears to be the only point of
> injection for now.
>
> A simplified version of the query that's being injected into is:
>
> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC,
> created_date DESC LIMIT foo, 10
>
> 'foo' is my injection and of course gives a syntax error.
>
> I know that apostrophes/ticks (as in the ' character) are blocked as a
> minimum.
>
> Does anyone have any experience injecting this late in a query?  Any ideas
> would be greatly received.
>
> Regards
>
> Chris
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>


-- 
Miroslav Stampar
http://about.me/stamparm
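
The defensive side of this thread, as an added example that is not part of the original e-mails or of sqlmap: the LIMIT operand is numeric, so the apostrophe filter mentioned in the question does not constrain it, and the fix is a validated integer passed as a bound parameter. It uses Python's sqlite3 (which accepts the same `LIMIT offset, count` form) with a constructed `posts` table; the function names and the offset bound are assumptions.

```python
import sqlite3

PAGE_SIZE = 10

def make_db():
    """Constructed sample data standing in for the thread's `posts` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, site_id TEXT, "
               "post_date TEXT, created_date TEXT)")
    db.executemany(
        "INSERT INTO posts (site_id, post_date, created_date) VALUES (?, ?, ?)",
        [("1", f"2012-08-{d:02d}", f"2012-08-{d:02d}") for d in range(1, 4)],
    )
    return db

def list_posts_vulnerable(db, offset):
    # 'Before' form: the URL element is pasted straight into the LIMIT operand.
    # A quote filter does not help here: a numeric operand needs no quotes.
    sql = ("SELECT id FROM posts WHERE site_id = '1' "
           "ORDER BY post_date DESC, created_date DESC "
           f"LIMIT {offset}, {PAGE_SIZE}")
    return [row[0] for row in db.execute(sql)]

def parse_offset(raw, maximum=100_000):
    # Accept only a plain non-negative decimal integer within a sane bound
    # (the bound is an assumption; pick one that fits the application).
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit()):
        raise ValueError("offset must be a non-negative integer")
    value = int(raw)
    if value > maximum:
        raise ValueError("offset out of range")
    return value

def list_posts_hardened(db, raw_offset):
    # 'After' form: validated integer, passed as a bound parameter, so the
    # URL element can never become SQL text.
    sql = ("SELECT id FROM posts WHERE site_id = ? "
           "ORDER BY post_date DESC, created_date DESC LIMIT ?, ?")
    params = ("1", parse_offset(raw_offset), PAGE_SIZE)
    return [row[0] for row in db.execute(sql, params)]
```

With the vulnerable form, the value `foo` reaches the database and produces the kind of SQL error described in the question; with the hardened form it is rejected before any query is built.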