Thanks Miroslav, I'll give it a go!
On 3 August 2012 16:15, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
> Hi Chris.
>
> In those kinds of cases UNION injection should be a solution.
>
> As LIMIT doesn't accept a subquery as an operand you have to append a UNION
> ALL SELECT to the original value (foo in your case) and necessarily add a
> comment to the end (e.g. --) to neutralize that second operand of the affected
> LIMIT part.
>
> To make it short, LIMIT doesn't accept subqueries and standard non-UNION
> based injection techniques should fail (as they "seed" their payload into
> the affected SQL form - in this case LIMIT).
>
> Kind regards,
> Miroslav Stampar
>
> On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <christopher.oak...@gmail.com> wrote:
>
>> Hi All
>>
>> I have found that an application has a rewritten URL element that ends up
>> in a SQL query. The error message tells me that I'm injecting into the
>> LIMIT number at the end of the query. This appears to be the only point of
>> injection for now.
>>
>> A simplified version of the query that's being injected into is:
>>
>> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC,
>> created_date DESC LIMIT foo, 10
>>
>> 'foo' is my injection and of course gives a syntax error.
>>
>> I know that apostrophes/ticks (as in the ' character) are blocked as a
>> minimum.
>>
>> Does anyone have any experience injecting this late in a query? Any
>> ideas would be greatly received.
>>
>> Regards
>>
>> Chris
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> sqlmap-users mailing list
>> sqlmap-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>>
>
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
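
The application-side fix for the query pattern discussed in this thread, as an added example that is not part of the original messages and is not sqlmap code. It shows the concatenated numeric LIMIT operand, which an apostrophe filter does not protect, next to a hardened form that parses the offset as an integer and binds it as a parameter. SQLite stands in for the real database, and the function names, `MAX_OFFSET` and the sample rows are assumptions made for the example.

```python
import sqlite3

PAGE_SIZE = 10        # fixed row count, as in the thread's "LIMIT foo, 10"
MAX_OFFSET = 100_000  # assumed upper bound for this example

def build_query_unsafe(raw_offset: str) -> str:
    """Pattern from the thread: apostrophes are filtered, then the URL
    element is concatenated into the numeric LIMIT operand."""
    filtered = raw_offset.replace("'", "")
    return ("SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, "
            "created_date DESC LIMIT " + filtered + ", 10")

def parse_offset(raw_offset: str) -> int:
    """Accept only a plain ASCII decimal integer within bounds."""
    if not (raw_offset.isascii() and raw_offset.isdigit()):
        raise ValueError("offset must be a non-negative integer")
    offset = int(raw_offset)
    if offset > MAX_OFFSET:
        raise ValueError("offset out of range")
    return offset

def fetch_posts(conn, site_id, raw_offset):
    """Hardened form: validated integer, every value bound as a parameter."""
    offset = parse_offset(raw_offset)
    return conn.execute(
        "SELECT id, post_date FROM posts WHERE site_id = ? "
        "ORDER BY post_date DESC, created_date DESC LIMIT ?, ?",
        (site_id, offset, PAGE_SIZE)).fetchall()

def make_demo_db():
    """Constructed sample data: 25 posts for site '1'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, site_id TEXT, "
                 "post_date TEXT, created_date TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, '1', ?, ?)",
        [(i, f"2012-07-{i:02d}", f"2012-07-{i:02d}") for i in range(1, 26)])
    return conn

if __name__ == "__main__":
    conn = make_demo_db()
    print(build_query_unsafe("foo"))    # non-numeric text reaches the SQL parser
    print(fetch_posts(conn, "1", "20"))
    for raw in ("foo", "-1", "10 --"):  # constructed non-integer inputs
        try:
            fetch_posts(conn, "1", raw)
        except ValueError as exc:
            print(repr(raw), "rejected:", exc)
```
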