You might remember my old question (here); it was about SQL Injection if the LIMIT was user input. Now things have changed a little bit, and I'm wondering if SQL Injection is possible with ORDER BY.
If you're interested in why things changed, read this portion; if not, then skip it:
Apparently, I was mistaken to think LIMIT was injectable; even though it appeared as if it was, it really wasn't. With more tests, it appeared like ORDER BY was injectable.
I also told my friend about the LIMIT and he told me it was sanitized. When I told him about ORDER BY, he said that almost no damage could be done with SQL Injection after ORDER BY. I'm trying to prove him wrong.
Example of the query of the injection:
SELECT * FROM messages WHERE user_id = 10 ORDER BY **USER INPUT HERE** LIMIT 5
What have I tried?
With some research, it appeared that I cannot do a UNION after an ORDER BY unless I enclose the whole first query in brackets, which is not possible. Instead, I tried to work on some blind SQL Injection by doing, for example, the following:
SELECT * FROM messages WHERE user_id = 10 ORDER BY (SELECT IF(LEFT(@@version, 1) = 5, 1, 0))
and this goes on and on
Question
Is there a way to cause any damage with this or is it harmless?
Further information
My friend is using the mysql extension of PHP, so multiple queries are not possible.
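On the defensive side of the question above: a sort column is an identifier, not a value, so it cannot be bound as a query parameter and has to be checked against an allowlist instead. The following is an added example, not part of the original post; it uses Python's sqlite3 as a stand-in for the PHP/MySQL setup, and the column names, sort keys and sample rows are assumptions.

```python
import sqlite3

# Allowlist: public sort key -> real column name. Only these strings can ever
# reach the SQL text. Column names are assumed for the messages table.
SORT_COLUMNS = {"date": "created_at", "id": "id", "subject": "subject"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_messages_query(sort_key, direction="asc"):
    """Return SQL text whose ORDER BY clause comes from the allowlist only."""
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, TypeError, AttributeError):
        raise ValueError("unsupported sort option") from None
    # user_id and LIMIT are values, so they stay bound parameters.
    return ("SELECT id, subject FROM messages WHERE user_id = ? "
            f"ORDER BY {column} {order} LIMIT ?")


def fetch_messages(conn, user_id, sort_key, direction="asc", limit=5):
    """Run the query with the validated sort option and bound values."""
    sql = build_messages_query(sort_key, direction)
    return conn.execute(sql, (int(user_id), int(limit))).fetchall()


def make_demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY,"
                 " user_id INTEGER, subject TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        (1, 10, "hello", "2024-01-03"),
        (2, 10, "budget", "2024-01-01"),
        (3, 10, "agenda", "2024-01-02"),
        (4, 11, "other user", "2024-01-04"),
    ])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_messages(db, 10, "date", "desc"))
    # The ORDER BY input quoted in the post is not a key in the allowlist.
    posted_input = "(SELECT IF(LEFT(@@version, 1) = 5, 1, 0))"
    try:
        fetch_messages(db, 10, posted_input)
    except ValueError as exc:
        print("rejected:", exc)
```

Anything that is not an exact key in the allowlist is refused before any SQL text is built, so the request never influences the statement beyond picking one of the fixed column names.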