I am testing an internal application and came across a page where I am able to make the application display a SQL error because it does not recognize the payload for the ORDER BY sort direction. The query is:

select xxx 
from something 
where xxx xxx xxx 
ORDER BY something 
ASC LIMIT..... 

I am able to control the ASC part, and the application throws out a SQL error and displays the SELECT query that gets broken whenever I send anything other than ASC or DESC. The column name used with ORDER BY is not injectable. Is this injection exploitable in this case? I read from a couple of places that if we can control the column used by ORDER BY, then it is exploitable, but if we can control only the sort direction parameter, it is not an exploitable injection.

There are related questions here and here, but they don't directly say whether the sort direction parameter is exploitable if the user can control it.

The database is MySQL.

schroeder
Sreeraj

1 Answer

If you control the sort direction, then this might be exploitable by replacing it with a desc union select <other query>. I have not tried it though.
See this post.

You will have to specify the exact number of columns of the original query, which you can find out by looking at the SQL error. In case you don't have that information, you can find out by trial and error. Types have to match too.

EDIT: As of MySQL version 8, it is very unlikely that the approach noted above will work, because the individual select queries have to be put between parentheses. See https://dev.mysql.com/doc/refman/8.0/en/union.html:

ORDER BY and LIMIT in Unions

To apply an ORDER BY or LIMIT clause to an individual SELECT, parenthesize the SELECT and place the clause inside the parentheses:

(SELECT a FROM t1 WHERE a=10 AND B=1 ORDER BY a LIMIT 10)
UNION
(SELECT a FROM t2 WHERE a=11 AND B=2 ORDER BY a LIMIT 10);

Use of ORDER BY for individual SELECT statements implies nothing about the order in which the rows appear in the final result because UNION by default produces an unordered set of rows. Therefore, ORDER BY in this context typically is used in conjunction with LIMIT, to determine the subset of the selected rows to retrieve for the SELECT... 
lab9
  • Yes, turned out it is exploitable. I used the payload ,(select*from(select(sleep(10)))a) and the application took around 10 seconds to respond to this request. – Sreeraj Jul 16 '20 at 16:59
  • @Citylight, good catch! I overlooked the fact that '_order by_' will accept a list of columns, and you control that list (short of the first list item). – lab9 Jul 17 '20 at 12:28
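Added example, not code from the question, the answer or the comments: since neither the sort column nor the direction can be bound as a prepared-statement parameter, the application-side fix is to map both through allowlists, shown here in Python next to the splicing pattern the question describes, together with a small check that flags request log lines whose sort parameters fall outside the allowlists. The table, column names and log format are constructed for illustration.

```python
# Added example, not code from the question or answer: allowlist the ORDER BY inputs that
# cannot be bound as parameters, and flag requests whose sort values fall outside the list.
from urllib.parse import parse_qs, urlsplit

SORTABLE_COLUMNS = {"name": "name", "created": "created_at"}  # client key -> SQL column (constructed)
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_query_unsafe(direction: str) -> str:
    """The pattern in the question: the client-supplied direction is spliced into the SQL text."""
    return ("SELECT id, name FROM items WHERE owner_id = %s "
            "ORDER BY name " + direction + " LIMIT 20")

def build_query_safe(column: str, direction: str) -> str:
    """Identifiers and keywords cannot be parameterised, so map both through allowlists
    and reject anything else before it reaches the SQL text."""
    try:
        col_sql = SORTABLE_COLUMNS[column]
        dir_sql = SORT_DIRECTIONS[direction.strip().lower()]
    except KeyError:
        raise ValueError(f"unsupported sort parameter: {column!r}/{direction!r}") from None
    return (f"SELECT id, name FROM items WHERE owner_id = %s "
            f"ORDER BY {col_sql} {dir_sql} LIMIT 20")

def suspicious_sort_requests(log_lines):
    """Detection side: (line_no, param, value) for every sort/dir value outside the
    allowlists. Constructed log format: METHOD PATH?QUERY STATUS."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        query = parse_qs(urlsplit(fields[1]).query)
        for value in query.get("dir", []):
            if value.strip().lower() not in SORT_DIRECTIONS:
                hits.append((line_no, "dir", value))
        for value in query.get("sort", []):
            if value not in SORTABLE_COLUMNS:
                hits.append((line_no, "sort", value))
    return hits

# Constructed sample log; the third line carries the direction value reported in the comments.
SAMPLE_LOG = [
    "GET /items?sort=name&dir=asc 200",
    "GET /items?sort=created&dir=DESC 200",
    "GET /items?sort=name&dir=asc%2C%28select%2Afrom%28select%28sleep%2810%29%29%29a%29 500",
]
```

The unsafe builder passes any text through to the SQL, while the safe builder raises before the query is built; the log check gives the same allowlist a second use as a detection rule.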