Re: [sqlmap-users] Injecting into LIMIT ints
From: Miroslav S. <mir...@gm...> - 2012-08-03 15:15:18
Hi Chris.

In those kinds of cases UNION injection should be a solution. As LIMIT doesn't accept a subquery as an operand, you have to append a UNION ALL SELECT to the original value (foo in your case) and necessarily add a comment to the end (e.g. --) to neutralize that second operand of the affected LIMIT part.

To make it short, LIMIT doesn't accept subqueries and standard non-UNION based injection techniques should fail (as they "seed" their payload into the affected SQL form - in this case LIMIT).

Kind regards,
Miroslav Stampar

On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <chr...@gm...> wrote:
> Hi All
>
> I have found that an application has a rewritten URL element that ends up
> in a SQL query. The error message tells me that I'm injecting into the
> LIMIT number at the end of the query. This appears to be the only point of
> injection for now.
>
> A simplified version of the query that's being injected into is:
>
> SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC,
> created_date DESC LIMIT foo, 10
>
> 'foo' is my injection and of course gives a syntax error.
>
> I know that apostrophes/ticks (as in the ' character) are blocked as a
> minimum.
>
> Does anyone have any experience injecting this late in a query? Any ideas
> would be greatly received.
>
> Regards
>
> Chris

--
Miroslav Stampar
http://about.me/stamparm
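For the defending side of this thread, an added example (not part of the original messages or of sqlmap): it shows why a filter that only blocks apostrophes does not protect a numeric LIMIT operand, next to a version that validates the offset and binds it as an integer. The in-memory SQLite database, the table columns, `MAX_OFFSET` and all function names are assumptions made for illustration.

```python
import re
import sqlite3

PAGE_SIZE = 10
MAX_OFFSET = 10_000  # assumed paging ceiling, not from the thread

# Constructed sample input: the value shape the reply describes, with no apostrophe in it.
HOSTILE = "0 UNION ALL SELECT 1 --"

def quote_filter_allows(value: str) -> bool:
    """Blocklist of the kind the thread mentions: rejects apostrophes/ticks only."""
    return "'" not in value and "`" not in value

def build_query_unsafe(offset: str) -> str:
    """Before: the URL element is concatenated into the LIMIT clause as SQL text."""
    return ("SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, "
            "created_date DESC LIMIT " + offset + ", 10")

def parse_offset(raw: str) -> int:
    """After, step 1: accept only a bounded, non-negative ASCII decimal integer."""
    # fullmatch + [0-9] rejects trailing newlines, signs, spaces and Unicode digits.
    if not re.fullmatch(r"[0-9]{1,5}", raw):
        raise ValueError("offset is not a decimal integer")
    value = int(raw)
    if value > MAX_OFFSET:
        raise ValueError("offset out of range")
    return value

def fetch_posts(conn: sqlite3.Connection, site_id: str, raw_offset: str) -> list:
    """After, step 2: bind the integer so it can never be parsed as SQL text."""
    sql = ("SELECT id FROM posts WHERE site_id = ? ORDER BY post_date DESC, "
           "created_date DESC LIMIT ?, ?")
    return conn.execute(sql, (site_id, parse_offset(raw_offset), PAGE_SIZE)).fetchall()

def make_demo_db() -> sqlite3.Connection:
    """Constructed data: 25 posts for site '1', one per day."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, site_id TEXT, "
                 "post_date TEXT, created_date TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)",
                     [(i, "1", f"2012-07-{i:02d}", f"2012-07-{i:02d}") for i in range(1, 26)])
    return conn

if __name__ == "__main__":
    db = make_demo_db()
    print(quote_filter_allows(HOSTILE))      # the apostrophe filter lets it through
    print(build_query_unsafe(HOSTILE))       # request text ends up inside the statement
    print(fetch_posts(db, "1", "20"))        # valid paging request
```

The numeric context needs no quoting, so the allowlist in `parse_offset` plus parameter binding is what closes the LIMIT operand, not the apostrophe filter.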