ORDER BY does not play well with UNION query SQLi (related to issue #313)

2025-11-04 09:57:38 +03:00 · 2012-12-19 13:21:16 +00:00 · 2012-12-19 13:21:16 +00:00 · 282aeb734f
commit 282aeb734f
parent 259b345f1f
3 changed files with 49 additions and 2 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -661,6 +661,9 @@ def filePathToString(filePath):

    return strRepl

+def singleTimeDebugMessage(message):
+    singleTimeLogMessage(message, logging.DEBUG)
+
 def singleTimeWarnMessage(message):
    singleTimeLogMessage(message, logging.WARN)

--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@ -29,6 +29,7 @@ from lib.core.common import isNumPosStrValue
 from lib.core.common import listToStrValue
 from lib.core.common import parseUnionPage
 from lib.core.common import removeReflectiveValues
+from lib.core.common import singleTimeDebugMessage
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import wasLastRequestDBMSError
 from lib.core.convert import htmlunescape
@ -159,6 +160,13 @@ def unionUse(expression, unpack=True, dump=False):

    _, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)

+    if expressionFieldsList and len(expressionFieldsList) > 1 and "ORDER BY" in expression.upper():
+        # Removed ORDER BY clause because UNION does not play well with it
+        expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I)
+        debugMsg = "stripping ORDER BY clause from statement because "
+        debugMsg += "it does not play well with UNION query SQL injection"
+        singleTimeDebugMessage(debugMsg)
+
    # We have to check if the SQL query might return multiple entries
    # if the technique is partial UNION query and in such case forge the
    # SQL limiting the query output one entry at a time
@ -301,7 +309,6 @@ def unionUse(expression, unpack=True, dump=False):
                kb.suppressResumeInfo = False

    if not value and not abortedFlag:
-        expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union does not play well with ORDER BY
        value = _oneShotUnionUse(expression, unpack)

    duration = calculateDeltaSeconds(start)
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@ -283,11 +283,14 @@
            <item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/>
        </parse>
    </case>
-    <!-- TODO: this fails because of issue #305 -->
    <case name="MySQL boolean-based multi-threaded custom enumeration - substring">
        <switches>
            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <!-- TODO: this fails because of issue #305 -->
+            <!--
            <threads value="4"/>
+            -->
+            <threads value="1"/>
            <tech value="B"/>
            <dumpTable value="True"/>
            <db value="testdb"/>
@ -632,5 +635,39 @@
            <item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/>
        </parse>
    </case>
+    <case name="MySQL boolean-based multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="B"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
+        </parse>
+    </case>
+    <case name="MySQL error-based multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="E"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
+        </parse>
+    </case>
+    <case name="MySQL UNION query multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="U"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <!-- NOTE: it is not sorted on purpose because UNION does not play well with ORDER BY and it is stripped -->
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blissett.+2, fluffy, bunny.+3, wu, ming'"/>
+        </parse>
+    </case>
    <!-- End of user's provided statement enumeration switches -->
 </root>