ORDER BY does not play well with UNION query SQLi (related to issue #313)

2026-01-20 13:29:02 +00:00 · 2012-12-19 13:21:16 +00:00
parent 259b345f1f
commit 282aeb734f
3 changed files with 49 additions and 2 deletions
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@@ -283,11 +283,14 @@
            <item value="r'Database: testdb.+Table: users.+3 entries.+fluffy.+bunny.+wu.+ming'"/>
        </parse>
    </case>
-    <!-- TODO: this fails because of issue #305 -->
    <case name="MySQL boolean-based multi-threaded custom enumeration - substring">
        <switches>
            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <!-- TODO: this fails because of issue #305 -->
+            <!--
            <threads value="4"/>
+            -->
+            <threads value="1"/>
            <tech value="B"/>
            <dumpTable value="True"/>
            <db value="testdb"/>
@@ -632,5 +635,39 @@
            <item value="r'SELECT \* FROM users LIMIT 0, 2 \[2\].+1, luther, blissett.+2, fluffy, bunny'"/>
        </parse>
    </case>
+    <case name="MySQL boolean-based multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="B"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
+        </parse>
+    </case>
+    <case name="MySQL error-based multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="E"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+2, fluffy, bunny.+1, luther, blissett.+3, wu, ming'"/>
+        </parse>
+    </case>
+    <case name="MySQL UNION query multi-threaded custom ordered SQL query enumeration">
+        <switches>
+            <url value="http://debiandev/sqlmap/mysql/get_int.php?id=1"/>
+            <threads value="4"/>
+            <tech value="U"/>
+            <query value="SELECT * FROM users ORDER BY name"/>
+        </switches>
+        <parse>
+            <!-- NOTE: it is not sorted on purpose because UNION does not play well with ORDER BY and it is stripped -->
+            <item value="r'SELECT \* FROM users ORDER BY name \[5\].+1, luther, blissett.+2, fluffy, bunny.+3, wu, ming'"/>
+        </parse>
+    </case>
    <!-- End of user's provided statement enumeration switches -->
 </root>