Home page logo
/

basics logo Security Basics mailing list archives

Re: SQL Injection ORDER BY plus DROP TABLE?
From: Pranay Kanwar <warl0ck () metaeye org>
Date: Wed, 15 Aug 2007 17:15:23 +0530

Separate the queries with a ;, i.e. ORDER BY 1; DROP TABLE A.
Don't know which database you are trying this on, but mysql
does not allow a straight query like ORDER BY 1 DROP TABLE A.

regards

warl0ck // MSG

wonderfulandromeda () gmail com wrote:
I remember, long back I tried SQL injection like this.

ORDER BY 1--

It worked. This proves that there was a select query towards the left of the injection point. This also worked

ORDER BY 1 DROP TABLE A

It spewed an output like it can not drop table A because it doesn't exist. I am wondering what kinda SQL query would 
that be which has a select query and accomodates DROP along with ORDER BY 1.

AFAIK, DROP should be a separate statement and it should cause a syntax error if combined with SELECT. Any 
suggestions?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault