The syntax is strange when using the --sql-shell option.

[Nzoth9]

Hello! How are you?
During SQLi test, I needed to use GROUP BY and subqueries, so I used the --sql-shell option.

• sql-shell> SELECT idx,msg,send_num,rcv_num FROM DB.TB WHERE idx IN (SELECT MAX(idx) FROM DB.TB GROUP BY msg)

[02:40:41] [PAYLOAD] (SELECT (CASE WHEN (ORD(MID((SELECT *msg*,IFNULL(CAST(idx AS NCHAR),0x20),*send_num*,*rcv_num* FROM DB.TB WHERE idx in (SELECT MAX(idx) FROM DB.TB GROUP BY msg) LIMIT 2,1),1,1))>64) THEN 0x616464725f67725f6870 ELSE (SELECT 6153 UNION SELECT 5206) END))
[02:40:41] [PAYLOAD] (SELECT (CASE WHEN (ORD(MID((SELECT *msg*,IFNULL(CAST(idx AS NCHAR),0x20),*send_num*,*rcv_num* FROM DB.TB WHERE idx in (SELECT MAX(idx) FROM DB.TB GROUP BY msg) LIMIT 2,1),1,1))>32) THEN 0x616464725f67725f6870 ELSE (SELECT 6153 UNION SELECT 5206) END))
[02:40:41] [PAYLOAD] (SELECT (CASE WHEN (ORD(MID((SELECT *msg*,IFNULL(CAST(idx AS NCHAR),0x20),*send_num*,*rcv_num* FROM DB.TB WHERE idx in (SELECT MAX(idx) FROM DB.TB GROUP BY msg) LIMIT 2,1),1,1))>1) THEN 0x616464725f67725f6870 ELSE (SELECT 6153 UNION SELECT 5206) END))
[02:40:41] [INFO] retrieved:
[02:40:41] [DEBUG] performed 9 queries in 0.16 seconds

Odd parts are marked with *.

I think I need to get each column one by one, but when parsing the syntax, I don't seem to be parsing it properly. But one column is fetched just fine.

Sorry for adding to your work. Be careful of cold weather and flu.
Thank you! Dear @stamparm <3

[stamparm]

--sql-shell and --sql-query are just helpers for you to retrieve SQL query results via SQLi. Those are not able to squeeze every SQL query inside the SQLi. That's why you could see funky payloads on complex queries.

Please retry with something simpler and you'll see what i mean

[Nzoth9]

Thank you for answer. My guess is that --sql-shell or --sql-query doesn't rotate each single column on the assumption that it's reading the columns, it rotates all the columns in its entirety(when the GROUP BY clause is added).

On the other hand, counting the number of rows using GROUP BY works normally.(guess)

• SELECT COUNT(idx) FROM DB.TB WHERE idx in (SELECT MAX(idx) FROM DB.TB GROUP BY msg)

COUNTED: 13

However, when the following query statement is executed, the number of columns is not imported one by one.

• SELECT idx,msg,send_num,rcv_num FROM DB.TB WHERE idx IN (SELECT MAX(idx) FROM DB.TB GROUP BY msg)

SELECT (CASE WHEN (ORD(MID((SELECT msg,IFNULL(CAST(idx AS NCHAR),0x20),send_num,rcv_num FROM DB.TB WHERE idx in (SELECT MAX(idx) FROM DB.TB GROUP BY msg)

If you look at the query statement, CAST while getting idx, but all columns are attached.

Other exampless

• SELECT DISTINCT(msg),idx FROM DB.TB

(SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(DISTINCT(msg),idx AS NCHAR),0x20) FROM DB.TB

[idx] is appended after DISTINCT(msg).

I'm not sure what simpler you mean. isn't this a bug?
Thank you! dear @stamparm

[Nzoth9]

Fix, Is it right to do this? @stamparm 4638353

[Nzoth9]

Awesome!