SQL injection UNION attack, determining the number of columns returned by the query
https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
Level: Practitioner
In the following, we need to enumerate the number of columns that are in the database in use.
We can do that by using the following union select payload.
After " 'union select " write NULL spaces followed by a coma, and when the server throws back an "Internal Server Error" it means that we passed through the number of columns, the number of columns is the number of NULL spaces.
Here we can see that the database that we are using haves 3 columns, thanks to the number of NULL spaces.
We can do the same with an "order by".
I create a simple python script that enumerates how many columns are in the DB by just passing the URL, retrieves the payload used.
This will be useful in case where the columns are a huge number.
Last updated