That's an excellent question, and it's central to this step!
You can determine the correct column count by using the ORDER BY clause with increasing numbers, until you get a database error. Here’s how it works:
- Start with ORDER BY 1#:
  - Enter 1' ORDER BY 1# into the input field and submit.
  - If it returns data without an error, it means the query has at least one column.
- Increment the number: ORDER BY 2#:
  - Enter 1' ORDER BY 2# into the input field and submit.
  - If it returns data without an error, the query has at least two columns.
- Keep incrementing until you get an error:
  - For example, if you then enter 1' ORDER BY 3# and the application throws a database error (e.g., "Unknown column '3' in 'order clause'"), this tells you that the original SQL query only selects two columns. The error occurs because you're trying to order by a column that doesn't exist.
In summary: The highest number you can ORDER BY without getting an error indicates the total number of columns in the SELECT statement of the original query.
This method helps you discover the structure of the underlying SELECT statement, which is crucial for successful UNION SELECT attacks.
Have you tried entering 1' ORDER BY 1#, 1' ORDER BY 2#, and 1' ORDER BY 3# yet and observed the results? What did you find?