3. SQL injection UNION attack, determining the number of columns returned by the query

Attacking a web application with a SQL injection vulnerability, we're asked to use UNION to determine the number of columns returned by the vulnerable SELECT query. We use a technique with UNION SELECT NULL...-- to iteratively brute force the number of columns. If we receive a 500 response from the server, we know that the number of columns is too low. We continue to increase the number of columns until we receive a 200 response, which indicates the number of columns returned by the vulnerable query.

Solution
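The behaviour described above, reproduced offline as an added example (not part of the original write-up): a deliberately vulnerable lookup beside its parameterized form, both fed the same UNION SELECT NULL...-- probes. The in-memory SQLite `products` table, the function names and the mapping of a database error to a 500 status are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: the table has 4 columns, the query returns 2.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                   [(1, "Mug", "Gifts", 9.5), (2, "Lamp", "Home", 30.0)])
    return db

def vulnerable_status(db, category):
    # Deliberately vulnerable: user input is concatenated into the SQL text.
    sql = "SELECT name, price FROM products WHERE category = '" + category + "'"
    try:
        db.execute(sql).fetchall()
        return 200
    except sqlite3.Error:
        return 500  # assumed: the app turns a database error into a 500

def safe_status(db, category):
    # Hardened: the input is bound as a value and never parsed as SQL.
    try:
        db.execute("SELECT name, price FROM products WHERE category = ?",
                   (category,)).fetchall()
        return 200
    except sqlite3.Error:
        return 500

def probe(n):
    # The page's UNION SELECT NULL...-- input with n NULLs.
    return "Gifts' UNION SELECT " + ", ".join(["NULL"] * n) + "--"

def status_by_null_count(handler, max_cols=4):
    db = make_db()
    return {n: handler(db, probe(n)) for n in range(1, max_cols + 1)}

if __name__ == "__main__":
    print("vulnerable:   ", status_by_null_count(vulnerable_status))
    print("parameterized:", status_by_null_count(safe_status))
```

The vulnerable handler answers 200 only when the NULL count equals the two columns the query selects, even though the table has four; the parameterized handler answers every probe identically, so the status code reveals nothing about the query.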