Now we are going to talk about the determination of the number of columns in SQL Injection. This is of current importance in a normal SQL injection and especially blind SQLi vulnerabilities.
Identification of number of columns in the current request is need for union queries. Under normal SQL Injection information on the number of columns can be obtained from official tables MySQL (for versions 5 and above) and it will help only if the query displays all columns from a table. But if the version of MySQL less than 5 or when blind SQLi it does not work. And you must manually select a long number of columns - and more complex SQL query, the longer the process.
To speed up the process of identification of number of columns you can use a simple and convenient method. This is operator order by.
It is a well-known operator for programmers using the language SQL, but it has an interesting feature. In order by operator it is possible to specify not only the name of the column or expression (for sorting), but its serial number. It can be used in SQL Injection attacks.
Syntax operator is following: order by 5. For example, for SQLi attacks you can use the following code: -1 or 1 = 1 order by 5. If the query executed successfully then there are at least five columns are in this inquiry. Maximum value at which the SQL query will be executed will be the number of columns in this query (or in this table).