order by payload is used to find out the number of columns in the table. Before understanding order by payload, let’s go through the below pre-requisites and cautions.
Pre-requisites: Go through the below pre-requisites which are required for understanding this post.
- Install XAMPP on your machine, configure it and start Apache Server & SQL
- Host BWAPP in the server
- SQL Injection – The beginning – Part 1
- Security Testing – SQL Basics for understanding SQL Injection vulnerability
Caution: Look into the following steps before testing the application for SQL Injections:
- Don’t try the following example on other websites.
- Only perform these payloads on the application which are open for Penetration testing.
- If you perform Penetration testing on the application without a written statement from its owner, you have to face legal problems, face cyber police and even go to jail.
We enter single quote into the input fields to find out whether they are vulnerable to SQL Injection. If you don’t have any idea on how to use a single quote for guessing the possibility of SQL Injection, then go through the below posts:
order by Payload: Now let’s find out the number of columns available in the below movieTable. order by payload can be used to modify the default generated SQL Query with an intention of retrieving the number of columns in the table.
- SELECT * FROM movieTable WHERE title LIKE ‘%Iron Man%’ ‘ order by x–
Follow the below steps to find out the number of columns available in the movieTable of bWAPP:
Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox Browser using the URL http://localhost:8080/bwapp/login.php as shown below:
Step#2 – Login to the application by entering bee into the Login field and bug into the Password field and click on Login button as shown below:
Step#3 – Once the user is logged in, select SQL Injection (GET/SEARCH) option from the ‘Choose your bug’ drop-down field and click on ‘Hack’ button as shown below:
Step#4 – In the displayed ‘SQL Injection (GET/SEARCH)’ screen, enter valid search term say ‘Iron Man’ and click on ‘Search’ button as shown below:
Step#5 – Observe that the details related to the search term ‘Iron Man’ are displayed as results under 5 columns as shown below:
Step#6 – As from the above we know that there are at least 5 columns in the movieTable, let’s find out the exact count of columns in the table using ‘order by 10- – payload and click on ‘Search’ button as shown below:
Note: Provide a space after the – – in the above payload, before clicking on the Search button
Step#7 – Observer that an unknown error in ‘order clause’ will be displayed as shown below.
Using the above error, we can understand that there are less than 10 columns in the table.
Step#8 – Now let’s modify the order by payload to check whether there are 8 columns in the movieTable (i.e. lets pass ‘order by 8- – payload and click on ‘Search’ button as shown below):
Step#9 – Observer that an unknown error in ‘order clause’ will be displayed as shown below.
Using the above error, we can understand that there are less than 8 columns in the table.
Step#10 – So the columns may be in between 5 to 8. Now let’s modify the order by payload to check whether there are 7 columns in the movieTable (i.e. lets pass ‘order by 7- – payload and click on ‘Search’ button as shown below):
As we have not received any error when the above payload is searched, we can now understand that there are 7 columns in the movieTable.
Understanding in detail: Using the payload ‘ order by 7- – , we have tricked the interpreter at the Server in executing the below SQL query on the database.
- SELECT * FROM movieTable WHERE title LIKE ‘%Iron Man%’ ‘ order by 7- –
The purpose of the above SQL is to order the displayed results using the 7th column of the table. But we have used this query to find out where there are 7 columns in the table. As 10 and 8 provided in the payloads have resulted in an error and 7 has resulted in results, we have come to a conclusion that there are 7 columns in the table. Using this information on the number of columns, we can plan for better payloads and the next set of payloads will be explained in the upcoming posts.
Conclusion: Once the input fields on the application are found to be vulnerable to the SQL Injection using the single quote payload, we can use the next payload ‘ order by x- – to find out the number of columns in the database table. Once the number of columns in the table are guessed using the provided payload, the next set of payloads which I am going to explain in the upcoming posts can be planned. In this post, I have demonstrated an example for retrieving the number of columns in the table using order by payload.
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)
