I am trying to enumerate a database, created specifically for the purpose of learning SQL injections. I am trying to discover the number of columns a particular select statement might be using. I do this by "Ordinal" ordering the result set. So, I start with ORDER BY 1, .. BY 2, and so on until I get an error returning 'Unknown column'. Now, for an injection like so:
localhost/sqli?id=2' order by 7 AND '1
The resulting SQL statement is:
mysql> SELECT * FROM table_name where id='2' order by 7 and '1';
This returns a result set, but I was expecting it to throw an error returning "unknown column '7' in 'order clause' ".
Why does it not throw the error. The table that I am working with has only 3 columns.
Best Answer
Here is a sample in sqlfiddle-
The syntax for the select statment is the following
in the statement
7 and '1'
must be interpreted as expression by the parser:7
is the integer 7 and not a row position in the select list. The manual saysso the expresion evaluates to
1