I exploited a SQLi vulnerability to enumerate the columns in a database by doing something like this:
/comment.php?id=738 order by 1;#
Column enumeration can be achieved in a manner indistinguishable from magic by using sqlmap.
It can also be achieved with Burp Suite's Intruder function.
- Attack Type: Sniper
- Payload: set the payload position on the 1 in the snippet above
- Payload Options:
  - Payload Type: Numbers
  - Type: Sequential
  - Step: 1
  - Max Fraction Digits: 0
- Grep - Match:
  - Add "column" to the list of terms.
  - Match Type: Simple string
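
Seen from the server side, the Intruder settings above (Numbers, Sequential, Step 1) leave a recognisable trail: one client requesting the same script with ORDER BY 1, 2, 3, ... in a row. The following detection sketch is an added example, not part of the original notes; it assumes a combined-format web access log, and the log lines, IP addresses and the find_order_by_probes name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /comment.php?id=738%20order%20by%201;%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /comment.php?id=738+order+by+2;%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /comment.php?id=738+ORDER+BY+3;%23 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /comment.php?id=738+order+by+4;%23 HTTP/1.1" 200 231
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /comment.php?id=12 HTTP/1.1" 200 498
198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=how+to+order+by+2+columns HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ORDER_BY_RE = re.compile(r"\border\s+by\s+(\d+)", re.IGNORECASE)

def find_order_by_probes(log_text, min_run=3):
    """Map (client, path) -> ORDER BY indices seen, for clients that
    stepped the index by exactly 1 at least min_run times in a row."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target = m.groups()
        path, _, query = target.partition("?")
        # Decode %20 and + so encoded and plain variants match alike.
        hit = ORDER_BY_RE.search(unquote_plus(query))
        if hit:
            seen[(client, path)].append(int(hit.group(1)))
    findings = {}
    for key, indices in seen.items():
        run = best = 1
        for prev, cur in zip(indices, indices[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        # A single "order by 2" (e.g. a search phrase) never reaches min_run.
        if best >= min_run:
            findings[key] = indices
    return findings

if __name__ == "__main__":
    for (client, path), idx in find_order_by_probes(SAMPLE_LOG).items():
        print(f"{client} probed {path} with ORDER BY {idx[0]}..{idx[-1]}")
```

Requiring a run of consecutive indices keeps a lone search phrase containing "order by 2" from alerting, at the cost of missing a client that spreads the probe across several source addresses.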