How to Know if It’s Error-Based or Union-Based SQL Injection

To determine whether a SQL injection vulnerability is Error-based or Union-based, you need to analyze the application’s behavior and responses after injecting malicious input. Here’s how you can figure it out:

Step 1: Test for SQL Injection

Start by injecting basic SQL payloads to see if the application is vulnerable.

Common Test Inputs

• Single quote ('):

  <http://example.com/products?id=1>'
  
  

• Boolean conditions (e.g., OR 1=1):

  <http://example.com/products?id=1> OR 1=1
  
  

• SQL comment (- or #):

  <http://example.com/products?id=1>' --
  
  

Observe the Response

• If the application returns a database error (e.g., You have an error in your SQL syntax), it may be vulnerable to Error-based SQL Injection.
• If the application displays additional data or behaves unexpectedly (e.g., shows all products), it may be vulnerable to Union-based SQL Injection.

Step 2: Determine the Type of SQL Injection

Based on the application’s response, you can determine whether it’s Error-based or Union-based.

1. Error-Based SQL Injection

• Signs:
  • The application returns detailed database error messages.
  • Errors may include information like:
    • Database type (e.g., MySQL, PostgreSQL, SQL Server).
    • SQL query snippets.
    • Sensitive data (e.g., database version, table names).
• Example:

  • Input:

    <http://example.com/products?id=1>'
    
    

  • Response:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
    
    

  • This indicates Error-based SQL Injection.

• How to Confirm:

  • Inject payloads that force errors, such as:

    <http://example.com/products?id=1>' AND 1=CAST((SELECT @@version) AS INT) --
    
    

  • If the error message contains the database version, it’s Error-based.