5.3.1 Error-Based SQLi
Exploiting Error-Based SQL Injection
Error-based SQL injections are an advanced technique to extract data from a database by triggering errors that reveal information within the error messages. This method is particularly fast and effective and is supported by various database management systems (DBMS) such as Oracle, PostgreSQL, and MS SQL Server.
MS SQL Server Error-based Exploitation
MS SQL Server Version Extraction: To begin, it's crucial to identify the version of the MS SQL Server, as different versions may have different default column names in the master database. The CAST
technique is employed to trigger a type conversion error, which reveals the database version. For example:
This payload, when injected into the vulnerable parameter, will cause an error message that includes the database version.
Enumerating Databases: After identifying the version, the next step is to enumerate the databases accessible to the current user. This is done using the db_name()
function within a loop:
Incrementing the argument of db_name()
allows iterating through the available databases.
Enumerating Database Tables: Once databases are enumerated, the next step is to find the tables in a particular database:
Here, the xtype='U'
condition ensures that only user-defined tables are considered.
Enumerating Columns: After identifying tables, the columns within those tables need to be enumerated:
This query retrieves the column names for a specific table in the specified database.
Dumping Data: Finally, with knowledge of the database structure, data can be dumped using a similar technique:
This query retrieves the actual content of the specified column in the specified table.
MySQL Error-Based SQLi Exploitation
To exploit error-based SQL injection on MySQL, the GROUP BY
statement is utilized. An example payload skeleton is as follows:
For example, to extract the database version:
Last updated