The following are the different types of SQL Injection; Error Based SQL Injection is one of them.
- In-band SQL Injections (Classic SQL Injection)
  - Error Based SQL Injection
  - Union Based SQL Injection
- Inferential SQL Injections (Blind SQL Injections)
  - Boolean Based SQL Injection
  - Time-based SQL Injection
- Out-of-Band SQL Injections
For more details on the types of SQL Injections, you can refer to the following post:
Pre-requisites: Go through the following pre-requisites, which are required for understanding this post.
- Install XAMPP on your machine, configure it and start the Apache server and the SQL database service
- Host bWAPP on the server
- SQL Injection – The beginning – Part 1
- Security Testing – SQL Basics for understanding SQL Injection vulnerability
Caution: Read the following points before testing the application for SQL Injections:
- Don’t try the following example on other websites.
- Only use these payloads on applications that are open for penetration testing.
- If you perform penetration testing on an application without a written statement from its owner, you will face legal problems, may be investigated by the cyber police and could even go to jail.
Error Based SQL Injection is a type of SQL Injection where the attacker enters illegal SQL expressions into the input fields available on the application UI, expecting an error message that contains valuable information about the application database, such as the database type and version. Follow the steps below to understand and demonstrate Error Based SQL Injection:
Step#1 – Once the above-specified pre-requisites are ready, open the bWAPP application in the Firefox browser using the URL http://localhost:8080/bwapp/login.php as shown below:
Step#2 – Log in to the application by entering bee into the Login field and bug into the Password field, then click the Login button as shown below:
Step#3 – Once the user is logged in, select the SQL Injection (GET/SEARCH) option from the ‘Choose your bug’ drop-down field and click the ‘Hack’ button as shown below:
Step#4 – In the displayed ‘SQL Injection (GET/SEARCH)’ screen, enter a single quote (i.e. ' ) into the ‘Search for a movie:’ text box field and click the ‘Search’ button as shown below:
Step#5 – If we get an error after performing the above step, we can confirm that the input field is vulnerable to SQL Injection, and more advanced payloads to exploit the application DB can be tried from that vulnerable input field:
If you look at the above error message, which appeared after entering a single quote into the ‘Search for a movie:’ text box field and clicking the ‘Search’ button, the SQL syntax error reveals DB details to the attacker, such as the fact that the database is MariaDB. This happens because the application does not handle the input safely: the single quote entered into the text box is placed directly into the SQL query, producing a query with the wrong syntax. In other words, when proper input is provided in this field, the application builds a valid SQL query to query the DB. But when the attacker intentionally enters a single quote, the application generates a SQL query with broken syntax, which fails with an error when the database tries to process it. Once that error is displayed, the attacker learns that the application passes syntactically invalid SQL through to the database, and will go on to enter more advanced malicious SQL with the intention of gaining access to the database.
For example, if we enter proper text into the ‘Search for a movie:’ text box field, say Iron Man, and search, the application generates the following SQL query with correct syntax to query the database:
- SELECT * FROM movieTable WHERE title LIKE '%Iron Man%'
But when we enter a single quote into the ‘Search for a movie:’ text box field, say Iron Man', and search, the application generates the following SQL query with an extra single quote (i.e. wrong syntax), as shown below:
- SELECT * FROM movieTable WHERE title LIKE '%Iron Man'%'
The above SQL query with the wrong syntax produces an error when the database is queried, which tells the attacker that the application is vulnerable to SQL Injection, as it sends the malformed query to the database without validating the input. Hence, from the above Error Based SQL Injection example, we have learnt that the application page is connected to a DB, retrieved some information about the DB from the displayed error message, and confirmed that the input field on the page is vulnerable to SQL Injection.
Conclusion: Error Based SQL Injection is a type of SQL Injection in which the attacker enters illegal SQL expressions into the input fields on the application UI; these generate SQL queries with the wrong syntax, which the server processes, with the intention of producing errors on the application UI that display valuable DB details, as demonstrated in the above example.
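To show the mechanics described above, here is an added example (not bWAPP's own code) contrasting the concatenated query from the page with a parameterised one, plus a check a tester can run on a response body. It uses Python's built-in sqlite3 as a stand-in for the MariaDB database, so the exact error text differs; the movieTable rows are constructed sample data.

```python
import re
import sqlite3

# Constructed in-memory stand-in for bWAPP's movie table (assumption: sqlite3
# instead of MariaDB, used only so the example runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movieTable (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO movieTable (title) VALUES (?)",
                     [("Iron Man",), ("Iron Man 2",), ("The Incredible Hulk",)])
    return conn

def search_vulnerable(conn, user_input):
    """Builds the query by string concatenation, exactly as on the page.
    Returns (rows, error_text); the raw DB error is handed back to the caller,
    which is what lets a single quote reveal database details on the UI."""
    query = "SELECT * FROM movieTable WHERE title LIKE '%" + user_input + "%'"
    try:
        return conn.execute(query).fetchall(), None
    except sqlite3.Error as e:
        return [], str(e)  # raw DB error exposed, as in the bWAPP screenshot

def search_hardened(conn, user_input):
    """Parameterised query: the input is bound as data and never parsed as
    SQL, so Iron Man' simply matches no titles. Any DB error is replaced by a
    generic message so the UI leaks nothing about the database."""
    try:
        rows = conn.execute("SELECT * FROM movieTable WHERE title LIKE ?",
                            ("%" + user_input + "%",)).fetchall()
        return rows, None
    except sqlite3.Error:
        return [], "Search failed"  # log the details server-side only

# Response-side check for a test suite: does the page body expose a database
# error message? Patterns are typical MySQL/MariaDB/SQLite phrasing.
_DB_ERROR_PATTERNS = re.compile(
    r"error in your SQL syntax|MariaDB server|mysql_fetch|sqlite3\.|"
    r"unrecognized token|SQL syntax", re.IGNORECASE)

def discloses_db_error(response_body):
    return _DB_ERROR_PATTERNS.search(response_body) is not None

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "Iron Man"))   # two matching rows, no error
    print(search_vulnerable(conn, "Iron Man'"))  # no rows, raw DB error text
    print(search_hardened(conn, "Iron Man'"))    # no rows, no error
```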
Please leave your questions/comments/feedback below.
Happy Learning 🙂
Arun Motoori (www.QAFox.com)