Demystifying Error based SQL Injection attacks

If you have detected that an application is vulnerable to SQL Injection, the next step in exploiting the vulnerability is to know which type of SQL Injection it is. This will help you craft your SQL Injection payloads according to the type. In this article, we are going to look at Error based SQL Injection, which is a type of in-band SQL Injection attack.

We will also provide a live demo of an error-based SQL Injection attack using Acunetix. So, let’s get started.


What is error based SQL Injection?

An Error based SQL Injection is an in-band type of SQL Injection attack in which attackers use a single channel to fire the SQL Injection payloads and also extract the results from the same channel. An example of an in-band attack is when an attacker hits any REST API request and immediately sees the desired results in the API response.

In error based SQL Injection, the attacker relies on error messages returned by the database server. The error messages help provide information about the structure of the schema and where exactly the error has occurred in the SQL query. Let’s look at the formal definition.

Definition of Error based SQL injection

The definition of Error based SQL Injection is as follows:

“Error based SQL Injection is a type of SQL Injection in which the attacker can see error messages thrown by the database server when any SQL Injection payloads are fired.”

The error messages contain sensitive information about the database schema, the vulnerable SQL query, and the database type. The attacker uses error information so as to accurately craft the SQL injection payloads for further penetration into the victim’s database system. It will be clearer to you when you see some live examples of error based SQL Injection in the next section.

Live example of Error based SQL Injection on Acunetix

Acunetix hosts a vulnerable web application online for testing purposes. It is freely accessible to all. The aim of the application is to demonstrate some of the severe web application vulnerabilities. You can access the Acunetix vulnerable web application here.

There are many vulnerabilities in this application. However, we will only demonstrate the Error based SQL Injection. To do this, navigate as below:

Click on the Categories menu -> Click on any category displayed -> You will see posters in the category.

Now observe the URL in the address bar. It accepts a category ID as an input parameter as highlighted below.

http://testphp.vulnweb.com/listproducts.php?cat=1

This parameter is vulnerable to Error-based SQL Injection. Now, to test for SQL Injection on this parameter, just append a single quote (') in the URL right after the value of the category ID.

The resulting URL may be as below (You can copy and paste in address bar):

http://testphp.vulnweb.com/listproducts.php?cat=1'

Now as soon as you hit enter, instead of posters in the category you will see an Error message.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /hj/var/www/listproducts.php on line 74

This error message is thrown by the MySQL database server. This database-side error message is the first clue to an attacker that the parameter value reaches the query exactly as it was entered (along with any junk characters entered).

We have highlighted the sensitive information in the above log. It clearly shows the underlying database is of type MySQL and there is an error at line 1.

You can now play around with parameter values and try to inject different variants of SQL Injection payloads from the payload list in the next section.

Error based SQL Injection payloads

Now that we know the parameter named 'cat' is vulnerable to Error based SQL Injection, we can embed various SQLi payloads in it. Let's inject the payloads now:

SQLi Payload | Direct link to hit (including payload)
1 OR 1=1 | Link - Shows posters from all categories
1 AND (SELECT 2839 FROM (SELECT(SLEEP(10)))DtDN) | Link - Makes the database thread sleep for 10 seconds

For a full list of thousands of Error-based SQL Injection payloads, visit this GitHub repository.

How to prevent Error based SQL Injection?

As with any SQL Injection attack, the attacker tries to exploit the input parameters of the application and injects the SQLi payload into them. This also applies to error based SQL Injection attacks. Below we list the 2 important prevention techniques.

Validate input parameters properly

In the above Acunetix application's example, the vulnerable parameter is 'cat'. It is a numeric field representing the category ID. Hence, on the server side we need a validation that checks whether the provided category ID is really an integer.

Use PreparedStatements

Do not create the SQL query using the string concatenation technique. You need to use PreparedStatements so that the query parameters do not alter the structure of the query being fired.
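
The two prevention techniques above, as an added example that is not code from the original article or from the Acunetix application. Python's sqlite3 stands in for the PHP/MySQL backend, and the table, sample rows and function names are constructed for illustration; the "before" function concatenates the parameter and echoes the database error, while the "after" function validates the integer, binds it as a parameter and returns a generic error body.

```python
import sqlite3

def make_db():
    """Constructed sample data; sqlite3 is an assumed stand-in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, 1, "poster A"), (2, 1, "poster B"), (3, 2, "poster C")])
    return db

def list_products_vulnerable(db, cat):
    """'Before': concatenates the raw parameter and echoes the database error."""
    try:
        rows = db.execute("SELECT name FROM products WHERE cat = " + cat).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        # The raw driver message reaches the client: this is the error channel.
        return 500, "Error: " + str(exc)

def list_products_hardened(db, cat):
    """'After': integer validation, bound parameter, generic error body."""
    # Technique 1: accept only a short run of ASCII digits for the category ID.
    if not (cat.isascii() and cat.isdigit() and len(cat) <= 9):
        return 400, "Invalid category"
    try:
        # Technique 2: the value is bound, so it cannot change the query structure.
        rows = db.execute("SELECT name FROM products WHERE cat = ?",
                          (int(cat),)).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error:
        # Record the detail server-side only; the client learns nothing about the schema.
        return 500, "Internal error"

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the article: a valid ID, the single-quote probe, 1 OR 1=1.
    for value in ["1", "1'", "1 OR 1=1"]:
        print(repr(value))
        print("  vulnerable:", list_products_vulnerable(db, value))
        print("  hardened:  ", list_products_hardened(db, value))
```
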

Conclusion

Out of all types of SQL Injection attacks, the error based SQL Injection is the most severe. It is severe because of the reduced turnaround time in seeing the results. Hence, within a few minutes, the attacker will be able to download the entire database of victim applications.

BUZZ is an expert player in doing security assessments of SMBs and startups. We have found many instances of Error-based SQL Injection vulnerability in SMB’s internet-facing systems. Remember, a single vulnerable parameter is a doorway for an attacker to download the entire database. The endpoints look safe to the open eyes but upon security assessment, the full database gets exposed. Do your application’s endpoints also look safe to the open eyes? Contact Buzz for 1 free penetration test of your application and reduce your business risk.

For more insights, tutorials, and a community of security-aware developers, visit BUZZ. Together, we will make security accessible to all!
