Error based SQL Injection (SQLi)

By Manieendar Mohan
Published on 04 Jul 2018
SQL Injection

Error-based SQL injection is an in-band injection technique in which the error output from the SQL database is used to manipulate the data inside the database. In in-band injection, the attacker uses the same communication channel both to launch the attack and to collect data from the database. This is the easiest and most common intrusion technique used by attackers. Data extraction can be forced through a vulnerability in which the code outputs a SQL error rather than the required data from the server. This method can be easily automated using grep extract functionality. In many cases, the error generated by the database is enough for the attacker to understand the database entirely.

Example

        https://www.example.beaglesecurity.com/gallery.php?id=6'

    

If the server responds to this URL with an SQL error, it proves that the server is connected to the database in an insecure manner. The quote (') breaks the SQL syntax. Now it's just a matter of running a few SQL commands to completely collapse/destroy the database.
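The behaviour described above, as an added example that is not code from the original article: a handler that concatenates the `id` parameter into the query and echoes the database error, next to a hardened version that validates the value, binds it as a parameter and returns only a generic error. Python with an in-memory SQLite database stands in for `gallery.php`; the table, the function names and the sample row are assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the gallery table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE gallery (id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO gallery VALUES (6, 'Sunset')")
    return db


def gallery_vulnerable(db, raw_id):
    """Builds the SQL by string concatenation and returns DB errors to the client."""
    try:
        row = db.execute("SELECT title FROM gallery WHERE id = " + raw_id).fetchone()
    except sqlite3.Error as exc:
        # The raw database message ends up in the response body: this is the
        # in-band error channel the article describes.
        return 500, "SQL error: " + str(exc)
    return (200, row[0]) if row else (404, "not found")


def gallery_hardened(db, raw_id):
    """Validates the id, binds it as a parameter, and never exposes DB error text."""
    # Allow-list check: the id must be 1 to 9 ASCII digits, nothing else.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return 400, "invalid id"
    try:
        # The value is passed separately from the SQL text, so it is never parsed as SQL.
        row = db.execute("SELECT title FROM gallery WHERE id = ?", (int(raw_id),)).fetchone()
    except sqlite3.Error:
        # Details belong in the server-side log, not in the response.
        return 500, "internal error"
    return (200, row[0]) if row else (404, "not found")


if __name__ == "__main__":
    db = make_db()
    for value in ("6", "6'"):  # the second value is the one from the article's URL
        print(repr(value), "vulnerable:", gallery_vulnerable(db, value))
        print(repr(value), "hardened:  ", gallery_hardened(db, value))
```

For `id=6'` the first handler returns a 500 response that carries the database's own syntax error, while the second rejects the value before any query is built.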

Impact and Fixes


Written by Manieendar Mohan, Cyber Security Lead Engineer