⚠️

Error-Based SQL Injection Challenge ⚠️

Error-based SQL injection is a technique where an attacker extracts information from the database by forcing it to generate error messages that contain sensitive data. Unlike blind injection, error-based attacks can extract data much faster because the information is directly visible in error messages.

This attack works by crafting SQL queries that cause database errors, and then using SQL functions to extract data that appears in those error messages. Common techniques include:

Type conversion errors: Forcing type mismatches that reveal data
Aggregate function errors: Using COUNT(), MAX(), MIN() with GROUP BY to extract data
Mathematical errors: Division by zero or other operations that reveal values
Function errors: Using functions that cause errors with data in the message

WARNING: In many countries (including UK) it is illegal to use this attack.

Up to 6 months in jail for unauthorised access

I've set up a vulnerable test system here so that you can have a go.

I promise not to prosecute.

The challenge on this page is to extract database information using error messages. Try the examples below in the search box to see how error-based injection works.

Note: SQLite handles errors differently than MySQL. Some MySQL-specific error-based techniques may not work the same way, but we can still demonstrate the concept.

Try These Error-Based Attacks:

Trigger a basic error to confirm injection:
This should cause a SQL syntax error: ' AND 1=2 UNION SELECT 1,2,3,4,5 --

Extract table names using error:
Get table names from information_schema: mouse' UNION SELECT 1, table_name, 3, 4, 5 FROM information_schema_tables --

Extract column names using error:
Get column names from the users table: mouse' UNION SELECT 1, column_name, 3, 4, 5 FROM information_schema_columns WHERE table_name = 'users' --

Extract username using error:
Extract the first username from the users table: mouse' UNION SELECT 1, username, 3, 4, 5 FROM users --

Extract password using error:
Extract passwords from the users table: mouse' UNION SELECT 1, password, 3, 4, 5 FROM users --

Force a type error to reveal data:
Attempt to cause a type conversion error: mouse' AND CAST((SELECT username FROM users LIMIT 1) AS INTEGER) --

How Error-Based Injection Works

Error-based SQL injection exploits database error messages to extract information:

Type conversion errors: Attempting to convert incompatible types reveals the original value
Aggregate function errors: Using GROUP BY with aggregate functions can cause errors that include data
Mathematical errors: Division by zero or invalid operations reveal values

When a database throws an error, the error message often contains the data that caused the error, allowing attackers to extract sensitive information.

Note: SQLite's error handling is more restrictive than MySQL's, so some advanced error-based techniques may work differently. However, UNION-based extraction (which can trigger errors) still works effectively.

⚠️

Product Search

Error-Based SQL Injection Challenge ⚠️

Try These Error-Based Attacks:

How Error-Based Injection Works