Error-based SQL Injection is a type of in-band SQL Injection attack that relies on error messages thrown by the database server to obtain information about the structure of the database. In some cases, error-based SQL injection alone is enough for an attacker to enumerate an entire database.
The ethical hacker is likely to use this type of SQL Injection attack because the application responds to logically incorrect queries with detailed error messages that divulge the underlying database’s structure. This means that the attacker can craft malicious SQL queries that trigger errors and reveal information such as table names, column names, data types, etc. The attacker can then use this information to construct more complex queries that extract data from the database.
For example, if the application uses the following query to display the username of a user based on the user ID:
SELECT username FROM users WHERE id = '$id'
The attacker can inject a single quote at the end of the user ID parameter to cause a syntax error:
SELECT username FROM users WHERE id = '1'
The application might display an error message like this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' at line 1
This error message reveals that the database server is MySQL and that the user ID parameter is enclosed in single quotes. The attacker can then use other techniques such as UNION, subqueries, or conditional statements to manipulate the query and retrieve data from other tables or columns.
[References:, [CEHv13 Module 05: Sniffing], Types of SQL Injection (SQLi) - GeeksforGeeks, Types of SQL Injection? - Acunetix, , , , ]
