Error Based SQL Injections

Last Updated : 21 Apr, 2025

Error-based SQL injection is an in-band injection technique that allows hackers to take advantage of the database’s error output. The database is manipulated into generating an error that informs the hacker about the structure of the database. In in-band injections, hackers use one of the server's communication channels both to launch the attack and to retrieve information. Forcing data extraction requires a vulnerability. Usually, the vulnerability causes the application to show an SQL error from the server in place of the required data. Hackers can understand the structure of the database from this error.

Understanding the Error-Based SQL Injection

Error-based SQL injection is a critical SQL injection vulnerability that allows attackers to extract sensitive database information by exploiting database error messages. When the database or application server does not handle SQL errors, attackers can manipulate queries so that the errors are shown on the page, and on the basis of those errors they can retrieve data, revealing the database structure, column names, and sensitive records.

Why is Error-Based SQL Injection Dangerous?

  • Direct Data Extraction: If the server is not properly configured, the error messages leak crucial information about the database.
  • Automated Exploitation: Tools like SQLMap can also be used to exploit it quickly.
  • Used for Advanced SQL Attacks: Error-based SQL Injection attacks can help in blind SQL injection and out-of-band SQL injection (OAST).
  • Affects Multiple Databases: Vulnerabilities also exist in MySQL, MSSQL, PostgreSQL, and Oracle.

How Error-Based SQL Injection Works

1. Identifying Vulnerable Parameters

First, find the vulnerable parameter by injecting a single quote (') to cause an error:

' OR 1=1 --         # If an error occurs, the system is vulnerable.

2. Extracting Database Version

If the error occurs, the next step is to find the database version using the command below:

' UNION SELECT @@version, NULL, NULL --

3. Finding Current User

The current user of the database can also be found using the command below:

' UNION SELECT user(), NULL, NULL --

4. Extracting Database Name

After getting the version number, find the database name using the command below:

' UNION SELECT database(), NULL, NULL --

5. Listing All Tables

Using the database name, find the tables inside the database:

' UNION SELECT table_name FROM information_schema.tables --

6. Extracting Column Names from a Specific Table

After getting the table name, extract all of its column names to learn what user information it holds:

' UNION SELECT column_name FROM information_schema.columns WHERE table_name='users' --

7. Dumping User Credentials

Next, dump the user credentials using the command below:

' UNION SELECT username, password FROM users --

Time-Delay Error Injection

Here the application does not display error messages, so the result cannot be seen on the screen. Instead, the attacker injects malicious SQL queries that force the database to delay execution, which allows attackers to infer database information based on response times.

Example Payload:

' OR IF(1=1, SLEEP(5), 0) -- 
  • The injected query forces the database to pause for 5 seconds if the condition (1=1) is true. If this works, it confirms that the server is vulnerable to SQL injection.
  • Attackers use this method to extract sensitive data by checking conditions iteratively.

Error Message Extraction using Data Type Mismatch

Here the attacker exploits the SQL errors returned by the database, forcing errors that reveal information through data type mismatches. This technique works when the application concatenates user input directly into an SQL query.

Example Payload:

' UNION SELECT 1, 2, 'a' + 1 --

The 'a' + 1 operation triggers an SQL error because the database cannot add a string and an integer.

The error message shows the information about:

  • Database type (MySQL, MSSQL, Oracle, PostgreSQL).
  • Data types of the columns used in the database.
  • Application vulnerabilities in handling user inputs.

Why This is Dangerous:

  • Attackers can map the database structure without needing administrator access.
  • Attackers can also chain the attack with Boolean-based SQL injection and Union-based SQLi to extract user credentials, which makes it a high-impact vulnerability.

Example of Error-based SQL Injections

Adding SQL syntax to user input: In this SQL injection, a hacker inserts a malicious query to get an error that displays a message containing sensitive information about the database. A hacker might try entering SQL syntax in any input field, such as a single quote, a double quote, or an SQL operator like OR, AND, NOT.

For example, take the URL of a site that accepts a parameter from the user:

 https://www.example.org/index.php?item=123

Here the attacker can try inserting any SQL command or operator into the passed value, such as:

 https://www.example.org/index.php?item=123'

In this case, the database could return an error like this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near “VALUE”. This message gives the attacker information such as the database engine in use, the syntax that caused the error, and where that syntax occurred in the query. For an experienced professional hacker, this is enough to tell that the server is insecurely connected to a database and to plan additional SQL injection attacks that will cause damage. An attacker can try several queries using commands like grep extract in input fields and see which of them return an error.
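One way to check that an application is not leaking the kind of message quoted above is to scan its response bodies for known database error text. This is an added example, not code from the original article; the function name and the sample responses are constructed for illustration, and the signature strings are error texts the named engines emit.

```python
import re

# Error-text signatures emitted by real database engines. Seeing one in an
# HTTP response body means the application is exposing raw SQL errors.
DB_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark after the character string"
                        r"|Conversion failed when converting", re.I),
    "PostgreSQL": re.compile(r"syntax error at or near"
                             r"|unterminated quoted string", re.I),
    "Oracle": re.compile(r"ORA-\d{5}"),
}

def find_leaked_db_errors(responses):
    """Return (request_id, status, engine) for each body that leaks a DB error."""
    findings = []
    for request_id, status, body in responses:
        for engine, pattern in DB_ERROR_SIGNATURES.items():
            if pattern.search(body):
                findings.append((request_id, status, engine))
                break  # one finding per response is enough to raise an alert
    return findings

# Constructed sample data: (request id, HTTP status, response body excerpt).
SAMPLE_RESPONSES = [
    ("req-1", 200, "<h1>Item 123</h1><p>Blue widget</p>"),
    ("req-2", 500, "You have an error in your SQL syntax; check the manual "
                   "that corresponds to your MySQL server version for the "
                   "right syntax to use near ''' at line 1"),
    ("req-3", 500, "Conversion failed when converting the varchar value 'a' "
                   "to data type int."),
    ("req-4", 500, "Something went wrong. Reference: 7f3a"),  # generic: fine
    ("req-5", 200, "ERROR: syntax error at or near \"'\""),   # leak with a 200
]

if __name__ == "__main__":
    for request_id, status, engine in find_leaked_db_errors(SAMPLE_RESPONSES):
        print(f"{request_id} (HTTP {status}): response leaks a {engine} error")
```

The same check can run in integration tests or against sampled production responses, so a regression that re-enables verbose errors is caught before an attacker sees it.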

Real-World Examples of SQL Injection Attacks

1. 2012 Yahoo Voices Breach

In July 2012, approximately 450,000 usernames and passwords were leaked by attackers via SQL injection on Yahoo Voices. This breach enabled them to unencrypt sensitive data, which showcased the consequences of imperfect encryption and insufficient input control.

2. Sony Pictures Hack (2014)

In 2014, Sony fell victim to a group called “Guardians of Peace”, which injected malicious SQL code into Sony’s databases. Personnel records, emails, and even unreleased movies were taken in bulk. This incident underscored the severe impact of SQL injection vulnerabilities on corporate data security.

3. 7-Eleven Breach

Utilizing SQL injection, hackers have penetrated the corporate databases of numerous companies, such as the retail 7-Eleven chain. These actions led to the theft of around 130 million credit card numbers, which set a new record for the largest data breach at the time.

4. HBGary Federal Hack (2011)

Members of the Anonymous group hacked the HBGary Federal website, a cybersecurity company, using SQL injection. By doing so, thousands of company emails were stolen, which were then publicly posted, making the breach of the security company more ironic – and infuriating.

5. TalkTalk Data Breach (2015)

In October 2015, the TalkTalk company sustained a data breach due to an SQL injection attack which allowed criminals to gain personal information of about 156,959 users. This breach was costly to the company both financially and in terms of their reputation.

Prevention of Error-Based SQL Injection:

1. Prepared statements: The most secure way to write database queries is to use prepared statements with variable bindings. This is better because it uses parameterized queries, whereas working with dynamic queries is tricky. The developer must define all the SQL code beforehand, and then each parameter is passed to the query. This method prevents almost all SQL injection attacks, as it stops hackers from changing the query’s intent and keeps user input separate from the SQL code. It holds up better against malicious queries entered by users. In rare cases, this method will affect the server’s performance; in that case, other methods can be used.

2. Stored Procedures: This is another way to stop attackers from attacking the system, and if it is implemented correctly, it can completely erase the possibility of SQL injections. With stored procedures, whenever an application needs an SQL query, it is fetched from the database itself, because the queries are defined and stored there.

3. Least Privilege: All the permissions given to applications must be checked; only the necessary ones should be allowed. For example, an application must be permitted to access the database to manipulate the stored data. This reduces the risks related to SQL injection. Many normal-looking apps sometimes request access to the sensitive data present in the database. So it is better to reduce the apps’ permissions and allow only the important ones.
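The difference between a concatenated query that shows its errors and a prepared statement that hides them can be seen side by side. This is an added example, not code from the original article: it uses Python's built-in sqlite3 as a stand-in for the site's database, the table and function names are hypothetical, and the inputs are the ones quoted earlier on this page.

```python
import logging
import sqlite3

log = logging.getLogger("app.db")

def make_db():
    """Constructed in-memory database standing in for the site's item table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("123", "Blue widget"), ("124", "Red widget")])
    return db

def get_item_vulnerable(db, item):
    """Anti-pattern: input concatenated into SQL, raw error sent to the client."""
    try:
        rows = db.execute(
            f"SELECT name FROM items WHERE id = '{item}'").fetchall()
        return {"status": 200, "body": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        return {"status": 500, "body": str(exc)}  # leaks engine/query detail

def get_item_hardened(db, item):
    """Prepared statement: input is bound as data; errors are logged, not shown."""
    try:
        rows = db.execute(
            "SELECT name FROM items WHERE id = ?", (item,)).fetchall()
    except sqlite3.Error:
        log.exception("item lookup failed")  # full detail stays server-side
        return {"status": 500, "body": "Something went wrong."}
    return {"status": 200 if rows else 404, "body": [r[0] for r in rows]}

if __name__ == "__main__":
    db = make_db()
    for value in ("123", "123'", "' OR 1=1 --"):  # inputs quoted on this page
        print(repr(value))
        print("  vulnerable:", get_item_vulnerable(db, value))
        print("  hardened:  ", get_item_hardened(db, value))
```

With the bound parameter, the quote and the OR clause are compared against the id column as plain text, so they match no row and raise no error.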

Conclusion

Error-based SQL injection is a critical variety of SQL injection in which hackers exploit database error messages so that they can extract sensitive data, such as database structure, column names, and user credentials. Attackers use in-band SQL injection techniques based on data-type mismatch errors and time-delay injections to obtain sensitive information. Breaches at Yahoo Voices in 2012, Sony Pictures in 2014, and TalkTalk in 2015 were made possible by exploits in MySQL, MSSQL, PostgreSQL, and Oracle databases.

To protect against error-based SQL injection attacks, security policies must include the use of prepared statements, stored procedures, parameterized queries, and least privilege principles. Exploitation is effortless, so robust security checks and web application firewalls (WAF) are mandatory. Properly concealing error messages while simultaneously monitoring them can greatly reduce the risk.


