Using SQL Error Messages for SQL Injection
SQL error messages can be used for SQL injection. Here we take SQL Server as an example:
In a SQL query that uses a group by clause, every non-aggregate field in the select list must also appear in the group by clause. If the query is select *, all column names in the table must be included in group by. If a column name is missing, an error is returned with the following message:
The column 'column name' in the selected list is invalid because it is not included in the aggregate function or group by clause.
The column named in this message follows the column order of the table, so in SQL injection the error can be used to enumerate all columns:
First use: select * from <table name> having 1 = 1
The first column name is displayed in the error message.
Then use: select * from <table name> group by <first column name>
The second column name is displayed in the error message.
And so on, we will enumerate all columns.
Other error messages reveal a lot of information in the same way. For example, a type conversion fails when the value in the query condition has a different type from the column:
select * from Class where name = 3
A message is displayed, indicating that an error occurred while converting the nvarchar value 'high number' to data type int.
In this way, we learn the value of the name column in the first row;
And so on.
Of course, database errors are generally not displayed directly on the application interface. What the application interface displays is determined entirely by the program. (PS: presumably this is also the reason for the error page!)
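As an added example (not part of the original page), the following response filter shows one way a program can keep these two messages off the application interface: it recognises the standard English wording of SQL Server errors 8120 and 245, records what would have leaked in a server-side log, and returns a generic page instead. The function names, the generic message, the column name Class.id and the sample responses are assumptions constructed for illustration.

```python
import re
import uuid

# Standard English wording of SQL Server error 8120 (group by) and error 245
# (conversion failure), the two messages discussed above.
LEAK_PATTERNS = {
    "column_name": re.compile(
        r"Column '([^']+)' is invalid in the select list because it is not "
        r"contained in either an aggregate function or the GROUP BY clause",
        re.IGNORECASE),
    "row_value": re.compile(
        r"Conversion failed when converting the (?:n?varchar|n?char) value "
        r"'([^']*)' to data type \w+",
        re.IGNORECASE),
}

GENERIC_BODY = "An internal error occurred. Reference: {ref}"

def find_leaks(body):
    """Return [(kind, leaked_text)] for every database error found in body."""
    leaks = []
    for kind, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(body):
            leaks.append((kind, match.group(1)))
    return leaks

def scrub_response(body, log):
    """Replace a leaking response with a generic page; keep details server-side."""
    leaks = find_leaks(body)
    if not leaks:
        return body
    ref = uuid.uuid4().hex[:12]          # correlation id shown to the user
    log.append({"ref": ref, "leaks": leaks})
    return GENERIC_BODY.format(ref=ref)

# Constructed sample responses (hypothetical application output).
SAMPLES = [
    "<h1>Error</h1>Column 'Class.id' is invalid in the select list because it "
    "is not contained in either an aggregate function or the GROUP BY clause.",
    "<h1>Error</h1>Conversion failed when converting the nvarchar value "
    "'high number' to data type int.",
    "<h1>Class list</h1><p>3 results</p>",
]

if __name__ == "__main__":
    server_log = []
    for sample in SAMPLES:
        print(scrub_response(sample, server_log))
    print(server_log)
```

A filter like this is a safety net for responses that slip through; the program's own error handling and parameterized queries remain the primary control.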