[ToC] ## Extracting sensitive data via verbose SQL error messages (Error-based) :::info :bulb: Misconfiguration of the database sometimes results in verbose error messages. These can provide information that may be useful pto an attacker ::: ### PRACTITIONER Lab: Visible error-based SQL injection  By adding a single quotes we can see server response with status code 500 Internal Server Error and it also print all the failed query In this case, detecting syntax errors during payload writting will be much simpler #### 1. Comfirm the SQL injection vulnerable :heavy_check_mark: Just like previous exercise, server will not reponse result of the query, so we will try to check if the query is true or false by using CASE statement.  Hmmm there is an error :v We can notice that our payload is missing a little bit. May be it because `TrackingId` input string is limited.  Yup our theory was right :3 And with false condition the server will return an error.  #### 2. Figure out the database type and version To check database type, I will use UNION statement.   Error query => Not Oracle, Microsoft or MySQL  No error => Database type is Postgre SQL :::info :bulb: With visible error base message, we can potentially elicit error messages that leak sensitive data returned by our malicious query ::: In Postgre SQL we can using CAST statement. And it will work like this  #### 3. Guessing the table name  With the response from error message, we can confirm if the table exists  #### 4. Guessing the column name    In table `users` there are two interesting column `username` and `password` #### 5. Guessing username and password I try to extract data from the first row of table by using `LITMIT 1`  Fortunately, it administrator =))) Do the same with password column  Now let try to login #### 6. Login to admin account  :::success **Solved** :thumbsup: :::