Error-based SQLi enumeration

This technique relies on manipulating any input (for example, query string) to the backend and waiting for an error message to appear.

Nothing is better than a real example, so let me show you one using Mutillidae:

  1. In the home page of Mutillidae, select the following item from the left menu: OWASP 2017 | Injection SQL | SQLi - Extract Data | User Info (SQL).
  1. In the User Lookup page, enter your credentials and hit the View Account Details button:

This page is executing a query in the backend to get our username and password. Let's enter a single quote ' in the name field and check the results:

As you can see at the bottom, we have an error message telling us that the SQL server did not understand our single quote:

select * from accounts where username=''' and password=''
In other words (in the hacker world), the SQL database has executed our single quote as part of the query, hence we can write our own query to extract data from the database. If we try to execute the magic query that we used to bypass the login page (admin' or 1=1 -- ), then guess what? The database will be happy to return all the records in the accounts table.
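To see why the single quote breaks the query and why the login-bypass string returns every row, here is an added example (not from the book or from Mutillidae) that builds the same accounts query two ways: by string concatenation, as the error message above reveals the application does, and with bound parameters. It assumes a constructed in-memory SQLite table with username and password columns standing in for the MySQL table behind Mutillidae; the probe function reports a syntax error or a row count for each variant on the same input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for Mutillidae's accounts table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "adminpass"), ("alice", "alicepass"), ("bob", "bobpass")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str, password: str):
    """The pattern the error message reveals: user input pasted straight into SQL text.
    A lone quote unbalances the literal and the parser rejects the statement."""
    sql = f"select * from accounts where username='{username}' and password='{password}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the SQL text is fixed; the input is bound as data, so a quote
    or a comment marker in it is just characters to compare against."""
    sql = "select * from accounts where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def probe(conn: sqlite3.Connection, username: str, password: str):
    """Run both variants on the same input. Returns (concatenated, parameterized),
    each either a row count or the string "syntax error"."""
    try:
        concat = len(lookup_concatenated(conn, username, password))
    except sqlite3.OperationalError:
        concat = "syntax error"
    param = len(lookup_parameterized(conn, username, password))
    return concat, param


if __name__ == "__main__":
    db = make_db()
    print("single quote:", probe(db, "'", ""))
    print("login bypass:", probe(db, "admin' or 1=1 -- ", "x"))
    print("valid user:  ", probe(db, "alice", "alicepass"))
```

The concatenated variant is the one to look for in code review: any query assembled from request fields with f-strings, format() or + is the same defect the error page exposes.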