11. Visible error-based SQL injection

The target contains a SQL injection vulnerability in its cookies. It provides a TrackingId cookie to
keep track of visitors for analytics purposes. The queries to search for this TrackingId are
injectable. When this web application encounters an error in a SQL query, debugging information,
including the SQL query being executed, is returned in the response.

By forcing a type mismatch with the CAST operator, we can leak the administrator password: trying to
cast the password string to an integer causes the SQL query to fail with an error complaining that
the string cannot be cast to an integer. Because the error message quotes the offending string, we
can then extract the password from it.
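An added example, not part of the original write-up or the target's code: a minimal Python/sqlite3 sketch of the cookie lookup, showing the verbose-error behaviour described above beside a hardened version that binds the TrackingId as a parameter and returns a generic error body. The table name, function names and sample data are assumptions, and SQLite stands in for the target's database.

```python
import logging
import sqlite3

log = logging.getLogger("tracking")


def make_db():
    # Constructed sample data; the schema is an assumption for illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO tracking VALUES ('abc123')")
    return db


def lookup_verbose(db, tracking_id):
    """Behaviour the page describes: concatenated query, debug detail in the response."""
    query = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    try:
        found = db.execute(query).fetchone() is not None
        return 200, ("known visitor" if found else "new visitor")
    except sqlite3.Error as exc:
        # Both the database error and the query text reach the client.
        return 500, f"{exc}. SQL: {query}"


def lookup_hardened(db, tracking_id):
    """Cookie value is bound as data; error detail stays in the server log."""
    try:
        row = db.execute(
            "SELECT id FROM tracking WHERE id = ?", (tracking_id,)
        ).fetchone()
        return 200, ("known visitor" if row else "new visitor")
    except sqlite3.Error:
        log.exception("tracking lookup failed")  # full detail, server side only
        return 500, "Internal Server Error"


if __name__ == "__main__":
    db = make_db()
    malformed = "abc123'"  # constructed value with an unbalanced quote
    print(lookup_verbose(db, malformed))   # 500, body echoes the SQL text
    print(lookup_hardened(db, malformed))  # 200, treated as an unknown id
```

Either control alone is incomplete: binding removes the injection, and the generic error body ensures that any remaining database failure exposes nothing to the client.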


Solution