MySQL Error Based - EXTRACTVALUE Function

Context

This article focuses on exploiting MySQL error-based SQL injection using the EXTRACTVALUE function. The objective is to leverage the error messages MySQL produces for malformed XPath expressions in order to extract sensitive information from a database. The reader is expected to be familiar with SQL syntax, XPath expressions, error handling in MySQL, and basic MySQL error-based injection techniques.

Theory

EXTRACTVALUE Function in MySQL

EXTRACTVALUE(xml_frag, xpath_expr) is a MySQL function that returns the text matched by an XPath expression within an XML fragment. If the XPath expression is not syntactically valid, MySQL aborts the statement with an error that quotes the invalid expression verbatim. This is what makes EXTRACTVALUE useful for error-based SQL injection: an attacker builds the expression from data read out of the database (the CONCAT in the queries below prefixes a ':' byte, 0x3a, so the result is never valid XPath), and the error message then carries that data back to the client. The typical attack sequence is therefore to inject such malformed XPath expressions and read the sensitive values out of the resulting MySQL error messages.

Error-Based SQL Injection

Error-based SQL injection is a technique whereby attackers exploit the error messages produced by a database to extract sensitive information. It works by manipulating SQL queries so that the database engine generates errors containing useful data. By carefully crafting these erroneous SQL statements, attackers can learn the database structure and possibly access confidential data. The technique depends on the application returning the raw database error to the client; generic error pages remove the channel entirely.

XPath Injection in MySQL

XPath injection targets the execution of XPath expressions within SQL statements. The vulnerability arises when applications integrate user input into SQL queries without proper validation or parameterization, so that the input can reach XPath-processing functions such as EXTRACTVALUE. In MySQL, this lets attackers exploit XPath processing errors to disclose data.

Practice

MySQL Error Based SQL Injection using EXTRACTVALUE

To perform an SQL injection using the EXTRACTVALUE function:

  1. Identify Injectable Parameters:
    • Begin by scanning the web application for parameters that might be vulnerable to SQL injection. These are often located in URLs, form fields, and HTTP headers.

  2. Extract Database Name:
    • Execute the following SQL query to induce an error message revealing the database name:
      SELECT EXTRACTVALUE(1, CONCAT(0x3a, (SELECT database())));

  3. Analyze the Error Message:
    • Carefully review the error message returned by MySQL. The error should quote the malformed XPath expression, and therefore the current database's name.

  4. List Table Names in the Database:
    • Use the following SQL query to extract the first table name from the current database schema:
      SELECT EXTRACTVALUE(1, CONCAT(0x3a, (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)));

  5. Map the Database Schema:
    • Repeat the query from step 4 with an adjusted LIMIT offset to list additional table names, then inspect each table's structure and data in the same way.
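As an added example (not part of the original article), the following Python snippet shows the defender's side of the sequence above: it URL-decodes request query strings from constructed access-log lines, flags EXTRACTVALUE() calls together with the supporting indicators the payloads rely on (CONCAT(0x..., information_schema, database()), and checks whether a response body echoes MySQL's raw XPath error, which is the channel the whole technique depends on. All log lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines, not real traffic. Requests 2 and 3 carry
# the two EXTRACTVALUE payloads from the Practice section, URL-encoded as a
# browser or tool would send them; request 4 is benign text that looks similar.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=7%27%20AND%20EXTRACTVALUE(1,CONCAT(0x3a,(SELECT%20database())))--%20- HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=7%27%20AND%20extractvalue(1,concat(0x3a,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)))%23 HTTP/1.1" 500 240
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=extract+value+from+xml HTTP/1.1" 200 1024
"""

# Combined-log-format request line: client, method, path (with query), status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Matched against the URL-decoded, lower-cased query string.
PRIMARY = re.compile(r'\bextractvalue\s*\(')        # the XPath error channel itself
SECONDARY = [
    ('hex-concat', re.compile(r'\bconcat\s*\(\s*0x')),  # 0x3a separator trick
    ('information_schema', re.compile(r'\binformation_schema\.')),
    ('database()', re.compile(r'\bdatabase\s*\(\s*\)')),
]

def scan_access_log(log_text):
    """Return one finding per request whose decoded query string calls
    EXTRACTVALUE(); each finding lists the supporting indicators seen."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        query = unquote_plus(path.split('?', 1)[1]).lower() if '?' in path else ''
        if not PRIMARY.search(query):
            continue
        hits = ['extractvalue'] + [name for name, rx in SECONDARY if rx.search(query)]
        findings.append({'ip': ip, 'path': path.split('?', 1)[0],
                         'status': int(status), 'indicators': hits})
    return findings

# MySQL reports a malformed XPath expression as error 1105 and quotes the
# offending string verbatim; an application that echoes it leaks CONCAT's result.
XPATH_ERROR_RE = re.compile(r"XPATH syntax error: '([^']*)'")

def leaked_value(response_body):
    """Return the string echoed in a raw MySQL XPath error, or None if absent."""
    m = XPATH_ERROR_RE.search(response_body)
    return m.group(1) if m else None
```

A non-None result from leaked_value() on a production response is the finding to act on: the fix is parameterized queries plus generic error pages, not filtering of the request.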

Result

By employing the EXTRACTVALUE function for error-based SQL injection, attackers can iteratively extract the database schema and potentially sensitive data. This demonstrates the power and risk of error-based vulnerabilities when compounded with poor input handling and verbose error reporting.

Tools

  • sqlmap: A popular tool for automating SQL injection attacks, including error-based techniques that use the EXTRACTVALUE function.
  • Burp Suite: Provides manual testing capabilities for identifying and exploiting SQL injection vulnerabilities.
