This is a new payload that I'm hoping to incorporate into SQLMap soon (here's the feature request).
Assume a field is vulnerable to error-based SQL injection. SQLMap did a good job mapping out the column names and table names, but couldn't return any data rows. Through some trial and error, it becomes clear I can use a convert error and JOIN to display some data one record at a time (since multiple records will not display). Unfortunately, the WHERE and TOP clauses weren't working, so I had to find another way to integrate through the data rows, so I used LEAD() and LAG(). Hurray, I've got some varchar values coming through!
targetsite.com/vulnerablepage.do?badfield=select LEAD(CoolKeys,0,0) OVER (ORDER BY CoolKeys DESC) from CoolTableName join OtherTable on ArbitraryField=AnotherArbitraryField ...etc.
That was a good start...we get a conversion error on the value, so we get the value displayed, i.e.
Conversion failed when converting the varchar value 's3cretKey' to data type int
However, there was one thing I still needed. I really wanted to chain this with a privilege escalation vulnerability I'd found earlier, and if I could get all the GUID user IDs, including the administrators, then I could become a higher privileged user.
The problem was the SQL injection wasn't returning the GUIDs in my injected SELECT statement. It was a more generic SQL error, which isn't helpful. But I found I could use CONCAT to force the conversion error to show it!
targetsite.com/vulnerablepage.do?badfield=select concat(LEAD(GUIDData,0,0) OVER (ORDER BY GUIDData DESC),'hey') from CoolTableName join OtherTable on ArbitraryField=AnotherArbitraryField
Now the error will show: [GUID value]hey! Yay, I'm admin!
TL;DR:
1.) Use LEAD and LAG for situations where one row must be returned (and WHERE or TOP 1 etc. isn't working)
2.) Use CONCAT to force conversion errors to display uniqueidentifier-type data values through conversion errors
This all applies to bug bounty programs where SQLMap is not allowed, or if that kind of traffic gets you blocked too often.
