Burp Suite/SQL Injection: Difference between revisions
From charlesreid1
| Line 16: | Line 16: | ||
* guessing <code>SELECT firstname FROM users WHERE username='admin' AND password='admin'</code> | * guessing <code>SELECT firstname FROM users WHERE username='admin' AND password='admin'</code> | ||
* single quotes raising internal errors are a sign of [[SQL Injection]] vulnerability | * single quotes raising internal errors are a sign of [[SQL Injection]] vulnerability | ||
* | * if at first you don't succeed, try, try again: admin, administrator, etc etc etc | ||
Revision as of 16:13, 21 May 2023
This page covers how to perform SQL Injection attacks with Burp Suite.
Burp Suite Training Labs
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
- https://www.youtube.com/watch?v=alTceRdSxS0
- lab doesn't require burp suite, just tinkering with URL parameters
- single quotes raising internal errors are a sign of SQL Injection vulnerability
Lab: SQL injection vulnerability allowing login bypass
- https://portswigger.net/web-security/sql-injection/lab-login-bypass
- https://www.youtube.com/watch?v=ML3aGaloczI
- lab doesn't require burp suite, just feeding SQL queries into login form
- guessing
SELECT firstname FROM users WHERE username='admin' AND password='admin' - single quotes raising internal errors are a sign of SQL Injection vulnerability
- if at first you don't succeed, try, try again: admin, administrator, etc etc etc