From charlesreid1

 
This page covers how to perform [[SQL Injection]] attacks with [[Burp Suite]].


=Burp Suite Training=


==SQL Injection Labs==
 
{{Main|SQL Injection}}
 
https://portswigger.net/web-security/sql-injection
 
Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
* https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
* https://www.youtube.com/watch?v=alTceRdSxS0

Lab 2: SQL injection vulnerability allowing login bypass
* https://portswigger.net/web-security/sql-injection/lab-login-bypass
* https://www.youtube.com/watch?v=ML3aGaloczI
* guessing <code>SELECT firstname FROM users WHERE username='admin' AND password='admin'</code>
* single quotes raising internal errors are a sign of [[SQL Injection]] vulnerability
* if at first you don't succeed, try, try again: admin, administrator, etc etc etc
* another walkthrough of the same lab, solved with the Python requests library instead of Burp: https://www.youtube.com/watch?v=fMPvCyD2v4w
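The login query guessed at above, as an added example (my own code, not the lab's application and not from the original page): a Python sqlite3 version of the concatenated query beside its parameterized fix, showing why a stray single quote produces an internal error in one and a plain "no match" in the other. The users table and its rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example: a throwaway in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, firstname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "admin", "Alice"), ("wiener", "peter", "Peter")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the query the notes above guess at, built by string
    concatenation, so a quote in the input is parsed as part of the SQL."""
    sql = ("SELECT firstname FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Fixed form: identical query, but the values are bound parameters and
    are never parsed as SQL, whatever characters they contain."""
    sql = "SELECT firstname FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(login, username, password):
    """Run one login attempt and classify the outcome the way a tester reads
    the response: ('ok', firstname-or-None) for a well-formed query, or
    ('sql_error', message) when the database rejects the statement, which is
    the internal-error signal the notes above describe."""
    conn = make_db()
    try:
        return ("ok", login(conn, username, password))
    except sqlite3.DatabaseError as exc:  # syntax errors arrive as OperationalError
        return ("sql_error", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, "admin/admin ->", probe(fn, "admin", "admin"))
        print(name, "admin'/x    ->", probe(fn, "admin'", "x"))
```

The concatenated version turns `admin'` into a malformed statement and leaks a database error to the caller; the parameterized version simply finds no matching row.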
 
==SQL Injection UNION Attacks==
 
{{Main|SQL Injection/UNION Attack}}
 
https://portswigger.net/web-security/sql-injection/union-attacks
 
Lab 3: SQL injection UNION attack, determining the number of columns returned by the query
* https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
* this page covers a ton of information: [[SQL Injection/UNION Attack]]
* guide: https://www.youtube.com/watch?v=umXGHbEyW5I
 
Lab 4: SQL injection UNION attack, finding a column containing text
* https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
* guide: https://www.youtube.com/watch?v=SGBTC5D7DTs
 
Lab 5: SQL injection UNION attack, retrieving data from other tables
* https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
* guide: https://www.youtube.com/watch?v=6Dsj5SqR944
 
Lab 6: SQL injection UNION attack, retrieving multiple values in a single column
* https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
* guide: https://www.youtube.com/watch?v=yRVYoqR9vrI
 
==Examining the Database==
 
Lab 7: SQL injection attack, querying the database type and version on Oracle
* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle
 
Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft
 
Lab 9: SQL injection attack, listing the database contents on non-Oracle databases
* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle
 
Lab 10: SQL injection attack, listing the database contents on Oracle
* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle
 
==Blind SQL Injection==
 
{{Main|SQL Injection/Blind}}
 
https://portswigger.net/web-security/sql-injection/blind
 
Lab 11: Blind SQL injection with conditional responses
* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
* https://www.youtube.com/watch?v=LBG_n9fr8sM
 
 
Lab 12: Blind SQL injection with conditional errors
* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
* https://www.youtube.com/watch?v=_7w-KEP_K5w
* this one takes a while, and is faster with Burp Suite Professional
* visit a page, capture the request, and tamper with the tracking ID cookie parameter (per the exercise instructions)
* step 1: prove the parameter is vulnerable (SQL injection is possible, but can valid SQL be injected and executed?)
* step 2: confirm there is a "users" table in the DB
* step 3: confirm there is an administrator user in the users table
* step 4: check the length of the password by modifying the same query
* step 5: output the admin password one character at a time
* step 6: automate with an Intruder cluster bomb attack
 
==SQL Injection with XML External Entities (XXE)==
 
{{Main|XXE}}
 
Lab 17: SQL injection with filter bypass via XML encoding
* https://portswigger.net/web-security/xxe
* https://www.youtube.com/watch?v=ELdyZm0nK4g
 
==Cheat Sheet==
 
https://portswigger.net/web-security/sql-injection/cheat-sheet

Latest revision as of 21:02, 4 June 2023
