Latest revision as of 21:02, 4 June 2023

This page covers how to perform SQL Injection attacks with Burp Suite.

Burp Suite Training

SQL Injection Labs

Main article: SQL Injection

https://portswigger.net/web-security/sql-injection

Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
https://www.youtube.com/watch?v=alTceRdSxS0
lab doesn't require burp suite, just tinkering with URL parameters
single quotes raising internal errors are a sign of SQL Injection vulnerability

Lab 2: SQL injection vulnerability allowing login bypass

https://portswigger.net/web-security/sql-injection/lab-login-bypass
https://www.youtube.com/watch?v=ML3aGaloczI
lab doesn't require burp suite, just feeding SQL queries into login form
guessing SELECT firstname FROM users WHERE username='admin' AND password='admin'
single quotes raising internal errors are a sign of SQL Injection vulnerability
if at first you don't succeed, try, try again: admin, administrator, etc etc etc
https://www.youtube.com/watch?v=fMPvCyD2v4w
This is another version of the same lab, but using the Python requests library

SQL Injection UNION Attacks

Main article: SQL Injection/UNION Attack

https://portswigger.net/web-security/sql-injection/union-attacks

Lab 3: SQL injection UNION attack, determining the number of columns returned by the query

https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
this page covers a ton of information: SQL Injection/UNION Attack
guide: https://www.youtube.com/watch?v=umXGHbEyW5I

Lab 4: SQL injection UNION attack, finding a column containing text

Lab 5: SQL injection UNION attack, retrieving data from other tables

Lab 6: SQL injection UNION attack, retrieving multiple values in a single column

Examining the Database

Lab 7: SQL injection attack, querying the database type and version on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle

Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

Lab 9: SQL injection attack, listing the database contents on non-Oracle databases

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle

Lab 10: SQL injection attack, listing the database contents on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

Blind SQL Injection

Main article: SQL Injection/Blind

https://portswigger.net/web-security/sql-injection/blind

Lab 11: Blind SQL injection with conditional responses

Lab 12: Blind SQL injection with conditional errors

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
https://www.youtube.com/watch?v=_7w-KEP_K5w
this one takes a while, and is faster to do with the professional edition
visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions)
step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?)
step 2: confirm there is a "users" table in the DB
step 3: confirm there is an administrator user in the users table
step 4: check the length of the password by modifying the same query
step 5: output admin password one character at a time
step 6: automate with cluster bomb type attack

SQL Injection with XML External Entities (XXE)

Main article: XXE

Lab 17: SQL injection with filter bypass via XML encoding

Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

@@ Line 1: / Line 1: @@
-This page covers how to perform [[SQL Injection]] attacks with Burp Suite.
+This page covers how to perform [[SQL Injection]] attacks with [[Burp Suite]].
-==Burp Suite Training Labs==
+=Burp Suite Training=
+==SQL Injection Labs==
+{{Main|SQL Injection}}
+https://portswigger.net/web-security/sql-injection
 Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
@@ Line 19: / Line 25: @@
 * https://www.youtube.com/watch?v=fMPvCyD2v4w
 * This is another version of the same lab, but using the Python requests library
+==SQL Injection UNION Attacks==
+{{Main|SQL Injection/UNION Attack}}
+https://portswigger.net/web-security/sql-injection/union-attacks
+Lab 3: SQL injection UNION attack, determining the number of columns returned by the query
+* https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
+* this page covers a ton of information: [[SQL Injection/UNION Attack]]
+* guide: https://www.youtube.com/watch?v=umXGHbEyW5I
+Lab 4: SQL injection UNION attack, finding a column containing text
+* https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
+* guide: https://www.youtube.com/watch?v=SGBTC5D7DTs
+Lab 5: SQL injection UNION attack, retrieving data from other tables
+* https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
+* guide: https://www.youtube.com/watch?v=6Dsj5SqR944
+Lab 6: SQL injection UNION attack, retrieving multiple values in a single column
+* https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
+* guide: https://www.youtube.com/watch?v=yRVYoqR9vrI
+==Examining the Database==
+Lab 7: SQL injection attack, querying the database type and version on Oracle
+* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle
+Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
+* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft
+Lab 9: SQL injection attack, listing the database contents on non-Oracle databases
+* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle
+Lab 10: SQL injection attack, listing the database contents on Oracle
+* https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle
+==Blind SQL Injection==
+{{Main|SQL Injection/Blind}}
+https://portswigger.net/web-security/sql-injection/blind
+Lab 11: Blind SQL injection with conditional responses
+* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
+* https://www.youtube.com/watch?v=LBG_n9fr8sM
+Lab 12: Blind SQL injection with conditional errors
+* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
+* https://www.youtube.com/watch?v=_7w-KEP_K5w
+* this one takes a while, and is faster to do with the professional edition
+* visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions)
+* step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?)
+* step 2: confirm there is a "users" table in the DB
+* step 3: confirm there is an administrator user in the users table
+* step 4: check the length of the password by modifying the same query
+* step 5: output admin password one character at a time
+* step 6: automate with cluster bomb type attack
+==SQL Injection with XML External Entities (XXE)==
+{{Main|XXE}}
+Lab 17: SQL injection with filter bypass via XML encoding
+* https://portswigger.net/web-security/xxe
+* https://www.youtube.com/watch?v=ELdyZm0nK4g
+==Cheat Sheet==
+https://portswigger.net/web-security/sql-injection/cheat-sheet

Burp Suite/SQL Injection: Difference between revisions

From charlesreid1