Burp Suite/SQL Injection: Difference between revisions
From charlesreid1
No edit summary |
|||
| (20 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
This page covers how to perform SQL | This page covers how to perform [[SQL Injection]] attacks with [[Burp Suite]]. | ||
=Burp Suite Training= | =Burp Suite Training= | ||
| Line 64: | Line 64: | ||
==Blind SQL Injection== | ==Blind SQL Injection== | ||
{{Main|SQL Injection/Blind}} | |||
https://portswigger.net/web-security/sql-injection/blind | https://portswigger.net/web-security/sql-injection/blind | ||
Lab 11: Blind SQL injection with conditional responses | |||
* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses | |||
* https://www.youtube.com/watch?v=LBG_n9fr8sM | |||
Lab 12: Blind SQL injection with conditional errors | |||
* https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors | |||
* https://www.youtube.com/watch?v=_7w-KEP_K5w | |||
* this one takes a while, and is faster to do with the professional edition | |||
* visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions) | |||
* step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?) | |||
* step 2: confirm there is a "users" table in the DB | |||
* step 3: confirm there is an administrator user in the users table | |||
* step 4: check the length of the password by modifying the same query | |||
* step 5: output admin password one character at a time | |||
* step 6: automate with cluster bomb type attack | |||
==SQL Injection with XML External Entities (XXE)== | |||
{{Main|XXE}} | |||
Lab 17: SQL injection with filter bypass via XML encoding | |||
* https://portswigger.net/web-security/xxe | |||
* https://www.youtube.com/watch?v=ELdyZm0nK4g | |||
==Cheat Sheet== | ==Cheat Sheet== | ||
https://portswigger.net/web-security/sql-injection/cheat-sheet | https://portswigger.net/web-security/sql-injection/cheat-sheet | ||
Latest revision as of 21:02, 4 June 2023
This page covers how to perform SQL Injection attacks with Burp Suite.
Burp Suite Training
SQL Injection Labs
https://portswigger.net/web-security/sql-injection
Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
- https://www.youtube.com/watch?v=alTceRdSxS0
- lab doesn't require burp suite, just tinkering with URL parameters
- single quotes raising internal errors are a sign of SQL Injection vulnerability
Lab 2: SQL injection vulnerability allowing login bypass
- https://portswigger.net/web-security/sql-injection/lab-login-bypass
- https://www.youtube.com/watch?v=ML3aGaloczI
- lab doesn't require burp suite, just feeding SQL queries into login form
- guessing
SELECT firstname FROM users WHERE username='admin' AND password='admin' - single quotes raising internal errors are a sign of SQL Injection vulnerability
- if at first you don't succeed, try, try again: admin, administrator, etc etc etc
- https://www.youtube.com/watch?v=fMPvCyD2v4w
- This is another version of the same lab, but using the Python requests library
SQL Injection UNION Attacks
https://portswigger.net/web-security/sql-injection/union-attacks
Lab 3: SQL injection UNION attack, determining the number of columns returned by the query
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
- this page covers a ton of information: SQL Injection/UNION Attack
- guide: https://www.youtube.com/watch?v=umXGHbEyW5I
Lab 4: SQL injection UNION attack, finding a column containing text
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
- guide: https://www.youtube.com/watch?v=SGBTC5D7DTs
Lab 5: SQL injection UNION attack, retrieving data from other tables
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
- guide: https://www.youtube.com/watch?v=6Dsj5SqR944
Lab 6: SQL injection UNION attack, retrieving multiple values in a single column
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
- guide: https://www.youtube.com/watch?v=yRVYoqR9vrI
Examining the Database
Lab 7: SQL injection attack, querying the database type and version on Oracle
Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
Lab 9: SQL injection attack, listing the database contents on non-Oracle databases
Lab 10: SQL injection attack, listing the database contents on Oracle
Blind SQL Injection
https://portswigger.net/web-security/sql-injection/blind
Lab 11: Blind SQL injection with conditional responses
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
- https://www.youtube.com/watch?v=LBG_n9fr8sM
Lab 12: Blind SQL injection with conditional errors
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
- https://www.youtube.com/watch?v=_7w-KEP_K5w
- this one takes a while, and is faster to do with the professional edition
- visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions)
- step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?)
- step 2: confirm there is a "users" table in the DB
- step 3: confirm there is an administrator user in the users table
- step 4: check the length of the password by modifying the same query
- step 5: output admin password one character at a time
- step 6: automate with cluster bomb type attack
SQL Injection with XML External Entities (XXE)
Lab 17: SQL injection with filter bypass via XML encoding
Cheat Sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet