Latest revision as of 21:02, 4 June 2023

This page covers how to perform SQL Injection attacks with Burp Suite.

Burp Suite Training

SQL Injection Labs

Main article: SQL Injection

https://portswigger.net/web-security/sql-injection

Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
https://www.youtube.com/watch?v=alTceRdSxS0
lab doesn't require burp suite, just tinkering with URL parameters
single quotes raising internal errors are a sign of SQL Injection vulnerability

Lab 2: SQL injection vulnerability allowing login bypass

https://portswigger.net/web-security/sql-injection/lab-login-bypass
https://www.youtube.com/watch?v=ML3aGaloczI
lab doesn't require burp suite, just feeding SQL queries into login form
guessing SELECT firstname FROM users WHERE username='admin' AND password='admin'
single quotes raising internal errors are a sign of SQL Injection vulnerability
if at first you don't succeed, try, try again: admin, administrator, etc etc etc
https://www.youtube.com/watch?v=fMPvCyD2v4w
This is another version of the same lab, but using the Python requests library

SQL Injection UNION Attacks

Main article: SQL Injection/UNION Attack

https://portswigger.net/web-security/sql-injection/union-attacks

Lab 3: SQL injection UNION attack, determining the number of columns returned by the query

https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
this page covers a ton of information: SQL Injection/UNION Attack
guide: https://www.youtube.com/watch?v=umXGHbEyW5I

Lab 4: SQL injection UNION attack, finding a column containing text

Lab 5: SQL injection UNION attack, retrieving data from other tables

Lab 6: SQL injection UNION attack, retrieving multiple values in a single column

Examining the Database

Lab 7: SQL injection attack, querying the database type and version on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-oracle

Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-querying-database-version-mysql-microsoft

Lab 9: SQL injection attack, listing the database contents on non-Oracle databases

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle

Lab 10: SQL injection attack, listing the database contents on Oracle

https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-oracle

Blind SQL Injection

Main article: SQL Injection/Blind

https://portswigger.net/web-security/sql-injection/blind

Lab 11: Blind SQL injection with conditional responses

Lab 12: Blind SQL injection with conditional errors

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
https://www.youtube.com/watch?v=_7w-KEP_K5w
this one takes a while, and is faster to do with the professional edition
visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions)
step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?)
step 2: confirm there is a "users" table in the DB
step 3: confirm there is an administrator user in the users table
step 4: check the length of the password by modifying the same query
step 5: output admin password one character at a time
step 6: automate with cluster bomb type attack

SQL Injection with XML External Entities (XXE)

Main article: XXE

Lab 17: SQL injection with filter bypass via XML encoding

Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

@@ Line 71: / Line 71: @@
 Lab 11: Blind SQL injection with conditional responses
 * https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
-* https://www.youtube.com/watch?v=LBG_n9fr8sM&themeRefresh=1
+* https://www.youtube.com/watch?v=LBG_n9fr8sM
@@ Line 78: / Line 78: @@
 * https://www.youtube.com/watch?v=_7w-KEP_K5w
 * this one takes a while, and is faster to do with the professional edition
-* visit a page, capture request, add a single quote to a cookie TrackingId parameter to raise a 500 error
+* visit a page, capture request, and tamper with the cookie tracking ID parameter (per exercise instructions)
+* step 1: prove parameter is vulnerable (sql injection is possible, but can we inject valid SQL?)
+* step 2: confirm there is a "users" table in the DB
+* step 3: confirm there is an administrator user in the users table
+* step 4: check the length of the password by modifying the same query
+* step 5: output admin password one character at a time
+* step 6: automate with cluster bomb type attack
-step 1: prove parameter is vulnerable
+==SQL Injection with XML External Entities (XXE)==
-* to prove the parameter is vulnerable to SQL injection, use concat operator <code>||</code>
-* <code><nowiki>' || (select '') || '</nowiki></code>
-* this is a well-formatted SQL query, but returns a 500 error
-* weird, because this should work, not return a 500 error
-* indication that this could be an oracle database, since it requires a FROM clause to be well-formatted
-* <code><nowiki>' || (select '' from dual) || '</nowiki></code>
-* Paste that SQL into the Cookie TrackingId, use Control + U to URL encode it
-* dual is a built-in Oracle database
-* this works, indicating this is, in fact, an Oracle database
-* but if we replace "dual" with "dualoiweuroqiurepoiquwer" then it fails
-step 2: confirm users table exists in database
+{{Main|XXE}}
-* <code>' || (select '' from users) || '</code>
-* this returns an internal server error
-* the problem may be with the number of fields returned (???)
-* modify query to the following:
-* <code>' || (select '' from users where rownum = 1) || '</code>
-* that returns a 200, indicating there is, in fact, a users table in the daatabase
-step 3: confirm the administrator user exists in the users database
+Lab 17: SQL injection with filter bypass via XML encoding
-* to do this: modify prior SQL query
+* https://portswigger.net/web-security/xxe
-* <code><nowiki>' || (select '' from users where username='administrator') || '</nowiki></code>
+* https://www.youtube.com/watch?v=ELdyZm0nK4g
-* the problem: either way, this will return a 200 (if there is no administrator user, just doesn't return anything)
-* solution: add conditional, and divide by zero if conditional is met
-* <code><nowiki>' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '</nowiki></code> should cause an error
-* <code><nowiki>' || (select CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || '</nowiki></code> should NOT cause an error
-* now we can use that to check for the username:
-* <code><nowiki>' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || '</nowiki></code>
-* the FROM section is executed first. if it is true, then it executes the select portion of the query (which raises an error). if it is false, then it skips the select portion of the query, so it never outputs an error.
-* in other words, 200 response means user does not exist in database
-step 4: check the length of the password by modifying the same query
-* <code><nowiki>' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>1) || '</nowiki></code>
-* the FROM section is executed first. if it is true (if password length > 1), it raises a 500 error. increment 1 until you get the final length of the password (whatever password length it returns 200 for).
-* to generate lots of requests, right-click request and choose Send to Intruder
-* Intruder > Positions > Clear
-* select "1" (password length) and choose Add
-* Intruder > Payloads > Numbers, sequential, from 1 to 50, step count of 1
-* when payload of 20 is sent, it returns a 200 status code
-* so, we know length of password is 20 (condition is not met when > 20)
-step 5: output the administrator password
-* we have 20 characters to enumerate
-* modify query from preceding, but use substring function
-* <code><nowiki>' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and SUBSTR(password,1,1)='a') || '</nowiki></code>
-* how does this work?
-* first thing that gets run is the FROM clause, which checks if there is a users table and a username administrator, and it checks if the first character is equal to a. if so, it will run the CASE statement, which will run the code that raises the error.
-* 200 response means first character of password is NOT a
-* 500 response means first character of password IS a
-* copy that SQL query and put it into Repeater:
-* copy and paste into TrackingId
-* Control + U to URL encode it
-* 200 response - meaning a is not the first character of the password
-* Intruder > Positions > Clear
-* select "a" and choose Add,
-* then go to Intruder > Payloads
-* Payload Type: Brute forcer (tries all the alphanumeric characters)
-* min length = 1, max length = 1
-* generates 36 requests,
-* looking for one 500 response ("w")
-* next, try for second, then third, and so on.
-* instead of doing that 20 times, automate it:
-step 6: automate the attack in burp suite
-* Intruder > Positions
-* Change Attack type to Cluster bomb
-* select substring position number "1" and choose Add. select character "a" being checked and choose Add.
-* Intruder > Payloads
-* payload parameter 1 - position - Numbers type (from 1, to 20, step 1) - iterates over each letter position.
-* payload parameter 2 - letter - Brute forcer (all alphanumeric characters, min length = max length = 1)
-* this will generate 720 requests total
 ==Cheat Sheet==
 https://portswigger.net/web-security/sql-injection/cheat-sheet

Burp Suite/SQL Injection: Difference between revisions

From charlesreid1