Burpsuite/SQL Injection: Difference between revisions
From charlesreid1
No edit summary |
|||
| Line 3: | Line 3: | ||
This page contains notes on how to use Burp Suite to perform SQL injection attacks. | This page contains notes on how to use Burp Suite to perform SQL injection attacks. | ||
= | =Union Attacks= | ||
{{Main|SQL Injection/UNION Attack}} | |||
==Determining Number of Columns Returned for an Attack== | |||
{{Main|SQL_Injection/UNION_Attack#Determining_Number_of_Columns_Returned_for_an_Attack}} | |||
===Example - Determine Number of Columns=== | |||
Fire up Burp Suite, switch to the Proxy tab, and open the browser. Log into the Port Swigger training site online. | |||
Here is a simple e-commerce website with a built-in SQL injection vulnerability: | |||
[[Image:SQL Injection UNION Attack Burp 1.png|500px]] | |||
Note the <code>category=xyz</code>, which is the insecure portion of the application - this value is substituted into an SQL query without being sanitized first | |||
[[Image:SQL Injection UNION Attack Burp 2.png|500px]] | |||
We use the UNION SELECT payloads in this case. Trying with 1 or 2 NULL values returns a server error: | |||
[[Image:SQL Injection UNION Attack Burp 3.png|500px]] | |||
But once we try with 3 NULL values, the server successfully renders the page | |||
[[Image:SQL Injection UNION Attack Burp 4.png|500px]] | |||
===Another Example: Order By, and Non-Microsoft SQL Server=== | |||
MS SQL databases accept <code>--</code> to start comments, but if it's not an MS SQL database, it may not accept the <code>--</code>. Instead, you need to use a hash sign to terminate the query early. | |||
In this case, the procedure covered above needs to change slightly. Let's also cover how to use ORDER BY instead of SELECT NULL. | |||
We start with the same vulnerable web application with its vulnerable "category" URL parameter: | |||
<pre> | |||
/filter?category=xyz | |||
</pre> | |||
Start out by browsing to that page in the Burp proxy. Turn on Intercept Traffic and refresh the page. You should now see the request for the /filter URL, with its "category" value set. | |||
Now right click on this request, and send to repeater. Then you can turn off Intercept Traffic, and switch over to Repeater. | |||
Here's what the un-tampered-with request might look like: | |||
[[Image:SQL Injection UNION Attack Burp 9a.png|500px]] | |||
Now we can use the following SQL query in place of the category: <code>' ORDER BY 1--</code> | |||
(This will try to order the results that are being returned by the /filter URL by the first column. Increment to 2, 3, 4, etc. to discover how many columns the SQL query being attacked is returning.) | |||
This request, when URL-encoded, is easy enough that we probably don't need Burp to do it for us: <code>'+ORDER+BY+1--</code> | |||
However, in some cases, this will still return a 500 error: | |||
[[Image:SQL Injection UNION Attack Burp 9b.png|500px]] | |||
In this case, we can try terminating the query string with a hash sign: <code>' ORDER BY 1 #</code> | |||
The hash sign must be URL-encoded, and Burp Suite will come in handy because it has built-in capabilities to obtain the URL-encoded version of a string. | |||
When in repeater, and modifying the request URL, you can type the SQL query in a way that is NOT URL-encoded, and then select the text, and click Command-U to URL-encode the text. | |||
Before: | |||
[[Image:SQL Injection UNION Attack Burp 9c.png|500px]] | |||
After: | |||
[[Image:SQL Injection UNION Attack Burp 9d.png|500px]] | |||
Once we send that request, we see the server return a 200 code, meaning we can continue on with our ORDER BY attacks to enumerate columns. | |||
[[Image:SQL Injection UNION Attack Burp 9e.png|500px]] | |||
==Determining Column Data Types== | |||
{{Main|SQL_Injection/UNION_Attack#Determining_Column_Data_Types}} | |||
===Example - Determine Data Type of Columns=== | |||
Start with the same vulnerable e-commerce application, and still using the un-sanitized "category" variable. Start by repeating the attack shown above, to verify we are still dealing with the same number of columns: | |||
<pre> | |||
/filter?category='+UNION+SELECT+NULL,NULL,NULL-- | |||
</pre> | |||
confirm that the page renders and does not return any error, indicating we are dealing with 3 columns: | |||
[[Image:SQL Injection UNION Attack Burp 5.png|500px]] | |||
Now we modify the query: | |||
<pre> | |||
/filter?category='+UNION+SELECT+'a',NULL,NULL-- | |||
</pre> | |||
This returns an internal server error, so the first column is not a string type: | |||
[[Image:SQL Injection UNION Attack Burp 6.png|500px]] | |||
When we try the second column, the web application successfully renders the page, which means the second column returned is a string type: | |||
<pre> | |||
/filter?category='+UNION+SELECT+NULL,'a',NULL-- | |||
</pre> | |||
[[Image:SQL Injection UNION Attack Burp 7.png|500px]] | |||
The last column is not a string type either, | |||
<pre> | |||
/filter?category='+UNION+SELECT+NULL,NULL,'a'-- | |||
</pre> | |||
[[Image:SQL Injection UNION Attack Burp 8.png|500px]] | |||
==Retrieving Data from Other Columns== | |||
{{Main|SQL_Injection/UNION_Attack#Retrieving_Data_from_Other_Columns}} | |||
===Example - Retrieve Data from Other Columns=== | |||
Start with the same e-commerce web application with the same SQL injection vulnerability in the category variable. | |||
[[Image:SQL Injection UNION Attack Burp 9.png|500px]] | |||
We start by repeating the two SQL injection attacks covered above, to verify that the products page is returning two fields, and that both fields are strings. | |||
Now, we know that the products category page is fetching two string columns, and so we can do a UNION attack and fetch two other string columns. In this case, the username and password columns of the users table. | |||
Craft the SQL injection query: | |||
<pre> | |||
/filter?category='+UNION+SELECT+username,password+FROM+users-- | |||
</pre> | |||
This will create a query that is the union of usernames/passwords with the (empty) products query: | |||
[[Image:SQL Injection UNION Attack Burp 10.png|500px]] | |||
==Retrieving Multiple Values in One Column== | |||
{{Main|SQL_Injection/UNION_Attack#Retrieving_Multiple_Values_in_One_Column}} | |||
===Example - Retrieving Multiple Values in One Column=== | |||
[[Image:SQL Injection UNION Attack Burp 11.png|500px]] | |||
=Examining the Database= | |||
{{Main|SQL Injection/UNION Attack#Examining the Database}} | |||
== | ==Querying the Database Type and Version== | ||
{{Main| | {{Main|SQL_Injection/UNION_Attack#Querying_the_Database_Type_and_Version}} | ||
===Example - Retrieving Database Version from Oracle=== | |||
== | ===Example - Retrieving Database Version from MySQL and MS SQL=== | ||
=Resources= | =Resources= | ||
| Line 30: | Line 186: | ||
==YouTube== | |||
Helpful video covering the MySQL and MS SQL version vulnerabilities: https://www.youtube.com/watch?v=MFTk_LNRW0g | |||
Revision as of 00:05, 15 March 2022
This page contains notes on how to use Burp Suite to perform SQL injection attacks.
Union Attacks
Determining Number of Columns Returned for an Attack
Example - Determine Number of Columns
Fire up Burp Suite, switch to the Proxy tab, and open the browser. Log into the Port Swigger training site online.
Here is a simple e-commerce website with a built-in SQL injection vulnerability:
Note the category=xyz, which is the insecure portion of the application - this value is substituted into an SQL query without being sanitized first
We use the UNION SELECT payloads in this case. Trying with 1 or 2 NULL values returns a server error:
But once we try with 3 NULL values, the server successfully renders the page
Another Example: Order By, and Non-Microsoft SQL Server
MS SQL databases accept -- to start comments, but if it's not an MS SQL database, it may not accept the --. Instead, you need to use a hash sign to terminate the query early.
In this case, the procedure covered above needs to change slightly. Let's also cover how to use ORDER BY instead of SELECT NULL.
We start with the same vulnerable web application with its vulnerable "category" URL parameter:
/filter?category=xyz
Start out by browsing to that page in the Burp proxy. Turn on Intercept Traffic and refresh the page. You should now see the request for the /filter URL, with its "category" value set.
Now right click on this request, and send to repeater. Then you can turn off Intercept Traffic, and switch over to Repeater.
Here's what the un-tampered-with request might look like:
Now we can use the following SQL query in place of the category: ' ORDER BY 1--
(This will try to order the results that are being returned by the /filter URL by the first column. Increment to 2, 3, 4, etc. to discover how many columns the SQL query being attacked is returning.)
This request, when URL-encoded, is easy enough that we probably don't need Burp to do it for us: '+ORDER+BY+1--
However, in some cases, this will still return a 500 error:
In this case, we can try terminating the query string with a hash sign: ' ORDER BY 1 #
The hash sign must be URL-encoded, and Burp Suite will come in handy because it has built-in capabilities to obtain the URL-encoded version of a string.
When in repeater, and modifying the request URL, you can type the SQL query in a way that is NOT URL-encoded, and then select the text, and click Command-U to URL-encode the text.
Before:
After:
Once we send that request, we see the server return a 200 code, meaning we can continue on with our ORDER BY attacks to enumerate columns.
Determining Column Data Types
Example - Determine Data Type of Columns
Start with the same vulnerable e-commerce application, and still using the un-sanitized "category" variable. Start by repeating the attack shown above, to verify we are still dealing with the same number of columns:
/filter?category='+UNION+SELECT+NULL,NULL,NULL--
confirm that the page renders and does not return any error, indicating we are dealing with 3 columns:
Now we modify the query:
/filter?category='+UNION+SELECT+'a',NULL,NULL--
This returns an internal server error, so the first column is not a string type:
When we try the second column, the web application successfully renders the page, which means the second column returned is a string type:
/filter?category='+UNION+SELECT+NULL,'a',NULL--
The last column is not a string type either,
/filter?category='+UNION+SELECT+NULL,NULL,'a'--
Retrieving Data from Other Columns
Example - Retrieve Data from Other Columns
Start with the same e-commerce web application with the same SQL injection vulnerability in the category variable.
We start by repeating the two SQL injection attacks covered above, to verify that the products page is returning two fields, and that both fields are strings.
Now, we know that the products category page is fetching two string columns, and so we can do a UNION attack and fetch two other string columns. In this case, the username and password columns of the users table.
Craft the SQL injection query:
/filter?category='+UNION+SELECT+username,password+FROM+users--
This will create a query that is the union of usernames/passwords with the (empty) products query:
Retrieving Multiple Values in One Column
Example - Retrieving Multiple Values in One Column
Examining the Database
Querying the Database Type and Version
Example - Retrieving Database Version from Oracle
Example - Retrieving Database Version from MySQL and MS SQL
Resources
Links
Port Swigger Burp Suite training material:
- What is SQL injection? https://portswigger.net/web-security/sql-injection
- SQL injection union attacks: https://portswigger.net/web-security/sql-injection/union-attacks
- Examining the database: https://portswigger.net/web-security/sql-injection/examining-the-database
- Blind SQL injection: https://portswigger.net/web-security/sql-injection/blind
- Cheat sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet
YouTube
Helpful video covering the MySQL and MS SQL version vulnerabilities: https://www.youtube.com/watch?v=MFTk_LNRW0g