From charlesreid1

This page contains notes on how to use Burp Suite to perform SQL injection attacks.

Burp Suite for SQL Injection

Burp Suite Workflow

The usual workflow when looking for SQL injection vulnerabilities looks something like this:

  • start Burp Suite and open the target site in Burp's embedded browser, so that all traffic passes through the proxy
  • find a page or request containing a parameter that could be vulnerable to SQL injection (anything that ends up in a query: a filter, an id, a search term, a cookie value)
  • turn on intercept, and intercept the request
  • send the request to Repeater (Ctrl-R / Command-R, or from the right-click menu)

Now that you have the request in Repeater, you can modify the parameter with injection payloads, resend, and see the response from the server each time.

Repeater also has the ability to easily URL-encode plain text (Command-U on macOS, Ctrl-U elsewhere, URL-encodes the key characters in the selected text), which matters because spaces, quotes and # in a payload must be encoded before they are sent in a GET parameter.

Finding a Vulnerable Site

Here is an example of an e-commerce website that is vulnerable to SQL injection:

[Image: SQL Injection UNION Attack Burp 1.png]

The category=xyz parameter in the URL is the insecure part of the application: its value is concatenated straight into an SQL query instead of being passed as a bound parameter (or at least escaped).

Shortcut method to check if a parameter is vulnerable to SQL injection: set it to a single quote (') and see whether the server returns an error or otherwise behaves differently.

(If so, the single quote has most likely closed the string literal in the underlying query and left an unbalanced quote behind, so the query failed with a syntax error, meaning user input is not escaped. No visible error does not prove the parameter is safe: the application may be suppressing database errors, in which case boolean-based or time-based payloads are the next check.)

Union Attacks

Link: https://portswigger.net/web-security/sql-injection/union-attacks

Procedure for carrying out a UNION attack:

  • Determine the number of columns
  • Determine the data types of columns
  • Use this information to craft an attack

A UNION attack starts like most SQL injection attacks: with a single quote to close the string literal, followed by the injected SQL, followed by a comment sequence (--) so the rest of the original query is ignored. (On MySQL the comment must be followed by a space, or use # instead.)

Start by finding the number of columns, by using ' UNION SELECT NULL,NULL-- or ' ORDER BY 1--

You'll need to run these a few times: increase the ORDER BY index until the server errors (the last index that worked is the column count), or add NULLs to the UNION SELECT until the error goes away (that number of NULLs is the column count). NULL is used for the placeholders because it is compatible with every column type.

Next, find columns with useful data types by replacing one NULL at a time with a string instead of a NULL: ' UNION SELECT 'a',NULL,NULL,NULL--, then ' UNION SELECT NULL,'a',NULL,NULL--, and so on. A position that returns without error (and shows the 'a' in the response) can carry text; a position that errors is holding a number or some other type.

Now, use that to craft a query. For example, suppose the injection-vulnerable query returns 5 columns, 3 of them are text. Further suppose that we are after usernames and passwords, and we know we can find them in the "users" table. Then we need to craft a query that will result in two columns of text (one column is usernames, other column is passwords) and UNION that with the 5 columns the injection-vulnerable query returns.

If the query returns columns of type string, number, string, string, number, then we could use this value for the category variable:

' UNION SELECT username, NULL, password, NULL, NULL from users--

This would UNION the two columns username/password with the first and third columns returned by the SQL query being injection-attacked.

Note, if the injectable query only returns one usable text column, and you want to retrieve multiple fields from another table with a single UNION query, you can use string concatenation to combine multiple fields into that one column, with a separator character so the values can be split apart again afterwards. The concatenation syntax depends on the database: || on Oracle and PostgreSQL, CONCAT() on MySQL, + on MS SQL.

Examining Databases

In this section we cover some strategies for using UNION attacks to obtain information about the database.

  • Perform the above steps to determine how many columns the injectable query returns and which of them accept text
  • Obtain a list of all tables in the database (also a UNION attack, this time selecting from the database's own catalog)
    • See the cheat sheet for each database's list-all-tables query: https://portswigger.net/web-security/sql-injection/cheat-sheet
    • Columns returned by SELECT * FROM information_schema.tables include the following (MySQL, PostgreSQL, MS SQL; Oracle has no information_schema and uses all_tables instead):
      • TABLE_CATALOG
      • TABLE_SCHEMA
      • TABLE_NAME
      • TABLE_TYPE
    • Usually only TABLE_NAME is needed: put it in one of the text positions found earlier and NULL-pad the rest to the column count
    • Field names of a given table come from information_schema.columns (COLUMN_NAME, DATA_TYPE) filtered by TABLE_NAME; on Oracle, from all_tab_columns filtered by TABLE_NAME
    • Once the field names are known, concatenate the interesting ones into a single text column if the injectable query returns fewer text columns than you need
    • SELECT * FROM sometable only works inside a UNION if that table has exactly the same number of columns (with compatible types) as the injectable query; otherwise name the columns explicitly


Example requests as sent from Repeater (the first enumerates table names; the other two target a users table found that way, whose users_bbdvzx name is whatever the first request revealed for this target):

GET /filter?category='+UNION+SELECT+TABLE_NAME,NULL+FROM+information_schema.tables-- HTTP/1.1

GET /filter?category='+UNION+SELECT+NULL,NULL+FROM+users_bbdvzx-- HTTP/1.1

GET /filter?category='+UNION+SELECT+*+FROM+users_bbdvzx-- HTTP/1.1

The filter query here returns two columns, so the third request relies on users_bbdvzx having exactly two columns as well; if it does not, name the columns explicitly.

Resources

Links

PortSwigger Burp Suite training material:

YouTube

SQL injection lab 7 - querying db type/version on oracle: https://www.youtube.com/watch?v=neeY0iVa_0A

SQL injection lab 8 - querying db type/version on mysql and ms sql: https://www.youtube.com/watch?v=MFTk_LNRW0g