SQLi Walkthrough
A walkthrough of one of the Burp Academy Labs
One thing to note that is not explained here is the process to identify which DBMS is being used, MSSQL, MySQL, Oracle etc... This is usually carried out first when finding out the injection point by using different comments and verbose error messages, nmap scans.
SQL UNION SELECT
When we enter the room are presented with a web page:
Injection Point
From here we search for our parameter that is injectable, clicking on one of the product categories we find an injection point:
Counting Columns
First we need to craft a statement that will identify how many columns are in the table:
The page loads with 2, and errors at 3, so there are 2 columns we have discovered. we can double check this with the following:
Strings?
Next we have to discover if any of these columns can take a string value, we can add 'a' in place of the null to test this:
Find Table Names
Next we should discover which tables are located within the database.
From the list displayed we can find any interesting tables:
Find Column Names
We now need to discover which columns are within this table, using the following:
Sweet Sweet Data
Now we have the column names we can get the data!
Blind SQL - Conditional Responses
Visit the front page of the shop, and use Burp Suite to intercept and modify the request containing the TrackingId cookie. For simplicity, let's say the original value of the cookie is TrackingId=xyz
Find True
Modify the TrackingId cookie, changing it to: TrackingId=xyz' AND '1'='1. Verify that the "Welcome back" message appears in the response.
Find False
Now change it to: TrackingId=xyz' AND '1'='2 Verify that the "Welcome back" message does not appear in the response. This demonstrates how you can test a single boolean condition and infer the result.
Check Table Exists
Now change it to: TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a Verify that the condition is true (welcome back message should appear), confirming that there is a table called users.
Check User Exists
Now change it to: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a Verify that the condition is true, confirming that there is a user called administrator.
Find length of password
The next step is to determine how many characters are in the password of the administrator user. To do this, change the value to: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a. This condition should be true, confirming that the password is greater than 1 character in length.
Send a series of follow-up values to test different password lengths. Send: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a. Then send: TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>3)='a. And so on. You can do this manually using Burp Repeater, since the length is likely to be short. When the condition stops being true (i.e. when the "Welcome back" message disappears), you have determined the length of the password.
Determine character in each position.
After determining the length of the password, the next step is to test the character at each position to determine its value. This involves a much larger number of requests, so you need to use Burp Intruder. Send the request you are working on to Burp Intruder, using the context menu.
In the Positions tab of Burp Intruder, clear the default payload positions by clicking the "Clear §" button.
In the Positions tab, change the value of the cookie to: TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a. This uses the SUBSTRING() function to extract a single character from the password, and test it against a specific value. Our attack will cycle through each position and possible value, testing each one in turn.
Place payload position markers around the final a character in the cookie value. To do this, select just the a, and click the "Add §" button. You should then see the following as the cookie value (note the payload position markers): TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='§a§
To test the character at each position, you'll need to send suitable payloads in the payload position that you've defined. . Go to the Payloads tab, check that "Simple list" is selected, and under "Payload Options" add the payloads in the range a - z and 0 - 9.
To be able to tell when the correct character was submitted, you'll need to grep each response for the expression "Welcome back". To do this, go to the Options tab, and the "Grep - Match" section. Clear any existing entries in the list, and then add the value "Welcome back".
Launch the attack by clicking the "Start attack" button or selecting "Start attack" from the Intruder menu.
Review the attack results to find the value of the character at the first position. You should see a column in the results called "Welcome back". One of the rows should have a tick in this column. The payload showing for that row is the value of the character at the first position.
Now, you simply need to re-run the attack for each of the other character positions in the password, to determine their value. To do this, go back to the main Burp window, and the Positions tab of Burp Intruder, and change the specified offset from 1 to 2. You should then see the following as the cookie value: TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a
Launch the modified attack, review the results, and note the character at the second offset.
Continue this process testing offset 3, 4, and so on, until you have the whole password.
It is possible to use 2 payloads and a cluster bomb attack to test all combinations at once.
Last updated
