Using Burp to exploit a Blind SQL Injection

Using Burp to exploit a Blind SQL Injection

Posted on June 07, 2012 by Roberto Salgado

Many times I find myself having to write my own tool in order to exploit a Blind SQL Injection which public tools normally would not be able to exploit. It may be because it is behind a WAF/IDS, or for a SQL challenge, or because it is Base64 encoded or some other peculiar situation where normal SQLi attack tools just will not work.

What I will demonstrate in this post is a way of taking a shortcut and avoiding having to create your own program by using Burp Suite which will hopefully save you valuable time. I highly recommend Burp for anyone that is serious about pen-testing. The Pro version is very affordable and has a great ton a features which makes auditing a breeze (the easter egg is hilarious too).

 

Once a target has been set in the scope and a SQL Injection has been located, we send the URL to Burp's Intruder.

Send to Intruder

 

Next step is to define the SQL Injection and the position where the character to be brute-forced will be. For this example, I will be extracting the database().

 

After setting the position, we need to define the payload. We select numbers as our payload and define a range from 32 to 126. If you look at the Ascii table, this range accounts for all the characters that we need.

 

The last step before launching the attack is to set a string to be matched when the query returns true, just like you would with any other SQLi tool. In this case, the string to be matched will be 'lightos'.

 

Now we can go to the menu under Intruder and select Start Attack. This will open a window that will display the results from each request. When the string is matched, it will clearly be displayed and that will indicate which is the correct character.

 

The string was successfully matched on number 84, which is the decimal representation of the letter T. This is the first letter of database(), which value is Test.

 

I have included the following video to better demonstrate the process:

 


Latest Blog Entries

Downloading an Application's Entire Source Code Through an Exposed GIT Directory
Website administrators sometimes inadvertently leave an exposed .git directory, from which it is possible to download the entire source code of the web application using just wget and a common server misconfiguration.

credmap: The Credential Mapper
An overview of credmap, an open source penetration testing tool that automates the process of testing for credential reuse. It does so by testing supplied user credentials on known websites and verifies if the password has been reused on any of these.

New publication: Mastering the Nmap Scripting Engine
We invite you to learn more about the latest publication from our team, "Mastering the Nmap Scripting Engine".

Latest News

Blackhat EU 2015
Websec participated with two tools at the Blackhat, EU Arsenal held in Amsterdam, NL from the 10-13 of November, 2015. During this event, we introduced our brand new tool "credmap: The Credential Mapper" and also presented an amped-up version of Panoptic.

BSides Vancouver 2015
Websec is proud to announce that we will be attending the 3rd annual edition of BSides Vancouver, a local non-profit information security conference held in the heart of Vancouver, BC on March 16 and 17.