Wednesday, September 2, 2009

Burp Suite Tip of the Day (BToD) Intruder > Using recurvsive grep for SQLi


This post was inspired by both @portswigger book entitled "The Web Application Hacker's Handbook" and reminded and reiterated to me by @jack_mannino. Portswigger is obviously a legend in the community and Jack is a just a really really experienced Appsec/Pen-test/SE so I encourage you to add/follow both on twitter!

Anyways, accolades aside, lets begin shall we?

So it is pretty simple. You have SQL Injection. Its in the USER_ID field. This value is actually a string value which equates to a user name. So for instance, the value might be 'jdoe' (first initial, last name). Your SQLi looks like: ‘ or 1 in (select min(username) from users where user_id > ‘j’)-- and this returns

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e07’
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value 'jdoe’ to a column of data type int.

Okay, so we know we can do this alphabetically!

Essentially the next command you would inject would be

‘ or 1 in (select min(username) from users where user_id > ‘jdoe’)--

This returns

Microsoft OLE DB Provider for ODBC Drivers error ‘80040e07’
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ‘jdos’ to a column of data type int.

Alrighty, we don't want to continue this process manually do we? It is like. we want to extract all of the user names in a beautifully automated fashion right? Okay, here we go.

Capture the SQLi request in the intercepting proxy of burp. Right click on it and send to intruder.


Now the next part is important. We are actually using the server RESPONSES as input for the payload. Pretty awesome right? Navigate over to Intruder > Options tab. You need to select the portion of the response that gives you valuable information as the input. So in our case, anything after the varchar value ' is what we will use. This will be where the username is extracted. We want to end the string at ' as well because the string is returned between two single quotations. This is how it should look for your options:


Now you just need to choose the payload. Navigate to Intruder > payloads. Choose the payload 'recursive grep' from the drop down list. I've created my first payload at 'j'. It looks something like this.


At this point you are almost ready. Just choose your position. I've shown you how in this pic (clicked 'add' and placed j as the position to use the payload)


Now you are set. Go to the very top of Burp Suite, drop down from Intruder and click 'start'.

Comments and suggestions for the next post are welcome.

As always, enjoy and happy hacking!
cktricky

No comments: