In the Using Burp to Detect Blind SQL Injection Bugs article, we examined a few possible means of detecting blind SQL injection vulnerabilities. In this article we go one step further and exploit the vulnerability we discover in the Boolean Condition Injection section of the preceding article. Additionally we explain how to use SQLmap with Burp and escalating a database attack to achieve command injection.
Using Burp Intruder to Exploit Blind Bugs
Previously we had detected a blind SQL injection bug in a intentionally vulnerable training web application.
In the example we are looking for the pin number that corresponds with the cc_number in the screenshot.
To find the pin we could alter the number in the SQL statement and wait for the application to produce a positive "True" response.
To help speed to this task, we can use Burp Intruder to automate the process.
Right click anywhere on the request and click "Send to Intruder".
In the Intruder "Positions" tab, use the buttons on the right of the panel to clear any existing payload position markers and add markers around the pin number.
In the Intruder "Payloads" tab, set the appropriate payload type and payload options.
In this example we wish to inject each possible pin number from 0000-9999.
Then click the "Start attack" button in the top right of the Intruder console.
Starting the attack will open the "Intruder attack" window.
We can use the Grep – Match function in the "Options" tab.
We are looking for an indication that the application has procuced a "True" response.
In this example a "True" response would be signified by the application showing us the "Account number is valid" message.
After applying the "Grep – Match" we can see that the payload "2364" produces a "True" response from the application.
We can confirm the payload is correct and that we have found the correct pin number by submitting the payload in to the form on the page.
Using Burp with SQLMap
SQLMap is a standalone tool for identifying and exploiting SQL injection vulnerabilities.
First, you need to load the SQLiPy plugin by navigating to the Extender "BApp Store" tab, selecting SQLiPy, and clicking the "Install" button.
You can find more about installing extensions and the required environments on our how to install an extension tutorial page.
With the SQLiPy extension installed, go to the SQLiPy "SQLMap API" tab.
Fill out the form with the appropriate details.
In this example we have used the default IP and port configuration.
The other and better option would be to manually start the SQLMap API server on your system (or any other system on which SQLMap is installed).
The command line options are as follows:
python sqlmapapi.py -s -H <IP> -p <Port>
Ensure that the API is running correctly as a server.
Return to Burp and go to the intercepted request you wish to scan.
Right click to bring up the context menu.
The plugin creates a context menu option of “SQLiPy Scan”.
Click "SQLiPy Scan" to send the request to SQLMap.
This will take the request and auto populate information in the SQLiPy "Sqlmap Scanner” tab.
In the same tab, configure the options that you want for the injection testing.
Then click the "Start Scan" button.
Progress and informational messages on scans and other plugin activities are displayed in the extensions SPLiPy “SQLMap Logs” tab.
If the tested page is vulnerable to SQL injection, then the plugin will add an entry to the Target “Site map” tab.
Injecting System Commands Via SQL Injection
A successful exploit of a SQL injection vulnerability often results in the total compromise of all application data.
You may suppose, therefore, that owning all the application’s data is the finishing point for a SQL injection attack. However, there are many reasons why it might be productive to advance your attack further.
One of the most dangerous methods of escalation is command injection.
In this example we explain the xp_cmdshell function in Microsoft SQL Server.
As shown above, it is essential to understand the database you are attacking when attempting to escalate a vulnerability, as every database contains various ways to escalate privileges.
xp_cmdshell allows users with DBA permissions to execute operating system commands in the same way as the cmd.exe command prompt.
You should first confirm the presence of an SQL injection vulnerability using one of the methods prescribed in theprevious tutorial.
You can then attempt to use a stored procedure to execute operating system commands.
However, most instances of Microsoft SQL Server encountered on the Internet will be version 2005 or later. These versions contain numerous security features that lock down the database by default, preventing many useful attack techniques from working.
However, if the web application’s user account within the database has sufficiently high privileges, it is possible to overcome these obstacles simply by reconfiguring the database.
If xp_cmdshell is disabled, it can be re-enabled with the sp_configure stored procedure .