Blind SQL Injection with Burp Suite

Hi readers, it’s been a while since the last post. Today I will be talking about how we can get the database (DB) user variable and the version of SQL Server using Burp Suite Intruder.

During an engagement, I found a blind SQL injection, and unfortunately SQLMap did not work, so I had to obtain the DB user variable and version manually. The following payload was submitted in parameter “p”. The application took 12 milliseconds to respond to the request, as shown in the figure below:

' waitfor delay'0:0:12'--

The figure below shows that the application took 12 milliseconds to respond:

Application responds after 12 milliseconds.

Based on the above figure, the back-end database is believed to be MSSQL. The same request was then sent to Burp Intruder and the following payload was added at parameter “p” to obtain the length of the USER variable in SQL Server:

'if (len(user)=§1§) waitfor delay '00:00:10'--

The tester has marked “1” in the above payload as the Burp Suite Intruder insertion point, as shown in the figure below:

Marked “1” for Burp Suite Intruder.

The author selected Sniper as the attack type and Numbers as the payload type (from 1 to 30). We will be guessing the USER variable length from 1 to 30.

Selected payload.

Before running Burp Intruder, ensure that Burp Suite is configured (Project options – Connections – Timeouts) to time out after 9 seconds and that Burp Intruder is using 1 thread. This is important because if a correct payload is guessed, the application will respond only after 10 seconds. For example, if the guess “A” is correct, the application will respond after 10 seconds, but Burp will terminate the connection at 9 seconds; the timed-out request is what shows us that “A” was correct.

Burp Suite timeout changed from 120 to 9.
Burp Suite Intruder set to 1 thread.
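The timing side channel this post relies on exists only because the value of “p” is concatenated into the SQL statement. As an added example (not code from the original post), the following Python contrasts the vulnerable string-built query with a parameterised one. It uses an in-memory sqlite3 database as a stand-in for MSSQL so that it runs offline; the table and column names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the application's database. sqlite3 is
# used so the example runs offline; against MSSQL with pyodbc the bound-
# parameter form below is written the same way, with "?" placeholders.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.execute("INSERT INTO pages (slug, body) VALUES ('home', 'welcome')")
    conn.commit()
    return conn


# The post's first probe: a closing quote, a WAITFOR DELAY, and a comment
# marker that swallows the rest of the statement.
TIMING_PAYLOAD = "' waitfor delay'0:0:12'--"

QUERY_PREFIX = "SELECT body FROM pages WHERE slug = "


def vulnerable_sql(p: str) -> str:
    """How the vulnerable application builds its statement: by string
    concatenation. Returns the SQL text so it can be inspected; on MSSQL the
    resulting statement would pause for 12 seconds before answering."""
    return f"{QUERY_PREFIX}'{p}'"


def payload_escapes_literal(p: str) -> bool:
    """True when the concatenated statement no longer holds the user value as
    one string literal, i.e. the input changed the statement's structure.
    Counting quotes is crude, but any unescaped quote in the input leaves the
    tail of the statement with more than the two delimiting quotes."""
    tail = vulnerable_sql(p)[len(QUERY_PREFIX):]
    return tail.count("'") != 2 or not tail.endswith("'")


def safe_lookup(conn: sqlite3.Connection, p: str):
    """Hardened form: the user value is bound as a parameter. The database
    receives the statement and the value separately, so the quote, WAITFOR
    and comment in the payload are just characters compared against slug."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (p,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_sql(TIMING_PAYLOAD))          # quote closed, delay injected
    print(payload_escapes_literal("home"))         # False: ordinary value
    print(payload_escapes_literal(TIMING_PAYLOAD)) # True: structure changed
    print(safe_lookup(db, "home"))                 # 'welcome'
    print(safe_lookup(db, TIMING_PAYLOAD))         # None: treated as data
```

The `payload_escapes_literal` check is the kind of assertion worth keeping in a unit test for any code path that still builds SQL by concatenation: it fails the moment a quote in the input reaches the statement unescaped, which is exactly the condition every payload in this post depends on.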

The figure below shows that the length of the USER variable is three (3):

USER variable has length 3.

Using the same method, the author changed the payload to the following. This time the author marked 1 and 100 as the Burp Suite Intruder insertion points and used Cluster bomb as the attack type.

' if (ascii(lower(substring((user),§1§,1)))=§100§) waitfor delay '00:00:10'--

Since we know the USER variable length is 3, the author set payload 1 to numbers from 1 to 3, while payload 2 ranges from 48 to 126 (ASCII). The figure below shows the marked values for Burp Suite Intruder and the payload values:

Marked values for Burp Intruder.
Payload 1.
Payload 2.

Upon running Burp Intruder, the author got 3 requests that had no response (timed out), as shown in the figure below:

USER Variable.

The author then converted the ASCII values to text, with the following result:
Payload 2 = 100 = ASCII to text = d
Payload 2 = 98 = ASCII to text = b
Payload 2 = 111 = ASCII to text = o

This means that the USER variable is dbo. The author then changed to the following payload to obtain the version of the SQL Server and marked “1” and “a” as the Burp Intruder insertion points:

'if+(((substring((@@version),§1§,1)))='§a§')+waitfor+delay'0:0:10'--

Numbers from 1 to 40 are chosen for payload 1, while payload 2 contains alphanumeric values from a-z, A-Z and 0-9. The figure below shows the marked values for Burp Suite Intruder and the payload values:

Marked values for Burp Intruder.
Payload 1.
Payload 2.
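Each of the three payload shapes used in this post (the plain WAITFOR DELAY probe, the len/substring/ascii probes against the user variable, and the @@version probe) leaves a recognisable trace in the web server's access log, and the successful guesses additionally show up as responses that took about as long as the requested delay. As an added example (not from the original post), the following Python scans constructed access-log lines for those traces and summarises them per client address. The log format with a trailing response-time field and the 5-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes taken from this post: an MSSQL WAITFOR DELAY, a probe against
# the user variable via len/substring/ascii, and a probe against @@version.
SIGNATURES = {
    "mssql_time_delay": re.compile(r"waitfor\s+delay\s*'?\d{1,2}:\d{1,2}:\d{1,2}", re.I),
    "user_probe": re.compile(r"\b(len|substring|ascii)\s*\(.*\buser\b", re.I),
    "version_probe": re.compile(r"@@version", re.I),
}

# Constructed log lines: combined format plus a final field holding the
# response time in seconds (an assumption; the position of that field depends
# on the server's LogFormat). The requests mirror the post's three stages.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:10:01:02 +0000] "GET /page?p=home HTTP/1.1" 200 512 0.031
10.0.0.5 - - [10/Mar/2020:10:01:09 +0000] "GET /page?p=%27+waitfor+delay%270:0:12%27-- HTTP/1.1" 200 512 12.004
10.0.0.5 - - [10/Mar/2020:10:02:10 +0000] "GET /page?p=%27if+(len(user)%3D3)+waitfor+delay+%2700:00:10%27-- HTTP/1.1" 200 512 10.012
10.0.0.5 - - [10/Mar/2020:10:02:11 +0000] "GET /page?p=%27if+(len(user)%3D4)+waitfor+delay+%2700:00:10%27-- HTTP/1.1" 200 512 0.028
10.0.0.5 - - [10/Mar/2020:10:03:00 +0000] "GET /page?p=%27if+(((substring((%40%40version),1,1)))%3D%27M%27)+waitfor+delay%270:0:10%27-- HTTP/1.1" 200 512 10.009
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<secs>[\d.]+)$'
)


def parse_line(line: str):
    """Split one log line into fields; the URL is percent-decoded so the
    signatures match the payload as the database saw it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["url"] = unquote_plus(entry["url"])
    entry["secs"] = float(entry["secs"])
    return entry


def scan_log(text: str, slow_threshold: float = 5.0):
    """Return one finding per line that carries an injection signature or took
    longer than slow_threshold seconds. A signature together with a slow
    response is the mark of a guess the database confirmed."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        sigs = [name for name, rx in SIGNATURES.items() if rx.search(entry["url"])]
        delayed = entry["secs"] >= slow_threshold
        if sigs or delayed:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "sigs": sigs,
                             "secs": entry["secs"], "delayed": delayed})
    return findings


def per_source_summary(findings):
    """Count, per client address, how many flagged requests carried a payload
    signature and how many actually stalled the server. A source with many of
    both is enumerating one character per stalled request."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"probes": 0, "delayed": 0})
        s["probes"] += int(bool(f["sigs"]))
        s["delayed"] += int(f["delayed"])
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        flag = "DELAYED" if f["delayed"] else "       "
        print(f"{f['ts']} {f['ip']} {f['secs']:7.3f}s {flag} {f['sigs']}")
    print(per_source_summary(found))
```

Matching on the decoded URL matters: Burp and most clients send the payload percent-encoded, so a rule written against the raw request line would miss `%27` and `%40%40version`. The response-time half of the rule is what distinguishes a scanner firing blind from an injection that actually executed, since only the latter produces a run of responses clustered at the requested delay.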

The following is the result from Burp Suite Intruder. As can be seen in the figure below, the back-end database is Microsoft SQL Server 2017:

Microsoft SQL Server 2017 used by the application.

Reference:
https://depthsecurity.com/blog/blind-sql-injection-burpsuite-like-a-boss
https://blog.yappare.com/2015/10/using-head-to-optimize-time-based-sql.html
