
Author Topic: How To Use Burp And SQLMap Together For SQLi  (Read 1368 times)

Offline Grey-Matter

How To Use Burp And SQLMap Together For SQLi
« on: July 27, 2016, 12:45:50 PM »
 So this is just a quick guide to using Burp and SQLMap together for SQLi.

What You Need:

Burp
SQLMap
Firefox (Optionally with Firebug and FoxyProxy to make life easier)
Optional: Metasploit/nc/ncat. One of my favorite things about sqlmap is that after it exploits the injection, it gives you the option for a shell or a meterpreter session


Step 1
Starting Burp and getting it setup

Once you start burp and click past the opening screens, the first thing you're gonna need is SQLMapper, which is a feature of the CO2 Plugin

So Click on the Extender Tab, and then the BApp store



 This is the plugin we're gonna install



 After you install it, you'll see a new tab labeled CO2 in burp. And SQLMapper is inside there. You can right click on any request and choose to just send it over to it.

Now there's actually 3 legitimate ways I know of to use Burp and SQLMap together. I'm only gonna go over 2 of them: the kinda manual way, and the CO2/SQLMapper plugin. There's also an SQLiPy plugin that you can install. I don't use this much myself. You open an sqlmap api listener in another terminal, and sqlipy kinda just ships everything over to that session. I'm always ctrl+c'ing and changing stuff, so I prefer the other ways.

Ok so I'm using Mutillidae for this tut, so I'm just gonna be putting my virtual network into my burp scope. But you can set this up however u want. You can only allow certain ips/subnets like I'm doing, you can allow everything except specific things, you can just allow everything. Burp's extremely useful for a lot more than this, so there's plenty of reasons to set it up any which way.

Here's a simple scope of my virtual net



You'll most likely see a lot more than just ur subnet showing up in ur site map, cuz the way burp finds things is by spidering and scraping all the pages, looking for links and references to links. When a site in ur Site Map is like a little faded, or not as dark as the ip ur attacking, this is because burp is only acknowledging its existence and showing it to you. But it hasn't attempted to connect to it. So don't think you're unintentionally spidering 100 extra links.

Next, click on the proxy tab, and click on the Options sub-tab
Double check that the proxy is listening on the ip/interface and port you want it to
For the purposes of this tut, just ignore the rest of that page. Click on the Intercept tab next and if it doesn't say "On", hit the button, so it does.



 Now you have a transparent burp proxy filtering anything you send to that ip and port.

Next
If you don't already have FoxyProxy installed in ur browser, we're gonna install FoxyProxy Basic. I chose basic, cuz if this is the only thing you're gonna use it for, it's easier just to have "On" or "Off" than different profiles and stuff.



 When you first open it, you need to click "Add New Proxy". then Click "Manual" and input the ip and port you set in burp.



 From now on, you'll just need to right click in any webpage and turn it on or off whenever u need to. It's pretty convenient for stuff like this



 OK, All Prepped!!!!!!

Now time to pick a target. I still have my bwapp vm installed from raven's great THS-SQLi course, so it was easy for me to just open that and choose Mutillidae. I strongly urge you use SOME sort of virtual or lab environment. But please don't think you need to choose an intentionally vulnerable webapp vm for this to work. I promise that's not the case.

 

So the 2 main ways that sqlmap reads input are from the command line and from input files you specify on the command line. The SQLMapper plugin is nice because it kinda gives you a gui to set everything up with perfect syntax, and just copy and paste onto the command line. The manual(ish) way is to intercept the request when you submit the login form, or post the comment, or do something that is gonna end up interacting with the sql database. Then you create a text file from your request, add like 2 small things, and then feed it to sqlmap. This is real useful, cuz you can just keep a leafpad or whatever open and keep saving it as u make changes, and it's always open in ur workspace. Also, you'll quickly figure out how to create post and get requests on ur own (if you don't already know how). Understanding how webservices communicate with each other is a pretty big deal if ur interested in pentesting.

If you're actually reading this tut to learn how to do these things, i definitely recommend using both of these methods because they both have their own benefits.

For example, SQLMapper is both incredibly convenient, and also gives you the bonus of being able to send a perfectly formed POST or GET to sqlmap directly on the command line. After you click all your checkboxes and set all your options, all you need to do is right click in the main txt box right under "SQLMap Command", choose copy all. Then find a terminal, type sqlmap and paste the command.

Also you can right click on any request inside burp and send it straight to SQLMapper.

Here's some screenshots to explain it better






 That was a full attack from right clicking in the site map thru to sql injection, control of the database, and a good chance at pwning the machine


On the other hand, sometimes sqlmap performs better with input files, and SQLMapper is missing some really good sqlmap options (such as os-shell, os-pwn, os-cmd & fingerprint off the top of my head), and also still has a few deprecated ones in the menu. Of course you can still add these yourself. But keep in mind that sqlmapper only exists as a burp plugin. And there's a million ways to copy a post request like the other method. Netcat, Firebug/Inspect Element, Tamper-Data, ZAP & every proxy that works similar, wireshark, tcpdump, etc.

Finally, we get to my favorite method

This is what a standard POST request looks like when I try to login to that page with random creds.



And this is what it looks like when I send it into sqlmap



Notice the only differences are where I put the arrows.
The asterisks "*" are basically bullseyes for sqlmap, telling it where to inject
And the rest is just making sure it has a stable url to work with regardless of how the post request is arranged

Just copy the entire POST request, open a text file, and paste it. Add the URL: field at the top and separate it from the POST with the Request:
Put **'s after the values of the parameters you want injected, and save the file under like post.txt or something.
I recommend just leaving the file open on ur desktop while you're testing. So you can change details and paste new requests as they come up. Just remember to save the file before u try a new injection



And that's how u send it to sqlmap. Just sqlmap -r FILE. The --flush-session I put there is just because sqlmap keeps session progress in a db file after you close it, then it resumes when it recognizes the ip. So I was just getting rid of the progress I made with the sqlmapper method. --fingerprint is similar to --banner, it just does a little better job of enumerating IMO.



 As you can see, both methods work. :)

Anyway, hope this helps somebody.....

===================================

As always, this is meant for testing purposes and learning security the legal way. I take no responsibility for anybody's bad ideas except my own.
« Last Edit: July 27, 2016, 01:18:37 PM by Grey-Matter »

Offline H4v0K

Re: How To Use Burp And SQLMap Together For SQLi
« Reply #1 on: July 27, 2016, 01:16:50 PM »
That's that good shit right thurrr. Thanks for sharing and keep them coming :) +1

Offline ch3rn0byl

Re: How To Use Burp And SQLMap Together For SQLi
« Reply #2 on: July 27, 2016, 01:35:29 PM »
Too sick dude!! Fuck yea!! This is the shit I like to see!
I'm actually bookmarking this for future references when I have to move on to webapp, unfortunately blehhh
well put together man :)
The quieter you become, the more you are unlikely to sound stupid.

Offline Grey-Matter

Re: How To Use Burp And SQLMap Together For SQLi
« Reply #3 on: July 27, 2016, 01:38:02 PM »
Thanx guys :).  Glad you like it

Offline TAPE

Re: How To Use Burp And SQLMap Together For SQLi
« Reply #4 on: February 17, 2017, 02:29:05 PM »
A belated acknowledgement of an awesome post!

dude.. job well done
Take all the advice you like and then tell everyone to **** off and do your own thing -- Gitsnik

Offline Grey-Matter

Re: How To Use Burp And SQLMap Together For SQLi
« Reply #5 on: March 08, 2017, 06:55:22 PM »
Y thank you my good man.  I aim  2 please.
Praise Xena