Saturday, May 7, 2011

Web Hacking Video Series #1 Automating SQLi with Burp Extractor

Why:
After speaking with many penetration testers, I have realized that web application hacking is a mystery for many testers who typically perform network-based penetration testing but have no prior development knowledge. This post is the first in a series of Web Hacking Video Training posts that will show various techniques that prove useful when you realize all avenues of attack run across HTTP-based protocols, which is typical on external tests.

Future topics:
Will include subjects such as: extensive coverage of the Burp Suite; handling large-scale penetration tests where there are hundreds of hosts running web ports with little else to attack; extensive Burp Suite and Metasploit usage to solve common situations while attacking applications; understanding the underlying code via code reviews and recoding the application; detecting and handling web application firewalls (WAFs), and setting up and coding your own rules for your applications using open source WAFs; profiling web services and discovering hidden functionality; attacking deployable services, upload fields, web shells, etc. Any other ideas?

Targets:
These are just a few ideas I have. I am going to try to use targets that are realistic yet that everyone can follow along with, so I will look for available applications or code up my own application targets as a lab of sorts that I will make available for download. I hate seeing tutorials and not being able to try things out, so I feel your pain and will try to find legal targets or ways for you to practice what I post.

Burp Extractor Video:
This first video is on how to use Burp's Extractor option to enumerate tables and columns and display the data in the Burp Intruder window. This technique is useful when you are trying to use SQLi tools but they are failing, yet you know there is an injection point and need automation to get the job done. This is less about SQLi and more about using Extractor during your testing. This is NOT a SQLi tutorial; this is a Burp Suite tutorial on Burp Extractor ;) My friend Chris shot me an email a while ago regarding Extractor vs. MSSQL, and I thought it was pretty sweeeeet, so I expanded on the idea with some more Burp examples and used it for MySQL, since PHP/MySQL apps are commonly found for download. :)


Automating SQL Injection with BURP Suite Extractor from ficti0n on Vimeo.


Useful Links:

DVWA: http://www.dvwa.co.uk/
Havij (where I grabbed dictionaries from): http://www.itsecteam.com/en/projects/project1_page2.htm
MySQL SQLi cheat sheet (try these out on DVWA, replacing my injections): http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/

4 comments:

  1. Nice, I will be using this in the future. Glad you could expand this to MySQL; you know how much I dislike MySQL.

  2. You flipping love MySQL :) :)

    Yeah, got more stuff in the works.... I actually got a decent MySQLi understanding now... better than before, but I hate SQLi in general, it just kicks my ass.. haha

  3. Well, I also made a small tool online.
    It's a MySQLi mass values extractor :)

    you can test it at

    http://scan.subhashdasyam.com/dumper.php

    If the website contains login info to dump, then use

    http://scan.subhashdasyam.com/dumper-with-login.php

  4. Cool, cool, I will give that page a try, but one problem when you're penetration testing is that we can't use people's online website tools, because we don't know where that data is being sent when it's retrieved if we can't view the source code :P :P