Inserting an SQL injection via Burp Suite

We’ll often see websites which are supported by SQL databases, either built into the platform or on a backend server.

SQLmap is a key tool to use on these sites to identify the SQL server and to determine whether it’s exploitable. Burp Suite and SQLmap are often used together. Let’s see how we can use them as a tool set to gain access to an SQL database, using the Europa server which we have on our LinkedIn Learning lab.

Let’s make sure the Europa Corp admin portal, which we found using our previous reconnaissance, is in our host file.

We’ll run sudo nano /etc/hosts and add the line 10.10.10.22 admin-portal.europacorp.htb, then save. Okay. Now, in Burp Suite, let’s set the target scope and add https://admin-portal.europacorp.htb, and turn proxy intercept off.

Open a browser and visit https://admin-portal.europacorp.htb. The portal is asking for an email address and a password. Let’s send in a request with a test email address and then check the message exchange in Burp Suite. So we’ll enter test@test.nz.

And for the password we’ll put in password, and log in. Okay. In our target site map we can see we’ve recorded our login POST, and when we check it out we can see that our credentials are at the bottom of the message.

So let’s copy them. We can use SQLmap to check the parameter string containing the credentials we’re posting to the login PHP form: the --data option provides the data portion of the POST, and the --dbms option forces SQLmap to focus on the MySQL database. So we’ll run sqlmap -u https://admin-portal.europacorp.htb/login.php --data= followed by the string we copied from the message, and --dbms=mysql.

Okay. And we’ll take the defaults. Once SQLmap’s finished, we can see that it has identified three ways to inject SQL. Let’s list out the databases.

So we’ll reissue the command and ask it to list the databases. We can see we have the information schema and the admin databases, and we can now see what tables are in the admin database. So we’ll select the database admin… and request the tables. And we have a users table.

So again, let’s set the table to users and just dump out the contents. And here we have our users and password hashes. Let’s take this one step further. We know from SQLmap that there are five columns in the login query. Let’s select the login POST request, right-click on it, and send it to Repeater.

We’ll go to Repeater and use what we learned from SQLmap to inject a union command into our request.

Let’s insert, after the email address, '+or+1=1+limit+1+--+%20 and send that. When we send this we get a redirect, and if we follow the redirection…

We can see that we’re logged in to the website admin. We can take the same request into the browser in the original session. And if we copy the URL and paste it in…

We’ve got the admin portal. We’ve successfully used Burp Suite to inject an SQL union command to circumvent the authentication and gain admin access to the website.
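Why the payload above logs us in comes down to how login.php builds its query, so here is an added example (not the course’s or the lab’s code) that reconstructs the flaw and its fix. It assumes a hypothetical login routine that concatenates the submitted email into the SQL string, uses an in-memory SQLite table with constructed accounts in place of the lab’s MySQL users table, and places the same ' or 1=1 limit 1 -- payload against both the vulnerable and the parameterized version.

```python
import hashlib
import sqlite3

# Constructed stand-in accounts; not data from the lab's users table.
SEED_USERS = [
    ("admin@europacorp.htb", "correct horse battery staple"),
    ("alice@europacorp.htb", "Winter2024"),
]

# The payload from the Repeater step, URL-decoded: the quote closes the email
# literal, "or 1=1" makes the WHERE clause true for every row, "limit 1" keeps
# the first account, and "-- " comments out the password check.
BYPASS_PAYLOAD = "test@test.nz' or 1=1 limit 1 -- "


def sha256(s):
    # Unsalted SHA-256 keeps the example short; a real portal should use a
    # slow salted hash (bcrypt, scrypt or Argon2) for stored passwords.
    return hashlib.sha256(s.encode()).hexdigest()


def make_db():
    """Create an in-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)"
    )
    for email, pw in SEED_USERS:
        conn.execute(
            "INSERT INTO users (email, password_hash) VALUES (?, ?)", (email, sha256(pw))
        )
    return conn


def login_vulnerable(conn, email, password):
    """The pattern sqlmap found: user input spliced straight into the SQL text."""
    query = (
        "SELECT email FROM users WHERE email = '%s' AND password_hash = '%s'"
        % (email, sha256(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterized query: the driver sends values separately, so the quote and
    the SQL keywords in the payload are just characters in an email string."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password_hash = ?",
        (email, sha256(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, BYPASS_PAYLOAD, "anything"))
    print("safe:      ", login_safe(db, BYPASS_PAYLOAD, "anything"))
```

With the concatenated query the payload returns the first row of the table (the admin account here, which is also why "limit 1" matters to the attacker: a multi-row result would make the login code misbehave rather than log someone in), while the parameterized query returns nothing because no account has that literal email address.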
