Fuzzing for SQL injection with Burp Suite intruder
This article introduces Burp Suite Intruder and shows how it can be used for SQL injection fuzzing.
Burp suite intruder
It is a part of Burp Suite, which is an integrated platform for website security testing [1]. Burp Suite Intruder is helpful when fuzzing for vulnerabilities in web applications.
Let's assume that a penetration tester wants to find SQL injection vulnerabilities. First he needs to intercept the request with Burp Suite Proxy. Then the request is sent to Burp Suite Intruder. After that, the penetration tester needs to define the parameters that will be tested for SQL injection. The next step is defining the payloads and attack type (described later in the article). Then Burp Suite Intruder is launched. When fuzzing is finished, the penetration tester is expected to analyze the output to identify potential vulnerabilities.
Target
DVWA (Damn Vulnerable Web Application) is a web application that is intentionally vulnerable [2]. One can use it to play with web application security stuff.
Let's attack the website in DVWA that is vulnerable to SQL injection. The user is asked to enter User ID. Then the first name and surname of the user are displayed.
DVWA is a part of Metasploitable, which is an intentionally vulnerable Linux-based virtual machine [3]. It can be used to practice penetration testing skills. Please keep in mind that this machine is vulnerable and should not operate in bridge mode.
Request interception, payload position, attack type
Let's set the security level to low (it can be changed using DVWA Security) in DVWA. Then enter User ID, click submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (click right on the request and choose "Send to Intruder"). Then use the "Add" button in Burp Suite Intruder to choose the parameter that will be fuzzed (it is called payload position in Burp Suite Intruder). User ID is sent in parameter id. That's why it is chosen as a payload position.
As can be seen on the screenshot, sniper was chosen as an attack type. Then a single set of payloads is used and the payloads are taken one by one. It starts from the first position. When all payloads from the set are used, the same procedure is executed for the next payload position if it's present. That's why the number of requests generated is a product of the payloads in the set and payload positions.
Set of payloads
A penetration tester can create his own list of payloads or use an existing one. Exemplary payloads can be found, for example, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let's use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
Then choose "Start attack" from the Burp Suite Intruder menu to start fuzzing.
Output analysis and exploitation
Let's see how the website responds to different payloads. As we can observe, the length of the response changes. It is 4699 bytes for baseline request (the one with id equal to 2) and 5005 bytes, when x' or 1=1 or 'x'='y is the payload.
It might suggest that more data was read from the database. Let's check the response for this payload.
As we can see, this payload can be used to extract first names and surnames of all users from the database.
Summary
Burp Suite Intruder was introduced. It can be helpful when fuzzing for vulnerabilities in web applications. Exemplary payloads can be found, for example, in Kali Linux in /usr/share/wfuzz/wordlist/Injections directory. It was presented how to use Burp Suite Intruder for SQL injection fuzzing.
Sources
- Burp Suite (access date: 25 October 2013)
- DVWA (Damn Vulnerable Web Application)(access date: 25 October 2013)
- Metasploitable (access date: 25 October 2013)
- Kali Linux (access date: 25 October 2013)