Burp dumping database through injection point

Source: Internet
Author: User

From: http://www.bhst.org & http://nightx.info/
Web security testing often turns up weak injection points. For various reasons the injection cannot yield the site's administrator account or administrative access, and uploading a shell is out of reach, yet it still exposes the web application's privilege level and the contents of the database, and that data is often exactly what we need.
When we only need the data in one table, such as member information, and lack the database privileges to export it directly, we can use the injection to pull the rows out one at a time. The small trick shared here uses Burp Suite to streamline that process.
Tools such as Pangolin and sqlmap can dump data once an injection is confirmed, but each has its limits: Pangolin can fetch rows one by one but crashes easily, and sqlmap is sometimes slow. Burp avoids both problems.
Take a local environment as the example. The injection point is:

http://192.168.191.155/dvwa/vulnerabilities/sqli/?id=1' union select user, password from users limit 0,1--+&Submit=Submit#

On the DVWA platform a plain union select user, password from users would already expose every account in a single response; limit 0,1 is added only to simulate an environment where the data has to be dumped one row at a time.
Basic Burp usage is not covered here; see the earlier articles by xiaoice. Use Burp to intercept the request the browser submits.

Right-click and choose Send to Intruder. On the Positions tab, Clear all of the § markers. Because we dump the data one row at a time, the only payload position is the LIMIT offset: limit §1§,1.

Payloads: for this demonstration the payload is the Numbers type, the 11 values from 0 to 10.
On the Options tab, configure Grep - Extract so the captured values are easy to save. Open the Extract sub-tab and add an extract item.
Looking at the response, the strings First name: and Surname: sit directly before the values we want, so use them as the start-after expressions and set the end delimiter to <.

The marker strings must be adjusted for each environment; once you understand the method, the adjustment is straightforward.

If the page source contains no other occurrences of the markers, the two items above (First name: and Surname:) are enough.

If the same marker text appears more than once in the page source, add several extract items, one per occurrence.

That way at least one of them will always capture the data we need.
Once the above is configured, click Start attack.

The last step is to save the dumped data: select the columns of value and save the results table to a file.

The following is an example of a dump file.

Finally, for injection points discovered by tools such as Pangolin, WSExplorer can be used to capture the tool's own packets directly, which gives you the exact request to hand to Burp.
In my experience the advantages of dumping data with Burp come down to two. First, Burp can be customized quickly for different test environments, with a high degree of freedom. Second, it is comparatively efficient, and in that respect tools such as Pangolin fall behind. The same process can of course also be implemented with a script.
