Wednesday, June 18, 2014

Combining sqlmap and Burp for the win



We recently had a vulnerability assessment performed by a vendor who reported a possible SQL injection in a web application. I reviewed their results and agreed SQLi was likely due to the application returning a SQL error message under certain conditions.

Through manual testing, I was able to confirm the application was vulnerable to SQLi. When I attempted to use sqlmap to automate enumeration and dumping of the database, however, sqlmap would initially report the parameter was likely vulnerable, but then later report SQLi was not possible. I tried setting the --level and --risk parameters to various settings as well as manually specifying the database type – Microsoft SQL in this case.

While reviewing these results I realized the reason sqlmap was unable to identify and exploit the SQLi was a combination of how the vulnerable parameter was constructed and how sqlmap operates. The application took several parameters, each enclosed in square brackets, like so:
     url.asp?x=[value]&y=[value]

Sqlmap operates by appending its SQLi payload to the end of the parameter value or by replacing the value entirely. For example, sqlmap may send the following request to determine whether parameter x is vulnerable to a time-based blind SQLi:
     url.asp?x=[value' WAITFOR DELAY '0:0:5'--&y=[value]

Manual testing had shown that a single quote appended to the parameter value inside the brackets would produce a SQL error message. No matter what I tried, however, sqlmap was unable to exploit the SQLi and extract the database. As I mentioned earlier, the application took several parameters enclosed in brackets. In reviewing my logs, I found that sqlmap was not terminating the parameter with a closing bracket, as shown above. The application therefore rejected the parameter as badly formatted and threw its own error, so the request never reached the SQL server, which is why sqlmap could not exploit the SQLi.
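The bracket check described above is a format check, not input validation: it happened to reject sqlmap's unterminated payloads, but a well-formed `[value']` still reaches the SQL server. As an added example (written for this post, not taken from the original, sqlmap or Burp), the scanner below walks access-log request lines for this bracketed-parameter format and flags both envelope-breaking values and well-formed values that carry SQL metacharacters, so neither kind of probe goes unnoticed. The log lines are constructed, and the rule that legitimate values are plain alphanumeric identifiers is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request lines (not real traffic) modelled on the
# url.asp?x=[value]&y=[value] format the post describes.
LOG_LINES = [
    "GET /url.asp?x=[1001]&y=[42] HTTP/1.1",                                  # normal
    "GET /url.asp?x=[1001'%20WAITFOR%20DELAY%20'0:0:5'--&y=[42] HTTP/1.1",   # unterminated probe
    "GET /url.asp?x=[1001'%20WAITFOR%20DELAY%20'0:0:5'--]&y=[42] HTTP/1.1",  # well-formed probe
    "GET /url.asp?x=[1001']&y=[42] HTTP/1.1",                                 # single-quote test
]

# A value is well-formed only if it is wrapped in one pair of square brackets.
ENVELOPE_RE = re.compile(r"^\[(.*)\]$", re.DOTALL)
# Assumption: legitimate inner values are short identifiers with no punctuation.
CLEAN_VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]*$")
# Fragments from the single-quote and WAITFOR DELAY probes quoted in the post.
PROBE_RE = re.compile(r"'|--|\bWAITFOR\s+DELAY\b", re.IGNORECASE)


def classify_value(value):
    """Return (envelope_ok, suspicious) for one URL-decoded parameter value."""
    m = ENVELOPE_RE.match(value)
    inner = m.group(1) if m else value  # inspect the whole thing if the envelope is broken
    suspicious = bool(PROBE_RE.search(inner)) or not CLEAN_VALUE_RE.match(inner)
    return (m is not None, suspicious)


def scan_request_line(line):
    """Return [(param, envelope_ok, suspicious)] for each parameter worth reporting."""
    try:
        _method, target, _version = line.split(" ", 2)
    except ValueError:
        return []  # not a request line; nothing to parse
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        envelope_ok, suspicious = classify_value(value)
        if not envelope_ok or suspicious:
            findings.append((name, envelope_ok, suspicious))
    return findings


def scan_log(lines):
    """Map line index -> findings, omitting lines with nothing to report."""
    report = {}
    for i, line in enumerate(lines):
        findings = scan_request_line(line)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for i, findings in scan_log(LOG_LINES).items():
        for name, envelope_ok, suspicious in findings:
            print(f"line {i}: {name}: envelope_ok={envelope_ok} suspicious={suspicious}")
```

Note that line 1 of the sample (the unterminated payload) is exactly the request the application rejected before it reached SQL Server, and line 2 is the shape it takes once a closing bracket is restored; both are reported.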

I spent some time researching how to append a ] to sqlmap’s queries, but I couldn’t find any solution. Back to the drawing board. I’ve used the Match and Replace functionality in Burp’s proxy to manipulate cookie values to my needs in the past. What if this same functionality could be used to insert a ] at the end of sqlmap’s attack string?

Since I knew the URL for this particular part of the application always took the same parameters in the same order, this would be easy to accomplish. Using the Match and Replace function, I created a new rule of the Request header type. Since I was testing the x parameter, I needed to append the ] to sqlmap's input before the y parameter. To do this, I matched on &y= and set the replace to ]&y=.




A test request from the browser through Burp showed the rule was now inserting the ] before the y parameter, allowing sqlmap to work correctly.

The original request:


The modified request:



I fired up sqlmap one more time. This time, sqlmap was able to properly detect and exploit the SQLi and extract the database banner and records.

back-end DBMS operating system: Windows 2003 Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.5057.00 (Intel X86)
        Mar 25 2011 13:50:04
        Copyright (c) 1988-2005 Microsoft Corporation
        Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
---


This was the solution I found to my problem, although I’m sure there are other ways it could have been solved. If you know of a way to accomplish this using only sqlmap, I’d love to hear about it.

--------------------------------------------------
UPDATE

Bernardo Damele (@inquisb) pointed out that --suffix would have accomplished the same effect. After reviewing, I agree. Protip: --suffix doesn't show up when using -h to see the options; you need to use -hh to see all options.