CO2 Plugin to automate SQL Injection

gayatri r
8 min read · Oct 19, 2022

Burp Suite offers multiple extensions to ease testing via automation. The CO2 extension has its own configuration tab with sub-tabs for each CO2 module. Modules that interact with other Burp tools can be disabled from within the CO2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.

Navigate to the BApp Store in the Extender tab and select the CO2 plugin. Click the Install button to load the plugin.

The plugin is now visible under the extensions tab as shown in the screenshot below.

This article explains how CO2 SQLMapper can be used to automate SQL injection testing from the Burp Suite proxy.

SQLMapper is a sqlmap helper. Right-click on any request in Burp and you will see a new menu option to send the request to SQLMapper. The SQLMapper screen appears pre-populated with the URL, POST data (if applicable) and cookies (if applicable) from the request. You can then set any other options you need and copy/paste the generated sqlmap command to sqlmap on your command line.

Download the latest version of the sqlmap zip from the website https://sqlmap.org/

Extract the downloaded sqlmap zip file. Then configure the plugin with the paths to Python and sqlmap: click the Config button as shown in the screenshot below.

Note: The prerequisite for running the plugin is to have Python 3.x installed on the system.

The plugin configuration opens another window for setting the path of the sqlmap Python file and the python3 executable.

Once the plugin has been configured, click the Run button to check whether it is working.

If it is properly configured, it opens sqlmap in a command prompt as shown in the screenshot below.

Testing the Plugin:

http://testphp.vulnweb.com/ is an intentionally vulnerable web application that is vulnerable to SQL injection. A Burp Suite active scan shows that the application is vulnerable to SQL injection, as shown below:

Burp Suite shows that the POST parameter “uuname” is vulnerable to SQL injection; it uses sleep conditions to check whether the application responds to SQL queries passed in the parameter.

Send the same request to the Repeater tab to check whether the finding is a false positive or a real issue.

Observe that the payload +(select*from(select(sleep(20)))a)+’ passed in the POST parameter took 20252 milliseconds to return a response, as shown in the image below.

For further confirmation, pass the payload +(select*from(select(sleep(30)))a)+’ in the POST parameter and observe that the application takes longer to respond than it did for the previous request.
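Seen from the server side, this delay check leaves a recognisable trace: a parameter value containing sleep(N) paired with a response time of at least N seconds. The Python detector below is an added example, not part of the original article; the log format, client addresses, sqlmap version string and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log, one request per line:
#   client|response_ms|user_agent|url-encoded POST body
SAMPLE_LOG = """\
10.0.0.5|20252|Mozilla/5.0|uuname=a%27%2b(select*from(select(sleep(20)))a)%2b%27&upass=x
10.0.0.5|30310|Mozilla/5.0|uuname=a%27%2b(select*from(select(sleep(30)))a)%2b%27&upass=x
10.0.0.5|212|sqlmap/1.6#stable (https://sqlmap.org)|uuname=a%27%20AND%20SLEEP(5)--%20-&upass=x
10.0.0.5|95|sqlmap/1.6#stable (https://sqlmap.org)|uuname=a%27&upass=x
10.0.0.9|180|Mozilla/5.0|uuname=alice&upass=secret
10.0.0.9|9400|Mozilla/5.0|uuname=bob&upass=sleepyhead
"""

# MySQL-style sleep(N) call with a literal number of seconds.
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+)\s*\)", re.IGNORECASE)


def scan(log_text):
    """Return (client, parameter, verdict) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, ms, agent, body = line.split("|", 3)
        payload_seen = False
        for name, value in parse_qsl(body, keep_blank_values=True):
            match = SLEEP_RE.search(value)
            if not match:
                continue
            payload_seen = True
            # A response at least as long as the requested sleep means the
            # database ran the injected call; a fast one is only an attempt.
            ran = int(ms) >= int(match.group(1)) * 1000
            findings.append((client, name, "executed" if ran else "attempted"))
        # sqlmap's default User-Agent starts with "sqlmap/" unless overridden.
        if not payload_seen and agent.lower().startswith("sqlmap/"):
            findings.append((client, "-", "scanner"))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

An "executed" verdict is the one to escalate: it means the parameter is injectable, not merely probed. The slow request from 10.0.0.9 is not flagged because latency alone, without a sleep payload, is not evidence of injection.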

Burp Suite has already reported that the backend database used by the application is MySQL.

In the Repeater tab, remove the SQLi payload from the “uuname” parameter in the request and replace its value with “*”.

The “*” tells sqlmap to treat the “uuname” variable as the injection point, and sqlmap ignores the remaining variables during testing. Targeting only the specific vulnerable variable with sqlmap also reduces the traffic load on the application.

Send the request from the Repeater to the CO2 extension by right-clicking on the request, selecting the CO2 extension and then selecting SQLMapper, as shown in the image below.

Observe that the CO2 tab is filled in with the request that was sent, ready to automate the SQL injection, as shown in the image below.

As Burp provided the backend details as MySQL, the DBMS option in CO2 can be set to MySQL.

--level=LEVEL (Level of tests to perform (1–5, default 1))

--risk=RISK (Risk of tests to perform (1–3, default 1))

The “Techniques” tab in SQLMapper shows the different types of injection techniques, which can be chosen according to the application's requirements.

Note: For time-based blind injection, the input should be given as 5 or 10 to see the delay in the application response.

The “Testable Parameters” option specifies which parameters in the POST or GET request are tested for injection. If the user opts for this, there is no need to place the * value in the parameter as described above.

The “Skip Parameters” option excludes parameters that the user does not want to test for SQL injection.

Once the injection is confirmed in SQLMapper, the table below is useful for retrieving the data easily.

After setting the values in SQLMapper in the CO2 plugin to exploit the vulnerability, click the “Run” button as shown below.

Since * is given in the POST parameter, sqlmap treats it as a custom injection marker. Sqlmap then prompts whether other parameters should also be considered as injection points.

Answer “Y” so that testing is limited to the POST parameter whose value has been set to *.

Sqlmap then prompts, as shown in the two images below, about the different types of tests it can carry out on the parameter; choose the options according to the application.

Sqlmap clearly indicates that the POST parameter “uuname” is vulnerable, as shown in the image below. It also prompts whether to check for injection on other parameters; to avoid sending malicious traffic to the application, answer “N”.

SQLMapper in CO2 successfully automated the SQL injection, and below is the proof that the POST parameter “uuname” is exploitable.

Now it is time to extract information from the database. Switch to the Enumeration tab and check the databases option; this shows how many databases reside in the backend.

Navigate back to the main window and click Run.

Within a fraction of a second it extracted information about the two databases used in the backend, as shown in the image below.

Uncheck the databases option, since SQLMapper in CO2 has already enumerated the databases, and enter acuart in the “Pin to Database” field. This points SQLMapper at the acuart database for data extraction. The next task is to enumerate the tables in the “acuart” database; to do that, check the “tables” option in the UI as shown in the image below. Click “Run” again to get the information from the database.

SQLMapper in CO2 successfully enumerated the tables from the “acuart” database, as shown in the image below.

Now choose the “Users” table to extract column information from the “acuart” database (check the columns field), as shown in the image below. Click “Run” to retrieve the data from the backend.

SQLMapper in CO2 successfully enumerated the columns from the “users” table in the “acuart” database, as shown in the image below.

To extract the data held in those columns, select “dump” from the enumeration options, as shown in the image below.

The result looks like the image below.

SQLMapper has additional options to dump basic information about the backend: select a few options in the “Enumeration” tab and then click “Run”, as shown in the image below.

SQLMapper in CO2 successfully retrieved all the selected options, as shown in the image below.

The Headers option in the “Request” tab is used when the application exposes an API to be tested for SQL injection. The “Extra header” field can be filled in with the API's Authorization header.

Extra params are additional parameters passed to SQLMapper for further tweaks. For instance, if there is a WAF in front of the application, it is recommended to use tamper scripts (sqlmap's --tamper option) to bypass it. These options can be supplied along with their values in the text field shown in the image below.

Please refer to the link below for the tamper script options and try them with SQLMapper in the CO2 plugin:

https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3
