According to OWASP, injection attacks are still a common attack vector. There are several tools which can be used to exploit a SQL injection vulnerability; a personal favourite is SQLmap. However, understanding how SQLi works is an important aspect of penetration testing, and it is just as crucial to understand how the underlying infrastructure works when conducting these types of attacks. PentestMonkey has a great cheat sheet for conducting manual SQLi.
Developing a vulnerable application
A vulnerable application was developed using Python with its Flask library. And yes, I am fully aware that the application might be a bit silly. However, these types of vulnerabilities are common due to poor coding practices, which is demonstrated in this example. The code snippet above shows how the application extracts the visitor's User-Agent and IP address. The values are inserted into the logging table under the user_agent and ip columns. From there on, the newly logged information is shown to the visitor.
The code itself seems secure enough to many developers, as the SQL query is "properly" formatted and the quotes are placed in the template beforehand. The format feature is widely used among Python programmers, and here it is used to insert the request data directly into its place in the query. This is (of course) secure! Right…?
The image above shows the application's feature. When a client visits the web server, the User-Agent and IP address get stored in the database and the visitor is shown the stored values.
The web request is sent to Burp Suite's Repeater. The User-Agent is modified to Hello world!, which is successfully stored in the database. Great! We can modify the User-Agent and thereby modify the stored value. Now what?
Changing the value to a single quote (') returns an Internal Server Error. This is a clear indication that the server could not process the value: the resulting SQL query is malformed.
INSERT INTO logging (user_agent, ip) VALUES (''', '192.168.0.51')
The query above is what the server executed. No wonder it threw an error! Three ' followed by a , is bad news for the server: the SQL query is incomplete. However, this is good news for an attacker, as it shows the application is vulnerable to SQLi.
Hello world!', (SELECT VERSION()))-- -
The payload above enters Hello world! into the user_agent column. The following ', is used to "break out" of the string literal and continue the SQL syntax. From there on, a subquery selects the SQL version number. The version is 10.3.23-MariaDB-1, which is essentially MySQL.
Furthermore, when attempting to enumerate the existing databases, the server throws the error Subquery returns more than 1 row. This is because the INSERT statement only inserts two values: the first is the User-Agent, the second the IP address. If the requested output contains more than one row (such as listing the databases), the rows must be concatenated into a single value; otherwise, the SQL query will not work. Listing the current database with Hello world!', (SELECT database())-- - reveals that the database is named platform. However, listing all the databases is preferred.
Without the table and column names in the database, there is still "nothing" we can do. Therefore, the database's contents must be enumerated further.
Hello world!', (SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata))-- -
The output shows that there are two databases, one of them platform. Their names are concatenated together because of the single-value output limitation.
Hello world!', (SELECT GROUP_CONCAT(table_schema, table_name, column_name) FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'))-- -
The query above enumerates all tables and columns in the platform database. The output shows a series of interesting tables, such as usernames and passwords.
The table and column names in the platform database have now been discovered. The final step is to select these values.
The usernames were successfully extracted from the usernames table. However, the values are still concatenated, as the query would not work without the concatenation.
The passwords were also successfully extracted from the database. The hashes can now be appropriately formatted before being cracked with either hashcat or John the Ripper.
hashcat -D 2 -a 0 -m 3200 crack.txt /usr/share/seclists/Passwords/darkc0de.txt
The hashes can be cracked with hashcat using the syntax shown above. Any wordlist will do for weak or common passwords (such as these; feel free to crack them). However, ensure that the driver for your GPU is installed, as hashcat supports GPU cracking, which is tremendously faster than cracking on the CPU.
Fast track with SQLmap
sqlmap -u http://192.168.0.51:5000/ --dbms=mysql
The syntax above will automatically attempt to inject different payloads to exploit SQLi vulnerabilities. SQLmap automatically detects injection points, such as user agents, cookies, and POST data, and attempts to exploit them. The level of testing can also be adjusted.
SQLmap noticed that the User-Agent parameter was injectable and went on to run further queries in depth.
sqlmap -u http://192.168.0.51:5000/ --dbms=mysql -D platform -T passwords -C user_password --dump
SQLmap can enumerate the databases (--dbs), tables (--tables), and columns (--columns). After enumerating the tables and columns, the values can be dumped using --dump, as shown in the syntax above.
The passwords were successfully dumped by SQLmap. This demonstrates that the attacker does not require any advanced SQL knowledge to exploit a SQL vulnerability.
SQL vulnerabilities are very serious, as they could lead to exposure of the entire database. Prepared statements should be used to ensure that user input cannot “break out” and modify the SQL query.
Automated tools can also be used to exploit this type of vulnerability, which could lead to remote access.
SQLmap has a feature called --os-shell, which uploads a fully interactive web shell to the targeted system. The web shells are supported on ASP, ASPX, JSP, and PHP. Not only can SQLmap expose the entire database, it can also grant a shell on the server. SQLmap allows an attacker with very little knowledge to exploit a SQL injection vulnerability.