PortSwigger Academy is an excellent resource for learning the depths of web application pentesting and practising it hands-on. With digestible write-ups and interactive labs, it’s an excellent place to learn from when starting your web application pentesting journey.
PortSwigger is well known for their Burp Suite tool – an exceptional program for web app pentesting and the one they encourage you to use for their academy’s labs. However, it’s important for pentesters to know how to script when tools designed for general use cases are inefficient or impractical. This happens to be the case in PortSwigger Academy’s SQLi segment, particularly the Blind SQLi labs. Most of the labs can be done easily with the Burp Suite Community edition. However, when tasked with using blind SQLi methods, the time it takes for the Community edition to complete them becomes impractical. Even with Burp Suite Pro, the application isn’t as efficient at these specific tasks as a script we write ourselves can be.
This post will go through how to automate the Blind SQL injection with conditional responses lab. We won’t get caught up in how SQLi (SQL injection) works (that’s what PortSwigger Academy is for). However, this will give you a basis for automating the rest of PortSwigger’s Blind SQLi labs and serve as an intro to scripting in Python for your own web app pentesting tools. We’ll look at the Blind SQLi method used specifically in this lab and how to automate it in Python.
If you go through the write-ups leading up to the Blind SQL injection with conditional responses lab and use the method described against the target, you’ll find you need to check each character of the possible password by submitting a payload-injected web request one-by-one for each character in the password. Sounds pretty tedious. Let’s automate this.
Burp Suite – You’ll need to install PortSwigger’s Burp Suite Community edition – or the Pro edition if you wish – to act as our proxy server.
Cookie Editor – This plugin for your browser (available for Firefox and Chrome) will help us get our session and TrackingId cookie values in order to properly execute our SQLi.
Once you’ve downloaded Burp Suite, open it up and navigate to the Proxy > Options tab. Under Proxy Listeners, click Add and configure a listener on 127.0.0.1:8080. Your settings should look like this, with 8080 in Bind to port:
Then click OK and make sure the option is ticked under the Running column. Your proxy is ready!
1 - Setup
First, import a few libraries:
Add the following to disable the intimidating warning display from urllib3:
And create a proxy variable to reference the proxy we created in Burp Suite:
2 - Main Function
Now we define the main function. Create an if statement to test the number of arguments given on the command line and print an explanation telling the user how to use the script correctly. This way there’s a human-readable explanation of how the script should be used rather than an error trace. We’ll be assuming four arguments are supplied when running the script…
…and define each of these variables, naming them according to their use in the script.
Call the sqli_password function (which we’ll get to next)…
…and then call the main function (outside the main function, of course).
3 - SQLi Payload Function
Now for the meat. First, define the function with the four parameters the script requires. Make sure to place this ABOVE the main function.
Make a variable to keep track of the password’s characters as they’re discovered one-by-one.
Get started on the nested loop to go through the possible characters. The outer loop runs through the length of the password and the inner loop through the possible ASCII characters.
Define the payload that will be submitted in each request (with the variables substituted by the %s operator in this example) and URL-encode it.
Then define the cookies based on the TrackingId and session arguments, and build the request from them.
Finally, follow up with an if-else statement that decides whether or not the character being tested is correct. Decide this by whether or not “Welcome” is returned in the text of the webpage’s response; the reasoning behind this is found in the write-ups leading up to the lab. We’ll also add a break at the end of the else statement. This way, once the character has been found, the inner loop stops: if we’ve found it, we don’t need to keep looking. This gives our script an edge over Burp Suite.
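Seen from the server side, the script above produces a distinctive trace: one session cookie, and a long run of requests whose TrackingId cookie is mutated on every request. The following detection example is added here and is not code from the original post; it assumes a simplified access-log format that records the Cookie header, and the log lines it runs over are constructed.

```python
"""Flag sessions that mutate the TrackingId cookie one request at a time,
the traffic pattern produced by character-by-character blind SQLi scripts."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed log format for this example: combined-log prefix plus the Cookie
# header in quotes. Adapt LOG_RE to whatever your web server actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"Cookie: (?P<cookie>[^"]*)"$'
)
TRACKING_OK = re.compile(r'^[A-Za-z0-9]{8,32}$')  # shape of a legitimate TrackingId

def parse_cookies(raw):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}, URL-decoding the values."""
    out = {}
    for part in raw.split(';'):
        if '=' in part:
            key, value = part.strip().split('=', 1)
            out[key] = unquote(value)
    return out

def find_probing_sessions(lines, threshold=20):
    """Return {session: n} for sessions that sent at least `threshold`
    distinct malformed TrackingId values (a normal client sends one, unchanged)."""
    malformed = defaultdict(set)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines in another format rather than crash
        cookies = parse_cookies(match.group('cookie'))
        tid, sess = cookies.get('TrackingId', ''), cookies.get('session', '-')
        if tid and not TRACKING_OK.match(tid):
            malformed[sess].add(tid)
    return {s: len(v) for s, v in malformed.items() if len(v) >= threshold}

def build_sample_log():
    """Constructed sample traffic: one normal visitor with a fixed TrackingId,
    and one session that sends 40 requests, each with a differently mutated id."""
    fmt = ('10.0.0.{n} - - [01/Jan/2024:10:00:{s:02d} +0000] '
           '"GET /filter?category=Gifts HTTP/1.1" 200 "Cookie: {c}"')
    lines = [fmt.format(n=5, s=i, c='TrackingId=u5YD3PapBcR4lFLZ; session=normal1')
             for i in range(3)]
    lines += [fmt.format(n=9, s=i, c="TrackingId=u5YD3PapBcR4lFLZ'%20probe{}; session=suspect1".format(i))
              for i in range(40)]
    return lines

if __name__ == '__main__':
    print(find_probing_sessions(build_sample_log()))  # {'suspect1': 40}
```

In the lab the same fingerprint shows up as a burst of requests from one session whose responses alternate between containing “Welcome” and not, which is worth correlating with the cookie anomaly when tuning the threshold.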
And that’s it! Get your Burp Suite Proxy up, launch the lab, and give your script a run! The command should look something like this in the terminal.
Again, use the URL of your own lab instance; the session and TrackingId values can be found with the Cookie Editor plugin (while on the current lab’s site), and the password length is found using the conditional response technique described in the write-up leading up to the lab. While the script and payload may need some tweaking, this automation is useful for the other Blind SQLi labs and for your own pentests!
Now you have an insight into pentesting automation with Python scripting and an automated base for PortSwigger’s Blind SQLi labs! For more insights like this, check out our other posts and find new ones weekly!