Sql Injection Exploitation with Sqlmap and Burp Suite (Burp CO2 Plugin)

Burp CO2 is an extension for the popular web proxy / web application testing tool called Burp Suite, available at Portswigger. You must install Burp Suite before installing the Burp CO2 extension. The CO2 extension includes a variety of functionality to enhance certain web penetration test tasks, such as an interface to make interacting with SQLMap more efficient and less error-prone, various tools for generating lists of users, a Laudanum exploitation shell implementation, and even a word masher for generating passwords.

For more details read from here burpco2.com
In this is article I will show you how to obtain sqlmap command through burp suit for sql injection.
Start burp suit andClick on Extender tag then click on BApp store which cantains burp extensions  to extend burp’s capabilities.


Now select CO2 and click on install button available on the right sideof the frame.

From the given screenshot you can see the extension CO2 has added on menu bar now click on CO2 and then choose SQLMapper tool.


Now open the DVWA in your pc and login with following credentials:

Username – admin
Password – password

Click on DVWA Security and set Website Security Level low

From the list of vulnerability select SQL Injection for your attack. Type user ID: ‘in text box.  Don’t click on submit button without setting browser proxy. Set your browser proxy to make burp suite work properly.  


Go to burp suite click on proxy in menu bar and go for intercept is on button. Come back and click on submit button in dvwa. The Intercept button is used to display HTTP and Web Sockets messages that pass between your browser and web servers.

Now right click on its window and you will see a list of many actions will have been opened then select option send to SQLMapper.


When the fetched data will sent to sqlmapper it will automatically itself generates sqlmap command using referrer and cookie.


Here you can see options box at the end of burp suite frame. Now click on enumeration tag and select the checkboxes for database, tables, columns, users and passwords.

Now copy the sqlmap command from text field and run this command manually on terminal using sqlmap.


Open the terminal and paste above command in front of “sqlmap” as shown in the screenshot. Now run this command to fetch information of database.


From this tutorial it is clear how to generate sqlmap command through burp suit for sql injection. Now from last image you can see it starts dumping the data.

0 comments:

Post a Comment