This is a quick blog post written off the back of numerous requests for a companion guide to a video we posted on YouTube: https://www.youtube.com/watch?v=cThifvgCcPc
In the above video we show how credit card numbers can be pulled straight out of the database by taking a legitimate web page request and feeding it into sqlmap.
If you want to know how to capture that web request, this tutorial will show you.
In order to capture the request we need a proxy that sits between our browser and the website and sees the raw data of the requests and responses. This not only gives us visibility, it also gives us the ability to manipulate the requests, but we shall save that for future blogs.
In our demo we are using Kali, available from https://www.kali.org/downloads/, a penetration-testing operating system that comes with a browser proxy pre-installed, so we shall be using Burpsuite. You can also install Burpsuite separately from https://portswigger.net/burp/communitydownload if you wish.
However, if you are just starting out then I recommend downloading Kali and installing it in VirtualBox (https://www.virtualbox.org/wiki/Downloads), as Kali also includes sqlmap, which is the other application you need to complete the full attack as shown across both videos.
There are plenty of installation guides on YouTube, so we won't be covering installation here.
Let's get into it:
The reason this method works so well is that you are providing a LEGITIMATE request to the web server. What does this mean? Well, if you are not a member of a website and you try to log in, you will be denied access because you don't have valid credentials; that is not a legitimate request. If you are a member, you provide your username and password and you are permitted access to the website; that is legitimate.
How does this help? Well, a lot of websites have a "manage your account" section, a "search for past purchases" page, or a "my payment information" page, all of which let you search information in your own account. If the website is not coded correctly, however, you may be able to use that same search in YOUR account to return information from OTHER users' accounts. This is where the legitimate request comes in: you are sending a legitimate request to the website and seeing whether it can be manipulated into returning more information than expected. This technique is called SQL Injection.
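To make concrete what "not coded correctly" means for an account lookup like this, here is an added example (our own illustration, not code from the original post or video) of the same lookup written two ways against a constructed in-memory table: one that pastes the requested account id into the SQL text and never checks who owns the row, and one that binds the id as a parameter and scopes the query to the logged-in user. The table, user names and masked card values are all made up for the demo.

```python
import sqlite3

def setup_db():
    """Constructed sample data (not from the original post): two accounts, masked card values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [(1, "canaryman", "4111-XXXX-XXXX-0001"), (2, "otheruser", "4111-XXXX-XXXX-0002")],
    )
    return conn

def lookup_vulnerable(conn, current_user, account_id):
    """The 'not coded correctly' version: the id taken from the request is pasted into
    the SQL text, so whatever the client sends becomes part of the query, and the
    logged-in user is never compared against the row's owner."""
    sql = f"SELECT owner, card FROM accounts WHERE id = {account_id}"
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, current_user, account_id):
    """Hardened version: the id is validated as an integer, passed as a bound parameter
    (the database treats it as a value, never as SQL), and the query is scoped to the
    logged-in user, so another account's row is simply never returned."""
    account_id = int(account_id)  # raises ValueError on anything that is not a plain number
    sql = "SELECT owner, card FROM accounts WHERE id = ? AND owner = ?"
    return conn.execute(sql, (account_id, current_user)).fetchall()

if __name__ == "__main__":
    conn = setup_db()
    # The legitimate request (your own account) behaves the same in both versions.
    print(lookup_vulnerable(conn, "canaryman", "1"))
    print(lookup_fixed(conn, "canaryman", "1"))
    # Asking for someone else's id: the vulnerable version hands the row over,
    # the fixed version returns nothing because the owner check fails.
    print(lookup_vulnerable(conn, "canaryman", "2"))
    print(lookup_fixed(conn, "canaryman", "2"))
```

The ownership clause is what stops the "other users' accounts" leak even when the id is a perfectly valid number; the bound parameter is what stops the id field being turned into extra SQL.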
In this demo we are using an account details lookup page to perform this attack.
We are logged in as canaryman and submit a search for our own account, which completes as expected.
Burpsuite is already running, but in order for it to intercept the requests we need to configure our browser to use Burpsuite as a proxy. On our machine we go to the browser settings > network settings and configure as below:
It will be very similar for all browsers; the things to remember are that you use your localhost address, 127.0.0.1, and that Burpsuite listens on port 8080.
We now perform the same search again, but this time we go to the PROXY and INTERCEPT tabs and set "Intercept" to on. This catches the request as it leaves the browser, before it reaches the web server.
We save this to a file as shown, then forward the request so it completes. That's it.
Watch https://www.youtube.com/watch?v=cThifvgCcPc to see how this request is used to obtain other users' credit card details from the website.