Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Burp --payload options

olek | Last updated: Sep 27, 2021 08:47PM UTC

Hi my questions is about Burp payload embedded.If I use this payload Fuzz sql injection .How I will be know website is Vulnerable for sql.What I see is only length And respond. But payload as -sleep(5) What I should looking for .???

Ben, PortSwigger Agent | Last updated: Sep 28, 2021 08:42AM UTC

Hi Olek, Are you trying to perform this using Burp Intruder? If so, there are a couple of non-default columns that can be added to the attack results entitled 'Response received' and 'Response completed' (once your attack has completed and the results table is being displayed you should have a new 'Columns' menu item at the top of the screen - within here you can configure which columns are being shown in the results table). These two columns provide information on the length of time a response is taking (response received being the time taken to begin receiving a response and response completed being the time taken for the response to complete) and should provide some indication of whether your target is potentially vulnerable to time based SQL injection.

olek | Last updated: Sep 28, 2021 01:48PM UTC

Status,Error.Timeout,Length,error,except,illegal,invalid .....etc You are say my about this .But which one """Timeout"or ""Sql"" section . payload as -sleep(5)

Ben, PortSwigger Agent | Last updated: Sep 29, 2021 07:34AM UTC

Sorry Olek - I do not quite understand what you are trying to do, are you able to clarify?

olek | Last updated: Sep 29, 2021 09:48AM UTC

When you cheek server of sql Vulnerability use for example payload (select(0)from(select(sleep(25)))v) You just put for repeater and wait for respond if is delay you can say this is sql issue. But used more payload then only one for example 100 you can put all for intruder do this automatically. Now Where I should looks to know which payload works for sql Vulnerability. Which section ,which bar . Status,Error.Timeout,Length,error,except,illegal,invalid

Ben, PortSwigger Agent | Last updated: Sep 30, 2021 08:54AM UTC