Burp Suite User Forum


Fuzzing SQL i

Marcos | Last updated: Mar 04, 2021 11:32PM UTC

I have a question on the Intruder payload used for fuzzing SQLi. The payload has {base} in the prefix, for example: {base}'#, {base} or 7=7#, and many others. I have never encountered {base} syntax in an SQLi payload before and would therefore like to get more details on the use case. Is there documentation or a reference I can use?

Uthman, PortSwigger Agent | Last updated: Mar 08, 2021 02:04PM UTC

'{base}' is a placeholder. You will need to set up a payload processing rule for the Intruder to process the placeholder correctly. You can find out further information below:

- https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/types

Jean-Sebastien | Last updated: Jul 08, 2021 12:08PM UTC

I have to admit, I am amazed at the laziness PS has when it answers questions. I think it's about time you start answering questions correctly (in flow), and not simply push to some page that ultimately doesn't have the answers we're looking for. As a pro user and responsible for pentests in a major financial institution, I'm disappointed with similar answers. And this is a good one. Maybe simple, but a good one. Remember, if more people truly understand your product, the better chance they have of using it... I think this has been forgotten a while ago at PS.

Liam, PortSwigger Agent | Last updated: Jul 08, 2021 12:58PM UTC

Hi Jean-Sebastien. We endeavor to provide a high level of support to all our users. This includes maintaining and updating our documentation and sharing it when we feel it would be helpful. What can we help you with?

SaS | Last updated: Aug 04, 2022 07:35AM UTC

Hi, like Sebastien, we're waiting for an answer about "{Base}" usage in payloads. This link doesn't provide the answer: https://portswigger.net/burp/documentation/desktop/tools/intruder/payloads/types Thanks

Ben, PortSwigger Agent | Last updated: Aug 04, 2022 08:04AM UTC

Hi, The placeholder payloads are explained in the 'Predefined payload lists' section of the page previously linked to - can you confirm that you have read this documentation page? Essentially, if you are using a placeholder you then need to configure a payload processing rule within Intruder to replace the placeholders with a suitable value that you are interested in. The documentation page provides more specific details on how to set this up.
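The effect of the placeholder replacement described in the replies above, shown on the two list entries quoted in the question. This is an added example, not part of the thread and not Burp's code or API: the function names, the base value `42` and the `{domain}` entry are assumptions made for illustration.

```python
import re

# Matches a placeholder such as {base}; names are case-sensitive.
PLACEHOLDER = re.compile(r"\{([A-Za-z_]+)\}")

# First two entries are quoted in the question. The third is constructed
# ({domain} is a hypothetical placeholder) to show an unresolved case.
SAMPLE_LIST = ["{base}'#", "{base} or 7=7#", "{base}@{domain}"]


def resolve(payload, values):
    """Replace each {name} with values[name]; return (text, missing names)."""
    missing = []

    def substitute(match):
        name = match.group(1)
        if name in values:
            return values[name]
        missing.append(name)
        return match.group(0)  # leave the unknown placeholder untouched

    return PLACEHOLDER.sub(substitute, payload), missing


def process_list(payloads, values):
    """Split a list into fully resolved entries and entries to hold back."""
    ready, skipped = [], []
    for original in payloads:
        text, missing = resolve(original, values)
        target = skipped if missing else ready
        target.append((original, text, missing))
    return ready, skipped


if __name__ == "__main__":
    # Assumption: the parameter's original (base) value is "42".
    ready, skipped = process_list(SAMPLE_LIST, {"base": "42"})
    for original, text, _ in ready:
        print(f"{original!r:22} -> {text!r}")
    for original, _, missing in skipped:
        print(f"{original!r:22} unresolved: {missing}")
```

Entries that still contain a placeholder after processing would reach the application as the literal text `{...}`, so the check for leftovers is worth running before a list is used.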
