Query

[jaikishantulswani]

@smxiazi What if a default check is also added by adding - just before the parameter value like:
test=1 to test=-1

[jaikishantulswani]

@smxiazi even it only test first 2 parameters on the json body and left the third one untested if the json body is like

{"id":1,"aid":"2","reg":["abc"]}

so it test id aid and left reg without tesitng

[smxiazi]

[smxiazi]

[jaikishantulswani]

@smxiazi if you put - in betwen abc with another string like the body

{"id":1,"aid":"2","reg":["abc-xyz"]}

it is not going to test abc-xyz

[smxiazi]

[smxiazi]

In order to reduce the number of duplicate packets sent, under the parameters of the same URL, if the parameter name does not change, but the value of the parameter changes, it will not be sent twice.

[smxiazi]

If you want to scan again, you can right click and send it to the plug-in.

[jaikishantulswani]

@smxiazi it is not working on my

[smxiazi]

I don't know. It may take me to get an English version to get rid of these problems, but I'm lazy and it will take a long time.

[jaikishantulswani]

@smxiazi would it be possible to append - before every parameter value

[smxiazi]

Why is there such a requirement? What is the situation in this scenario.

[jaikishantulswani]

@smxiazi there are also scenarios where the sql error got caught with - and -- before the parameter value. It would also be good if you also add feature to color the request which have sql error messages

[smxiazi]

In this scenario, does it only exist in digital type.

[jaikishantulswani]

what is digital type

[smxiazi]

Number type

[jaikishantulswani]

@smxiazi the post body is like :

{"Id":"12","hyp":"1.0."}

so it get caught at hyp parameter whenever we append - or --

[smxiazi]

In this case, it only applies to the "id" parameter, not the "hyp" parameter, right?

[smxiazi]

What is the difference between this case and -1 -0？

[jaikishantulswani]

@smxiazi it applied to hyp parameter because I use it like

{"Id":"12","hyp":"-1.0."}

and it got a sql issue

[smxiazi]

@jaikishantulswani The value of the parameter of hyp is "1.0." Is this still applicable? Isn't it a string?

[jaikishantulswani]

yes it is considered as string

[smxiazi]

So "- --" will it apply to integer type and string type?

[jaikishantulswani]

string type

[smxiazi]

I just went to test that the integer type is applicable, but the string type is not.

[jaikishantulswani]

@smxiazi here I am getting the error on string type

[smxiazi]

@jaikishantulswani Can you take a picture and show it to me? I feel that my understanding is not quite right.

[jaikishantulswani]

@smxiazi the request is like

POST /x HTTP/1.1
Host: xyz
Cookie: 
User-Agent: Mozilla/5.0 
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json

{"Id":"12","hyp":"-1.0.0"}

Response

You have an error in your SQL syntax

[smxiazi]

select user from admin where user="xxxx";
and
select user from admin where user="-xxxx";
select user from admin where user="--xxxx";

Then he won't error.

Do you know how to write his back-end statement?

[jaikishantulswani]

@smxiazi don't know about this side

[jaikishantulswani]

@smxiazi rekon to this SELECT user FROM admin WHERE user='xxxx';
SELECT user FROM admin WHERE user='-xxxx';

[smxiazi]

[smxiazi]

no error

[jaikishantulswani]

@smxiazi then why should I am getting this sql issue through the response any idea

[smxiazi]

I can't understand that adding "-" in front of the string, and then the response package will display the sql error statement. I haven't encountered this scenario. I especially want to know about this section. Is there any relevant article.

[jaikishantulswani]

@smxiazi may be doing negative to the value throwing the issue.

param = -5

sql = "SELECT * FROM table WHERE column = {}".format(-param)

[smxiazi]

Yes, I know that if the value of the parameter is of integer type, it will apply. What I can't understand now is the string type. How can it cause the return package to display the database error message.

[jaikishantulswani]

@smxiazi no idea about that meanwhile can you add color feature by grabbing the common sql error to show the affected request

[smxiazi]

This function has been added, but instead of highlighting it, "Err" has been added.

[jaikishantulswani]

@smxiazi Great, can you add error from this tool which are enough to detect the issue.

https://github.com/eslam3kl/SQLiDetector/blob/main/txt/sql_errors.txt

[smxiazi]

Very good content. I think we can choose some of them, otherwise it will consume too much CPU.

[jaikishantulswani]

@smxiazi some of the most common which can detect.

[smxiazi]

[jaikishantulswani]

@smxiazi looks good or can we also add custom error type like the payload text box

[smxiazi]

Good idea

[smxiazi]

You're really going to give me extra tasks

[jaikishantulswani]

@smxiazi 👍🏻

[smxiazi]

The update is completed, and you are also included in the thank you list.

[jaikishantulswani]

@smxiazi Thank you for this great tool. 💯

[jaikishantulswani]

@smxiazi It would be helpful if an export feature or filter feature is implemented like if we have thousands of request which are passing through this, so we need to check one by one on which the Err or time delay is happen.
So it is easy for user to export or filter the vulnerable requests to test them further.

[jaikishantulswani]

@smxiazi one request, can you please provide an unofficial version of the same to replace parameter value with provided payload to test outbound dns interaction like:

Request

GET /path/lame?one=test&two=rest HTTP/1.1
Host: example.com
Cookie:
Sec-Ch-Ua-Mobile: ?0
Connection: close

add outbound dns resource to every parameter one by one on both GET and POST

Mod Request

GET /path/lame?one=myserver.example.com&two=rest HTTP/1.1
Host: example.com
Cookie:
Sec-Ch-Ua-Mobile: ?0
Connection: close

Mod Request

GET /path/lame?one=test&two=myserver.example.com HTTP/1.1
Host: example.com
Cookie:
Sec-Ch-Ua-Mobile: ?0
Connection: close

[smxiazi]

diy payload can meet your needs.

[jaikishantulswani]

@smxiazi but on diy payloads it is not replacing the whole value as it is doing like ?test=one'
I want to replace whole value and add dns resource like ?test=myserver.example.com

or it would be good to add a checkbox option to test outbound dns interactions

[smxiazi]

Just today, I just updated the diy payload without default payload

[jaikishantulswani]

@smxiazi so does it work with dns resource too ?

[smxiazi]

There is no added dns resource from burp. You can fill in the domain name of your dns in the diy payload.

[jaikishantulswani]

Hi @smxiazi It is working good with GET values when we use to replace full parameter value with our dns resource but not working well with POST request as in POST request it is appending the dns resource with the value

POST /_ary HTTP/1.1
Host: example.com
Cookie: 
Connection: close

{"filter":"ValueFromOriginalRequesthttps://mydnsresourceexample.com"}

[jaikishantulswani]

Hi @smxiazi Waiting for an update specially for this as it is not replacing POST parameter with dns resource, it is working good with GET but with POST it is like:

POST /_ary HTTP/1.1
Host: example.com
Cookie: 
Connection: close

{"filter":"ValueFromOriginalRequesthttps://mydnsresourceexample.com"}

[jaikishantulswani]

Hi @smxiazi Waiting for an update specially for this as it is not replacing POST parameter with dns resource, it is working good with GET but with POST it is like:

POST /_ary HTTP/1.1
Host: example.com
Cookie: 
Connection: close

{"filter":"ValueFromOriginalRequesthttps://mydnsresourceexample.com"}

@smxiazi

[jaikishantulswani]

@smxiazi waiting for an update on this as this is still not working on json body parameters as you see above and not replacing every parameters, please check.

[jaikishantulswani]

Hi @smxiazi Waiting for an update specially for this as it is not replacing POST parameter with dns resource, it is working good with GET but with POST it is like:

POST /_ary HTTP/1.1
Host: example.com
Cookie: 
Connection: close

{"filter":"ValueFromOriginalRequesthttps://mydnsresourceexample.com"}

@smxiazi

@smxiazi Waiting for your response.