1

I am using the free version of Burp Suite and the CO2-Extension for sql injection attacks.

Using the extension offers you two possible attacking ways:

  1. Either you copy the command which is generated by clicking on the options available and paste this into the command line, or
  2. you run the command directly from the GUI.

However there is something I haven't understood. Running the sql statements directly from the GUI is not recorded by the http proxy listener. Why?

I wrote my own extension that manipulates some positions in all outgoing requests, but in this case I cannot find any outgoing requests.

Nazar Medeiros
  • 161
  • 8

2 Answers2

1

I don't know the extension you are using, but if you check, none of the default burp modules are recorded in the proxy history. If you send requests from the Repeater or the Intruder you won't see them either in the Proxy history.

I would guess this is a design decision. It also makes sense, because the history is the Proxy history, so it shows everything that has gone through the proxy. Requests sent by Burp don't go through the proxy.

gerion
  • 59
  • 3
  • Yes, that's right. You can't see them in the Proxy history. But in my own extension all outgoing requests are recorded. You even get the module name like Repeater, Intruder etc. But in this case the requests send by sqlmap don't appear in my log table. Are those requests really sent from Burp? – Nazar Medeiros Nov 30 '16 at 13:40
0

The Extension CO2 doesn't run sqlmap from inside the BurpSuite when you run it from the GUI. What it does is that it opens a terminal, that you can specify in the config, and runs the command from there. That is why your traffic is not recorded by burp.

If you want your traffic to be proxied by burp (and your extension to change certain things) you can add the "--proxy=http://localhost:8080" option (adjusted to your settings) to the command line. You can also change these settings in the "Connection" tab of the CO2 options.

You will have to copy the command to a terminal and run it from there as the "Run from GUI" option will hang for reasons unknown to me.

Denis
  • 3,653
  • 2
  • 17
  • 16
  • Thanks, but I already tried to use the proxy settings. I didn't work anyway.. no requests recorded. – Nazar Medeiros Mar 27 '17 at 10:38
  • Did you copy the full command to the command line? Because I just tried that with a fresh install and the CO2 extension and it worked. Could you post the command, that you used? – Denis Mar 27 '17 at 10:41
  • `-u 'http://localhost:8080/vaadin_vulnerabilities/UIDL/?v-uiId=0' --proxy='http://localhost:8082' --cookie='JSESSIONID=8364A0BEF50DF904724E0C8BBFAF554;'` This was the command I used. My Tomcat is running on port 8080, so I used 8082 in my web browser and in burp suite as well – Nazar Medeiros Mar 27 '17 at 10:56
  • Does the burp page appear if you visit: http://localhost:8082 – Denis Mar 27 '17 at 10:58
  • Yeah, it does! I receive something like a welcome message – Nazar Medeiros Mar 27 '17 at 10:59
  • Do the requests appear if you disable your extension? – Denis Mar 27 '17 at 11:07
  • No, sorry bro. They don't appear – Nazar Medeiros Mar 27 '17 at 11:08
  • Then I am out of ideas. I tried the above approach with a fresh install of Burp and sqlmap and it worked like expected. Sorry – Denis Mar 27 '17 at 11:19
  • thanks bro anyway. I am also out out ideas. In case I find something out, I will let you know :) – Nazar Medeiros Mar 27 '17 at 11:20