I am using the free version of Burp Suite
and the CO2
-Extension for sql injection attacks.
Using the extension offers you two possible attacking ways:
- Either you copy the command which is generated by clicking on the options available and paste this into the command line, or
- you run the command directly from the GUI.
However there is something I haven't understood. Running the sql statements directly from the GUI is not recorded by the http proxy listener. Why?
I wrote my own extension that manipulates some positions in all outgoing requests, but in this case I cannot find any outgoing requests.