Trying SQL injection in Bitcoin Core

1. Run bitcoind with below bitcoin.conf and a descriptor wallet loaded:

testnet=1
server=1
test.rpcport=YOUR_RPC_PORT
rpcuser=YOUR_RPC_USERNAME
rpcpassword=YOUR_RPC_PASSWORD

2. Create a POST request in Postman with URL: http://127.0.0.1:RPC_PORT/wallet/WALLET_NAME

3. Select ‘Basic Auth’ in authorization and enter RPC credentials

4. Body(raw):

{"jsonrpc: "1.0", "id": "curltest", "method": "listdescriptors", "params": [false]}

5. Click on “send” and wait for the response. You should see few descriptors in the results.

6. Copy POST request as HTTP by clicking on </> code symbol on right. We will use this request in Burp Suite.

Run Burp Suite and paste request in Intruder

Insert payload marker for things that should be replaced with SQL statements in attack. Select Fuzzing -SQL Injection in payloads options, add more from SQLite cheat sheets and according to the code used in Bitcoin Core.

Start the attack and check requests:

I couldn’t find anything interesting but these are the basics of of trying to find bugs in Bitcoin Core by fuzzing (using JSON-RPC API and Burp Suite).

Andrew Chow answered a related question on stackexchange: https://bitcoin.stackexchange.com/q/107926/