Monday, October 17, 2016

Mutillidae OWASP Top 10: A1 Injection - SQLi Bypass Authentication

We have looked at a simple extracting data technique from our previous article

Now lets look at a simple bypassing authentication technique.

Head over to:
OWASP Top 10 > A1 Injection > SQLi - Bypass Authentication > Login

The page looks very similar to the previous article, except what this page does is it logs you in to the system instead of showing information. 

Follow the previous article on how to cause an error with an apostrophe ( ' ). And you can notice that the SQL query is the same as we have seen before. 



This means we can still use our previous string ( ' OR 1=1 -- ) here. 

Enter the string in the name field, 



and Voila! your logged in as admin. 

You are logged in as admin because that is the first record in the accounts table. In the real world, that may not be the case. So we need to target our attack a little bit to log in as a user of our choosing.

Lets try and log in as "john". We know that he is the 3rd user in the accounts table from our previous hack. 

The technique is still simple and similar with a slight change. 

Logging in as a specific user


We know that the below string is a TRUE statement and that it logs us in with the first user on the accounts table who is admin. 

SELECT * FROM accounts WHERE username= ' OR 1=1 -- 
TRUE Statement

We can modify this with one more operator. 

From the statement, we can see that the users under the "username" column and that everything after the OR operator should be TRUE for it to work. We can add an "AND" operator with the username specified. 

SELECT * FROM accounts WHERE username=' OR (1=1 AND username = 'john') -- 
Still TRUE statement

Breakdown:

  • The first apostrophe ( ' ) makes the username input blank. The statement is currently false.
  • But the "OR" operator tells the statement if anything after it is true, then the whole statement becomes true. 
  • "1=1" is a true condition. Just like 2 = 2 or 100 = 100. 
  • The "AND" operator allows to add another condition. Follow link for more info
  • ""username" = 'john'" is true because from our extract data tutorial, there is a "john" user account from the 16 accounts displayed. 
  • With both the conditions around the "AND" operator being true turns the whole statement to TRUE.  
  • The "--" tells the query to ignore out everything after it. 

Right click on the name field and click on Inspect Element. Here we will change the "Maxlength" to 50 so as to fit our new string.



And enter the new string on the name field. 



You've logged in a John! :)



If you got an error that means you dint leave a space at the end of your "--". So make sure to leave a single space character after it. 


-Jayesh Kerai (@secjay)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.