Exploit SQL injection To Bypass Login

Captions
Login bypass is one of the impacts of SQL injection, where an attacker can log in to the vulnerable application without having valid credentials. During this video we look at a simple scenario where an attacker exploits SQL injection to bypass the login function and access the admin account without having a valid password. For this exercise we use a SQL injection lab from the Web Security Academy lab series, and you can find the link to this lab in the video description. Based on the lab description, the web application contains a login function which is vulnerable to SQL injection. To solve this lab we need to exploit this vulnerability to log in to the application as the administrator user without having the valid password.

Alright, let's get started by clicking on "Access the lab". We are now on the homepage of the application. From the top right corner of the webpage we click on "My account". As we see, we have been redirected to the login page, so we need a valid user account to access this page. We already know that there is an admin account on the application and the username for this account is administrator. Since we don't have the password for the administrator user, we need to exploit the SQL injection vulnerability to bypass login and get access to the admin account.

First, let's submit the request using administrator for the username and a random password, and then click on login. In Burp we see a login request with the provided username and password. Let's forward the request. The application returns a 200 HTTP response code, which is a normal behavior, and in the web browser we see the application message that the provided credentials were invalid. Let's try again, and this time add a single quote to the end of the username value and fill out the password field with a random input. Ensure Burp intercept is on and then click on login. We see the username along with the URL-encoded value of the single quote. Let's forward this request. As we see, unlike the previous attempt, this time the application returned an error message and the request was not completed by the web application, indicating that the provided username containing a single quote interfered with the SQL query used by the application and triggered a server error. We turn the intercept off and we go back to the web browser.

Before we proceed, let's take a look at a simple SQL query to get a better understanding of the error that just happened. This simple query searches a table called users on the database to check if it contains an entry where the username is administrator and the password is mypass, and if it finds an entry that matches both these values then the application would allow the user to log in to the application and access his account. Looking at this query, we can see the username and password values are placed inside single quotes, so if the username or password value contains a single quote and the application puts them directly into the SQL query without processing the received data, then the SQL query should look like this. As we see, there is an extra single quote next to the username value which will trigger an error when this query gets executed, and the application will return an error in the HTTP response. This is the behavior that we just saw in the login function of this application, indicating that the username input is vulnerable to SQL injection.

Now that we know we can inject data into the SQL query that is used by the login function, we need to use a payload to ensure that the SQL query would only check for the username and does not check if the password value is valid. To achieve this goal we can take advantage of two hyphens, which are used in SQL queries for comments. So if we use this value for the username, then the SQL query should look like this. This SQL query will search the users table to check if it contains an entry where the username is administrator, and it will not check the password, since it is in the comment section and it won't be executed as part of the SQL query.

Now let's see if our assumptions are correct and we can actually bypass the login by using this payload. We go back to the web browser and we go to "My account". In the login form, for the username we enter administrator followed by a single quote and two hyphens, and then we fill out the password field with a random value and click on login. We see the message that we have solved the lab, and we can also see that we have managed to log in to the administrator user account without having a valid password and only by using a simple payload to exploit the SQL injection vulnerability in the user field of the login function. If you enjoyed watching this video, please give it a like and also be sure to subscribe to the channel, as I upload new videos every week.
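The captions describe the flawed query shape (user input concatenated into the `WHERE username = '...' AND password = '...'` clause) and the two behaviors it produces: a lone single quote breaks the query and surfaces as a server error, and a quote followed by `--` comments out the password check. The following Python example, added here and not part of the video or the Web Security Academy lab, reproduces both behaviors against a constructed in-memory SQLite table and places the parameterized query a developer should write beside the vulnerable one. The table contents, the `s3cret-admin-pass` value and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed sample data: an in-memory users table with the same two columns
# the video's query refers to. The password value is made up for this example.
SAMPLE_USERS = [
    ("administrator", "s3cret-admin-pass"),
    ("wiener", "peter"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The flawed construction: user input is concatenated straight into SQL.

    A single quote inside the username therefore changes the structure of the
    statement instead of being treated as data.
    """
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Return the matched username (or None) using the concatenated query.

    A malformed quote makes SQLite raise sqlite3.Error; that is the server
    error the video observes in the HTTP response.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """The fix: a parameterized query.

    The driver binds username and password as values, so quotes and '--'
    inside them never reach the SQL parser as syntax.
    """
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the four cases from the video against both query styles."""
    conn = make_db()
    results = {}
    # 1. Valid credentials are accepted by both versions.
    results["vuln_valid"] = vulnerable_login(conn, "administrator", "s3cret-admin-pass")
    results["safe_valid"] = safe_login(conn, "administrator", "s3cret-admin-pass")
    # 2. A wrong password is rejected by both.
    results["vuln_wrong"] = vulnerable_login(conn, "administrator", "wrong")
    results["safe_wrong"] = safe_login(conn, "administrator", "wrong")
    # 3. The comment payload from the video: the concatenated query drops the
    #    password check, the parameterized query does not.
    results["vuln_comment"] = vulnerable_login(conn, "administrator'--", "wrong")
    results["safe_comment"] = safe_login(conn, "administrator'--", "wrong")
    # 4. A lone single quote breaks the concatenated query (the server error
    #    seen in Burp), while the parameterized query simply finds no user.
    try:
        vulnerable_login(conn, "administrator'", "wrong")
        results["vuln_quote"] = "no error"
    except sqlite3.Error:
        results["vuln_quote"] = "sql error"
    results["safe_quote"] = safe_login(conn, "administrator'", "wrong")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The detection angle follows directly from case 4: a login endpoint that answers a quote in the username with a server error rather than the normal "invalid credentials" message is the same signal the video spots in Burp, and the parameterized version never produces it. (The plaintext password column only mirrors the query shape in the video; a real application would compare a password hash, which is a separate topic.)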
Info
Channel: TraceTheCode
Views: 60,721
Id: sXhcz2YQa3s
Length: 5min 24sec (324 seconds)
Published: Thu Mar 17 2022