SQL Injection - Lab #2 SQL injection vulnerability allowing login bypass

Captions
Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be covering lab number two of the SQL injection module. This lab will show us how to exploit a SQL injection vulnerability in order to bypass authentication. All right, let's get started. "This lab contains a SQL injection vulnerability in the login functionality." All right, so we've got a SQL injection vulnerability and it's in the login functionality. "To solve the lab, perform a SQL injection attack that logs into the application as the administrator user." So the end goal is to perform a SQL injection attack and log in as the administrator user. Okay, so let's access the lab. This might take a few seconds; in the meantime we'll create our analysis section. Okay, so it looks like it's a shopping application which allows you to log in, so let's click on login over here. Based on the exercise, this login functionality is vulnerable to a SQL injection attack, so let's try admin / admin, maybe a default username and password or a common username and password, and click on login. We get the error "invalid username or password". This is what we call a non-verbose, generic error message, and it's always good to use a non-verbose one when it comes to functionality like this one. The reason is that if you said that the username was invalid, that means the attacker would be able to enumerate usernames on the system, and so that's a vulnerability on its own. However, this application actually takes that into account, because if we put in just a random username and again a random password, it doesn't actually tell us which one of the input vectors is invalid, although we know for sure that that was an invalid username because we just put random characters there. Okay, perfect. All right, so let's try exploiting this SQL injection vulnerability. Let's put a SQL character into the username field and see how the application reacts. I'm just going to put anything in the password field and click login.

All right, so this gives us an internal server error, which means something happened at the back end that broke the application, and so this is a good indication that this is vulnerable to SQL injection. Unlike the previous exercise, we are not given the SQL query, so we're going to have to figure it out by fuzzing the application. However, before we do that, since this is login functionality, chances are that the SQL query is something similar to this: select a certain number of rows from a table, so let's say it outputs the first name from the table, say users, where username would be equal to the username that we give it. Remember, over here the first thing that we did was admin / admin, so username is equal to admin and password is equal to admin. So it's likely that the query at the back end is something similar to this. Now, it will probably be different, because passwords are not, or it's unusual that passwords are, stored in clear text anymore, so there must be hashing functionality over here. But what we're trying to do with the SQL injection is put SQL characters into the username in order to get the application to ignore ever checking the password, so it doesn't matter if the password is hashed or not anyway. So this is likely to be what the query is at the back end, and so let's try and figure out how we could exploit it. All right, so when we put a quote character over here we got an internal server error, and the reason behind that is that this quote character interfered with the query. What happens is it closed the single quote over here, and now you were left with a single quote on its own and the rest of the query string, and so it likely threw a syntax error which resulted in an internal server error at the application. So what we're going to try to do is log in as a user and have it ignore the password field. Let's go back here. Now, if I want to log in as the admin user and I want to ignore the password, what I can do is add the comment characters in SQL, and what that means is ignore the rest of the query.

So when this gets processed, the query that it'll process is this one over here: select first name from users where the username is equal to admin, and if the username is equal to admin then it'll log myself in and it'll ignore the password completely. So let's try that out. That won't work, and we'll see why in a bit. The password could be anything random; it doesn't matter because it'll get ignored over here. We click login and we still get an invalid username and password error, and the reason behind that is that the admin user is not actually a user in the system. What it's doing is it wants me to log in as the user where the username is equal to admin, but admin is not a user in the system, and so I don't get logged in. Now, we know from the exercise description that the user that we want to log in as is the administrator user, so let's use that; that's the user on the system. We copy our payload, and then again the password could be anything because it gets ignored, and hit login. Here we go, we got redirected, and you can see you're logged in because you have a logout button to log out from the administrator user's account. You can see it says "Congratulations, you've solved the lab." Okay, perfect. So we successfully completed the exercise by manually exploiting a SQL flaw in the authentication component of the application. If you would like to see a detailed version of the video where we both exploit the vulnerability manually and then script it in Python, check out the video linked on the screen. Also make sure to hit the subscribe and share button so that the video reaches a wider audience. Thank you, and see you in the next video.
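The login query the video reconstructs, built by string concatenation, beside its parameterized form, as an added Python example that is not part of the video or of the lab; the in-memory `users` table, the `administrator` row, the first name and the SHA-256 password hashing are constructed assumptions, so the code runs offline with sqlite3:

```python
import hashlib
import sqlite3


def make_db():
    # Constructed in-memory database: one user, "administrator", whose
    # password is stored hashed, as the video assumes the real app does.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, first_name TEXT)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("administrator", hash_pw("correct horse"), "Carlos"),
    )
    return conn


def hash_pw(password):
    # Hashing the password does not help here: the injected comment makes
    # the database skip the password comparison altogether.
    return hashlib.sha256(password.encode()).hexdigest()


def login_vulnerable(conn, username, password):
    # Query assembled from user input, the shape the video reconstructs.
    # A quote in the username closes the string literal early; an unmatched
    # quote breaks the syntax (internal server error), and a SQL comment
    # after the username discards the rest of the WHERE clause.
    query = (
        "SELECT first_name FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_pw(password) + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return "internal server error"
    # Generic message either way, so usernames cannot be enumerated.
    return row[0] if row else "invalid username or password"


def login_parameterized(conn, username, password):
    # Hardened form: placeholders bind the input as data, so quotes and
    # comment characters are compared literally and never parsed as SQL.
    row = conn.execute(
        "SELECT first_name FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row[0] if row else "invalid username or password"
```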
Info
Channel: Rana Khalil
Views: 70,414
Keywords: security, web security, owasp, open web application security project, sqli, sql injection, portswigger, web security academy, python, offensive security, bug bounty, scripting, burp, burp suite, oswe, offensive security web expert
Id: ML3aGaloczI
Length: 7min 0sec (420 seconds)
Published: Sat Mar 20 2021