SQL Injection Login Bypass - PortSwigger Web Security Academy Series

Captions
Hey, greetings everyone, and welcome back to my cyber security show. In today's episode we are bringing an end to our Apprentice track in the PortSwigger Web Security Academy lab walkthrough series that we have been enjoying so very much. I know I sure have; hopefully you have as well. But today is the last lab in the Apprentice series, and we're going to get straight to it, because it's another one of our favorite things, which is a SQL injection. And there it is, another SQL injection, and this time it allows for a login bypass. You see a web login, you're like, hey, I don't really have a username and password, but it would be awesome if you'd let me log in as that admin. That's what I'm talking about. How you feeling, huh? And it goes, well, if you give me the right thing, which could be a SQL injection, you might be able to bypass that without knowing an actual credential. Then you go, well, really, how do I know whether or not that works? Well, we test for it, right, as we do. So let's see what they got here. This lab contains a SQL injection (spoiler alert, right) in the login function. To test the lab, perform a SQL injection attack that logs into the application as the administrator user, as we see right there: administrator user. All right, I've hit the lab. This is one janky lab; it does like to freak out on me, so we're gonna kind of go through this as quickly as possible, because I've had it just wig out on me a couple of times. It's actually the third time I've tried to film this, and it just dies; it's been dying. So let's get through it quickly. We have landed on the shop. We want to go to the My account, which is right around this area here. Click on that link; it takes us to the fun stuff. I'm already feeding this through Burp, by the way, because we're going to get to that. I'm not going to actually use Burp here because I don't need to, but we're going to get to Burp in just a second for a little extra. Here we have the login form.

By the way, yes, you can use SQL injections to potentially bypass logins on web applications. Don't now take this information, run out to every web login you find, and try SQL injection attacks against them to see if you could bypass a login. That's not how this works. Don't do that. We only use these skills to test on machines we own or we have permission to test on, like the Web Security Academy lab here, okay? There's bug bounty programs out there; there's, you know, large-scoped responsible disclosure programs. Go find those if you want to work in real-life land with permission, but you got to have permission, okay? We're good, right? I don't got to go any further: don't run with scissors, and don't hack on stuff that you don't have permission to hack on. All right, now that that's said, I did this one time and somebody was like, my boyfriend saw what you did and was trying to log into Instagram using a SQL injection. I'm like, no, no, do not do that. All right, so username: obviously they said administrator, and you can kind of see that the login here is already kind of filled out, giving you the spoiler alerts there at the bottom. But let's just kind of take our way through it, let's work our way through it so we understand this. So I know that the username is administrator. It might be admin, right; I might have to do some further testing. It might be something else: root, you know, superuser, who knows. We've got the password... we don't have the password, actually, so I'm just going to lean on the keyboard. I want to just see what this does; I'm testing. So I log in. No, I don't need you to save that, thanks, and no thanks there. But I get an invalid username/password. Okay, no problem. And I could try things like password1 and so on and so forth. That might be one of the first stages if I was actually testing against this thing: try some low-hanging fruit. Is administrator with 123456 going to work? You know, the top 15 or 20 most commonly used passwords: can I just easily guess my way through this?

If that doesn't work, okay, maybe now I'm looking for that SQL injection. All right, so let's try administrator, and I'm going to throw a single quote on that, come down here in the password field, and I hit login, 'cause my password might be nothing, but it might complain about that. Oh, it does: please fill out this field, right. So it looked like JavaScript or something was causing that alert. It says no, please fill out that field. Okay, so I got to put something in there. I don't really care at this point about the password; let's just go hit login. All right, I'm not going to save; maybe I can hit never save, that would be awesome. And then, oh, I got this internal server error. Ooh, that's interesting. I didn't get "hey, bad username and/or password." A lot of times they get a little verbose and they're like, hey, that was the bad password for the administrator user. Oh, it was administrator, not admin, cool, good to know. They get a little verbose from time to time and kind of tip the hand, as it were, on what's going on. But I'm getting internal server error, which lets me know that I'm probably injecting SQL. When I put that single quote in there, it probably went, hey, you just jacked up my SQL statement. Yeah I did, yeah I did. Okay, cool. Let's go back to lab home, go back to My account, and now we'll just try the good tried-and-true OR 1=1, you know, easy-peasy SQL statement. Yes, I don't need you to do that; I just wanted this to do this. There we go. So we'll put in administrator and then a single quote, and of course OR 1=1, and we'll give it a dash-dash inline comment character. That's what it's called. Might be an octothorpe, might be a dash-dash-space; there's a couple of them that it very well may be, okay? So if that doesn't work in real life, you try the others. Lean on the keyboard for the password and log in, and wait for it: congratulations, we have solved the lab. Now we've reached the end of that.

Now, that's a simple way to do it, right? Someone so graciously pointed out in the last SQL injection episode that I did, wrote in the comments, and they're absolutely right, they were 100% correct, that it's usually not this easy. It might be, it could be, right, but it usually is not that simple, because we have web application firewalls that are looking for SQL injections, or maybe it's just a little more robust or a different environment than the simple, straight-up, easy-peasy one. Maybe they're using a different database on the back end and therefore you need a different inline comment character, or you need a different way to do this. Maybe the statement is formed in such a way that that simple OR 1=1 isn't going to work. Maybe we can try something else, and yeah, you could do that manually, but programmatically is so much better, and that's where Burp Suite's going to come back into play. Now I jumped out to GitHub. This is a SQL injection payload list repository that I've used in the past with decent success. It's just got a bunch of lists that kind of walk you through, or allow you to feed into your automation, SQLMap or Burp Suite Intruder, for working your way quickly and automatically through trying to do SQL injections for things like exploitation or detection or whatever, right. And it kind of gives you a really good rundown of what SQL injection is and how that works and the different types. So it's a really good resource if you're wanting to learn more about SQL injections, and it tells you some great tools for doing SQL injections, and then here's some generic SQL injection payloads, and you can just copy this and paste it. I've actually already downloaded the generic list right here, the generic SQLi text file, and I'll just head generic, and it'll give us the first few. Like we can see here that we're getting one that has an x equals x, another true/false statement kind of thing going on, and it's using some URL encoding for the spaces instead of just having them plain, because you might run into that; maybe you need to do URL encoding, right.

But this I can just now feed into Burp Suite Intruder, right. And come in here, grab that POST for the login. Let me get my magnifier up here... no, it's down here. What was it, Magnus? Is that the one I like to use? We'll see. No, that's not the one I like. KMag, I think is what it is. KMag, yeah, this one's actually not too bad for a Linux magnifier, works pretty well. So let's get this out of the way. Am I not getting it out of the way? Hello, hello, KMag. Well, you're in my way anyway, so... oh, I'm grabbing the wrong spot. There we go, there's your login right there. So POST login, and I would just right-click on this and send to Intruder. Thank you, KMag, you can take a break. Go to Intruder, and from there find that spot where you'd want to hit this good stuff. Now we've already got it filled in right here, but what I could do is just grab that and back it up and then just hit like a single quote and kind of fill that in, and grab that, hit add. Now I've got a place to do it, like a parameter or position. Go to payloads and then just load my file, which is generic SQL, hit open, and now you notice I've got all these lovely SQL injections that I can now automatically hit start attack and see if they work, right. So just another way to do it, a little more in depth, using an actual tool that PortSwigger obviously builds. And if you're using the Community Edition, just get prepared to sit and wait quite some time, because it's throttled. If you got that Burp Pro license, though, that's the ticket, 'cause that's going to run super fast, and that'll be a whole lot better. And you can look through that, skim through the results, and look for what might look like maybe there's a size difference, as far as the return and the data size of a response. You know, you get 403s versus a... or not four... like, yes, 400s that give you like, hey, that's a bad no-no, that didn't work.

You just want to look for those differences. Maybe you get a 200, maybe there's a redirect, who knows; look for what the differences are, and that could lead you to, hey, my SQL injection might have worked there. Let me try that in the login form and see if that gets you any further than you already got. All right, so there it is, our last one. This has been a lot of fun. Like I said, I've really enjoyed it; maybe I'll do more in the future. It has been a lot of time-consuming effort, though. Hopefully you've gotten a lot out of it, and if you did, if you enjoyed the series and you enjoyed this episode, do me a favor to increase the reach: do that whole like-and-subscribe thing, share it and let people know, comment and give me some engagement, and that will help the YouTube algorithms and all the other algorithms that take the stuff and try to give it to other people and think, hey, you might like this. Hitting that thumbs up is one of the best things you can do for the channel. Thank you so much everyone for joining me, and until next time, keep hacking.
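The walkthrough above shows two observable behaviours at the login form: a lone single quote producing an internal server error, and the `administrator' OR 1=1--` input logging in without the password. The following Python script is an added example (not code from the video or from PortSwigger) that reproduces both behaviours against a constructed in-memory SQLite users table, with the string-concatenated query that makes them possible placed beside the parameterised query that removes them. The table contents, the `vulnerable_login`/`safe_login` function names and the junk password are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the lab's back end. Passwords are
# stored in plain text only to keep the demonstration short; a real
# application stores salted password hashes.
CONSTRUCTED_USERS = [
    ("administrator", "not-guessable-admin-secret"),
    ("wiener", "peter"),
]

# Constructed inputs mirroring the walkthrough: a lone quote as the probe,
# then the OR 1=1 payload with a -- comment, each sent with a junk password.
PROBE = "administrator'"
PAYLOAD = "administrator' OR 1=1--"
JUNK_PASSWORD = "asdfasdf"


def make_db():
    """Create an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Weak pattern: user input is concatenated into the SQL text.

    Returns the matched username, None for a failed login, or the string
    "error" when the database rejects the statement. That last case is the
    lab's "Internal Server Error" after a stray single quote: the quote
    closes the string literal early and leaves an unterminated one behind.
    """
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Fix: a parameterised query. Input is bound as data, never parsed as SQL,
    so quotes, OR 1=1 and comment markers are just characters in a value."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_probes():
    """Send the same three logins to both implementations.

    Returns {label: (vulnerable_result, parameterised_result)}.
    """
    conn = make_db()
    cases = {
        "wrong password": ("administrator", JUNK_PASSWORD),
        "single quote probe": (PROBE, JUNK_PASSWORD),
        "OR 1=1 payload": (PAYLOAD, JUNK_PASSWORD),
    }
    return {label: (vulnerable_login(conn, u, p), safe_login(conn, u, p))
            for label, (u, p) in cases.items()}


if __name__ == "__main__":
    for label, (vuln, safe) in run_probes().items():
        print(f"{label:20} vulnerable={vuln!r:18} parameterised={safe!r}")
```

Run as-is, the concatenating version returns `"error"` for the probe (the 500 in the video) and `"administrator"` for the payload, while the parameterised version returns `None` for all three. Note that `OR 1=1` matches every row and the first row happens to be the administrator because of insertion order; that is why the walkthrough's payload logs in as that account in this table. SQLite accepts `--` with no trailing space; MySQL requires a space after `--` (or accepts `#`), which is the comment-character difference the video mentions.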
Info
Channel: Daniel Lowrie
Views: 1,179
Keywords: portswigger, burpsuite, owasptop10, owasp, websecurity, webapplicationsecurity, bugbounty, hacking, hacker, cybersecurity, informationsecurity, infosec, kali, kalilinux, parrotos, pentester, pentesting, redteam, blueteam, cyber, cyberdefense, sql injection, sqli, login bypass
Id: VO1dIxidYTo
Length: 12min 17sec (737 seconds)
Published: Fri Jan 05 2024