SQL Injection Authentication Bypass

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
sequel injection authentication, bypass practical scenario are learning objective is one understand how to bypass authentication with a sequel injection
00:12
so your mind might be spinning right now if you're not used to looking at sequel injections and you just saw that demo and you might be like Clint, How did you even figure that out?
00:23
A lot of Googling? I'm not a master at sequel or my sequel database and a database administrator.
00:31
It just took a lot of research which is the basis of Oh SCP right is enumeration is figuring this stuff out is googling it.
00:40
So let's take a step back. You know I think we have a process down here and it all starts with scanning, right?
00:47
We scan our host,
00:48
we find a web server that we can go to with our browser.
00:54
Um We identify the possible version of the software, we use Apple Isar. Um We can enumerate things with cookies so remember to keep enumerating and figuring out what the underlying technology is
01:08
and then we try to find vulnerabilities for that software.
01:11
So that application that we did in the last block is a custom application, there's no C D E that I know for it.
01:19
But like I told you, I like to make labs. So in this case I downloaded some vulnerable software. Well I already know what the vulnerability is because I downloaded it. But for the sake of this example, let's say you come across this website. Free student management system. Free sms version 2.1 point two
01:38
free smS. We could curl this because you know, it's a nice pretty web web page. If we curled up we got we get more of the source
01:47
Of the page. Um but we can either Google for that exact now my Google's going off, we can google for that exact um you know, free sms student management system, version 2.1.2.
02:01
Or we can use exploit DB or search flight.
02:07
So if we use search exploit, I'm using searchlight here. I'm using free sms 2.1.2. And as we can see it's there's a sequel injection authentication bypass.
02:19
So you can see here I use the tack em option. It just copies it to the desktop because that's the directory I'm in.
02:25
So it will copy that python script to the desktop. Now we should always read what the script does. Right? So we wouldn't understand what it does. That's also very important for Oh SCP. We can see the password parameter has a bullying based blind sequel injection vulnerability. Right?
02:43
And
02:44
I I would encourage you to read the whole thing and it will tell you exactly what it does. So well the XY will create a new password for a known user.
02:55
If I don't know who the user is then it's not gonna work.
02:59
Yeah.
03:00
So I'm gonna guess I'm going to guess that there's an advent.
03:02
Um and in fact I think there is an admin by default in this database.
03:07
So I run the script. I do username admin,
03:13
I have a used password for password and it says authentication bypass was successful. Try trying to change the password and you can see that a new password was created for password
03:24
and using that I was able to successfully log in
03:30
as the admin with the pastor that I created
03:32
from that python script.
03:36
What happens if the script fails? This may happen to you. You might find a vulnerability on test day
03:43
and you find a really nifty script for it
03:45
and you realize that doesn't work. Well that's why it's important to understand what the script does.
03:51
So because I know that it's a form and that there are various bypasses. Can I manually bypass it without having to use the script?
04:00
So I did, I used this admin
04:03
double quote or one, you know another or statement or one equals one
04:11
and it worked.
04:13
I bypassed the login in the user name field
04:16
and logged in.
04:18
So here's a great sheet sheet for uh for authentication bypass, it gives you a whole bunch of them, you can make your own script, you can use burp suite like I showed you you can use intruder with sniper
04:31
and
04:32
enter that into these forms
04:36
or some of the other payloads I showed you as well. Not just sniper.
04:42
Okay,
04:43
so here's some tips
04:44
just in general for sequel injections, test everything that could be vulnerable parameters, fields, forms, logins,
04:51
like I told you enumeration is the key. What is the technology? What is the service? What is the you know, just take a look, take a look at that. We saw was SMS in the version and we and we found the vulnerability right there
05:05
are single quote is the main attack vector. If it's going to be an error based or in in band uh sequel injection vulnerability then we will see a verbose output saying there's an error, a sequel error
05:18
blinder obviously harder to find.
05:23
Also something of note is you saw or and and statements that I use. There are there are alternatives to that and and can be an alternative for and
05:33
and double pipe can be an alternative for or so keep that in mind because add that to your tool belt, add that to your fuzzing payload list as well, not just in an or statements.
05:47
So in summary uh we should now understand how to bypass authentication with a sequel injection.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By