SQL Injection Authentication Bypass

00:00

sequel injection authentication, bypass practical scenario are learning objective is one understand how to bypass authentication with a sequel injection

00:12

so your mind might be spinning right now if you're not used to looking at sequel injections and you just saw that demo and you might be like Clint, How did you even figure that out?

00:23

A lot of Googling? I'm not a master at sequel or my sequel database and a database administrator.

00:31

It just took a lot of research which is the basis of Oh SCP right is enumeration is figuring this stuff out is googling it.

00:40

So let's take a step back. You know I think we have a process down here and it all starts with scanning, right?

00:47

We scan our host,

00:48

we find a web server that we can go to with our browser.

00:54

Um We identify the possible version of the software, we use Apple Isar. Um We can enumerate things with cookies so remember to keep enumerating and figuring out what the underlying technology is

01:08

and then we try to find vulnerabilities for that software.

01:11

So that application that we did in the last block is a custom application, there's no C D E that I know for it.

01:19

But like I told you, I like to make labs. So in this case I downloaded some vulnerable software. Well I already know what the vulnerability is because I downloaded it. But for the sake of this example, let's say you come across this website. Free student management system. Free sms version 2.1 point two

01:38

free smS. We could curl this because you know, it's a nice pretty web web page. If we curled up we got we get more of the source

01:47

Of the page. Um but we can either Google for that exact now my Google's going off, we can google for that exact um you know, free sms student management system, version 2.1.2.

02:01

Or we can use exploit DB or search flight.

02:07

So if we use search exploit, I'm using searchlight here. I'm using free sms 2.1.2. And as we can see it's there's a sequel injection authentication bypass.

02:19

So you can see here I use the tack em option. It just copies it to the desktop because that's the directory I'm in.

02:25

So it will copy that python script to the desktop. Now we should always read what the script does. Right? So we wouldn't understand what it does. That's also very important for Oh SCP. We can see the password parameter has a bullying based blind sequel injection vulnerability. Right?

02:43

And

02:44

I I would encourage you to read the whole thing and it will tell you exactly what it does. So well the XY will create a new password for a known user.

02:55

If I don't know who the user is then it's not gonna work.

02:59

Yeah.

03:00

So I'm gonna guess I'm going to guess that there's an advent.

03:02

Um and in fact I think there is an admin by default in this database.

03:07

So I run the script. I do username admin,

03:13

I have a used password for password and it says authentication bypass was successful. Try trying to change the password and you can see that a new password was created for password

03:24

and using that I was able to successfully log in

03:30

as the admin with the pastor that I created

03:32

from that python script.

03:36

What happens if the script fails? This may happen to you. You might find a vulnerability on test day

03:43

and you find a really nifty script for it

03:45

and you realize that doesn't work. Well that's why it's important to understand what the script does.

03:51

So because I know that it's a form and that there are various bypasses. Can I manually bypass it without having to use the script?

04:00

So I did, I used this admin

04:03

double quote or one, you know another or statement or one equals one

04:11

and it worked.

04:13

I bypassed the login in the user name field

04:16

and logged in.

04:18

So here's a great sheet sheet for uh for authentication bypass, it gives you a whole bunch of them, you can make your own script, you can use burp suite like I showed you you can use intruder with sniper

04:31

and

04:32

enter that into these forms

04:36

or some of the other payloads I showed you as well. Not just sniper.

04:42

Okay,

04:43

so here's some tips

04:44

just in general for sequel injections, test everything that could be vulnerable parameters, fields, forms, logins,

04:51

like I told you enumeration is the key. What is the technology? What is the service? What is the you know, just take a look, take a look at that. We saw was SMS in the version and we and we found the vulnerability right there

05:05

are single quote is the main attack vector. If it's going to be an error based or in in band uh sequel injection vulnerability then we will see a verbose output saying there's an error, a sequel error

05:18

blinder obviously harder to find.

05:23

Also something of note is you saw or and and statements that I use. There are there are alternatives to that and and can be an alternative for and

05:33

and double pipe can be an alternative for or so keep that in mind because add that to your tool belt, add that to your fuzzing payload list as well, not just in an or statements.