OWASP SQL Injection – Authentication bypass using BurpSuite

SQL injection is a very common web application vulnerability, where hackers inject malicious SQL query to fetch sensitive information from the website’s database by modifying and requesting text field’s inputs.

Step1: Setup the vulnerable web application

In this example, we are using Mutillidae as a vulnerable web application and we will try to log in as an admin user using SQL injection attack. 

Firstly you need to create a local web server from where you can run the vulnerable web application. 

In this case, apache would be run as a web server and MySQL as a backend database.

We shall download XAMP and install it in our respective operating systems.

Download link: https://www.apachefriends.org/download.html

After the installation starts the servers from the XAMPP control panel.

Now download and place the Mutillidae application inside the server.

 Download link: https://sourceforge.net/projects/mutillidae/

After the download and extraction of the file now place it in the appropriate position.

Now open Kali Linux OS placed in the same LAN, and configure the browser proxy so that you can pass every request and response through burp suit.

Open Firefox and type <your windows os ip>/mutillidae in the address bar

Open Firefox > Go to Options 

Under the General Tab search for Network settings

Select Manual proxy configuration and set up the proxy IP with your 127.0.0.1 (localhost) and also mark the checkbox to use the same proxy for other protocols as well.

Now open Burpsuite

Under the proxy tab go to Options and make sure the interface is selected. 

Now enable the intercept button to capture the ongoing request and response between client and server.

 

Now you are done with the setup part, consecutively start the attack.

Open Mutillidae login page > enter the user name as admin and press the login button.

Now look at BurpSuite and see what you have got there.

On the above screen, using POST method you are sending the username as “admin” and leave the password field blank. Now you must start trying to bypass the login.

  Now right click on the screen and select “Send to Intruder”

Go to Intruder Tab > Positions

Click on Clear and add the only field where we will start exploiting. Here we want to exploit the username value using SQL injection tokens so I will select the value of the username parameter.

After that come to Payload Positions to choose what type of payload we will use to exploit the credentials.

In this case, Simple List is selected as a Payload type. Click on Load to add the file where all possible injection tokens were already added.

Note: In Kali Linux, you can get a default SQL injection token list in the following path.

/usr/sare/wfuzz/wordlist/Injections/SQL.txt

After choosing the file click on Start attack and wait. It will take some time to finish depending upon the list count.

After the attack is performed, usually we check the status and the length if any changes are there as compared to other lists value.

In this case, we have different types of field lengths so we have to check one after another to see which one has successfully exploited the authentication.

As I have already checked which one is working, let’s come to the list number 40 and double click on it. Now click on the Response tab and under that come to the sub-tab Render. It will give you real-time results of the attack.

 Congratulation!! We have bypassed the login page and got the Admin privilege.

If you have any further doubts or need any help on this topic feel free to write in the comment box below. Happy Hacking!

Reactions: