February 14, 2019

OWASP SQL Injection – Authentication bypass using BurpSuite



SQL injection is a very common web application vulnerability in which an attacker injects malicious SQL into a query, usually by modifying the input of a text field in a request, in order to fetch sensitive information from the website's database.
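As an added illustration (not code from the original post or from Mutillidae), the following Python snippet shows the login pattern this attack targets beside its parameterized fix; an in-memory SQLite table is constructed to stand in for the application's MySQL accounts table, and the column names are an assumption:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's
    # accounts table (assumed columns: username, password).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('admin', 'adminpass')")
    return conn

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable pattern: user input is pasted into the SQL text, so a quote
    # in the username field changes the structure of the WHERE clause.
    sql = ("SELECT username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None

def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened pattern: bound parameters keep the input as data; the query
    # structure is fixed before any user-controlled value is seen.
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo() -> dict:
    conn = make_db()
    # The walkthrough submits "admin" with an empty password and then lets
    # Intruder substitute injection tokens for the username; one such token:
    token = "admin' OR '1'='1"
    return {
        "vuln_blank_password": vulnerable_login(conn, "admin", ""),
        "vuln_token": vulnerable_login(conn, token, ""),
        "safe_token": safe_login(conn, token, ""),
        "safe_real_credentials": safe_login(conn, "admin", "adminpass"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'logged in' if ok else 'rejected'}")
```

The vulnerable query becomes `... WHERE username = 'admin' OR '1'='1' AND password = ''`, which matches the admin row regardless of the password; the parameterized query compares the whole token against the username column and finds nothing.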

Step 1: Set up the vulnerable web application

In this example we use Mutillidae as the vulnerable web application and will try to log in as the admin user by means of an SQL injection attack.

First you need to set up a local web server on which the vulnerable web application will run.

In this case Apache is used as the web server and MySQL as the backend database.

Download XAMPP and install it on your operating system.

After the installation, start the servers from the XAMPP control panel.



Now download the Mutillidae application and place it inside the server.

After downloading and extracting the archive, place it in the appropriate location under the web server's document root.



Now open a Kali Linux machine on the same LAN and configure the browser proxy so that every request and response passes through Burp Suite.

Open Firefox and type <your windows os ip>/mutillidae in the address bar.


Open Firefox > Go to Options 



Under the General tab, search for Network Settings.


Select Manual proxy configuration, set the proxy IP to 127.0.0.1 (localhost), and tick the checkbox to use the same proxy for the other protocols as well.



Now open Burp Suite.



Under the Proxy tab go to Options and make sure the listener interface is selected.



Now enable the Intercept button to capture the requests and responses passing between client and server.


 
The setup is now complete; next, start the attack.
Open the Mutillidae login page, enter the username admin and press the Login button.



Now look at Burp Suite and see what it has captured.

In the captured request above, the POST method sends the username "admin" with the password field left blank. Now you can start trying to bypass the login.

Now right-click on the request and select "Send to Intruder".


Go to the Intruder tab > Positions.

Click Clear and add only the field we will attack. Here we want to inject SQL tokens into the username, so select the value of the username parameter.


After that, move on to the payload settings to choose what type of payload will be used against the login.

In this case, Simple list is selected as the payload type. Click Load to add a file that already contains all the injection tokens to try.


Note: In Kali Linux, a default SQL injection token list is available at the following path.
/usr/share/wfuzz/wordlist/Injections/SQL.txt

After choosing the file, click Start attack and wait. It will take some time to finish, depending on the number of entries in the list.


After the attack has run, we usually check the status code and response length of each result for any change compared with the other entries in the list.


In this case there are several different response lengths, so we have to check them one after another to see which one has successfully bypassed the authentication.

Having already checked which one works, go to entry number 40 and double-click it. Then click the Response tab and, under it, the Render sub-tab. It shows the rendered result of the attack.
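One way to do the status/length triage described above outside the Burp UI, as an added example that is not part of the original post; the result rows are constructed to mimic an Intruder results table, and the tolerance value is an assumption about how much of the payload the target page echoes back:

```python
from statistics import median

# Constructed Intruder-style result rows: (request number, payload, HTTP
# status, response length). Not real output from the walkthrough; the row
# numbered 40 mirrors the entry the text singles out.
SAMPLE_RESULTS = [
    (1, "admin", 200, 51230),
    (2, "admin'", 200, 51231),
    (3, "admin''", 200, 51232),
    (4, "admin\"", 200, 51238),
    (40, "admin' OR '1'='1", 200, 58104),
]

def find_outliers(rows, tolerance: int = 50):
    """Return rows whose response differs from the run's baseline.

    Baseline: the most common status code and the median response length.
    `tolerance` allows for small length differences caused by the payload
    itself being echoed into the page (assumption about the target app).
    """
    statuses = [r[2] for r in rows]
    base_status = max(set(statuses), key=statuses.count)
    base_len = median(r[3] for r in rows)
    return [r for r in rows
            if r[2] != base_status or abs(r[3] - base_len) > tolerance]

if __name__ == "__main__":
    for num, payload, status, length in find_outliers(SAMPLE_RESULTS):
        print(f"#{num}: status={status} length={length} payload={payload!r}")
```

Rows that differ in status code (for example a redirect after a successful login) or in length by more than the tolerance are the ones worth opening in the Render sub-tab first.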


Congratulations! We have bypassed the login page and obtained admin privileges.
If you have any further doubts or need help on this topic, feel free to write in the comment box below. Happy Hacking!















