Ethical Hacking and Penetration Testing Guide


Testing for SQL Injection Auth Bypass



Since our input is not properly filtered or validated, we can insert the following SQL fragment into the user input to bypass authentication:
' or '1'='1
Because this condition is always true (1 is always equal to 1), it results in bypassing authentication. Assuming that the password parameter is vulnerable and the username we are trying is "administrator," the following query would be executed:
SELECT * FROM users WHERE username = 'administrator' AND password = '' or '1'='1'
Since AND binds more tightly than OR, the WHERE clause evaluates as (username = 'administrator' AND password = '') OR '1'='1', which is true for every row in the table.
Alternatively, you can use an SQL comment to ignore everything after your input, which also results in bypassing authentication:
' or '1'='1' --
' or '1'='1' #
Let's now see this in action. For demonstration, I will use the OWASP Mutillidae project, which contains the most popular vulnerabilities found in web applications, including the OWASP Top 10 and others.


We will insert an apostrophe (') in the "Name" field to look for a typical SQL injection and see if we are able to break the query.
We get an SQL error, which means that we have successfully managed to break the query.
Next, we have to use a true statement in order to bypass authentication. We will use an SQL comment to ignore everything after the username. We will insert the following input:
' or '1'='1' #
This completely bypasses authentication, and we are logged in as an admin. The reason we are logged in as the admin is that our SQL statement matches every row and the application uses the first record returned, which is the administrator in most cases.
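The following is an added example, not code from the book or from the Mutillidae project, that reproduces the behaviour described above against an in-memory SQLite table: the lone apostrophe that breaks the query, the tautology that makes every row match, the first-row effect that lands the session on the administrator account, and, beside it, the same login check written with bound parameters so the identical input is compared as plain data. The table contents and usernames are constructed for the demo; because SQLite does not treat "#" as a comment, the "--" variant of the comment payload is the one exercised here.

```python
import sqlite3

# Added example (not code from the book or from Mutillidae): a minimal login
# check against an in-memory SQLite database, written once with string
# concatenation and once with bound parameters.

def make_db():
    """Constructed users table; the administrator is deliberately row 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("administrator", "s3cret"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, so the input becomes SQL syntax.

    With password  ' or '1'='1  the WHERE clause becomes
        username = 'administrator' AND password = '' or '1'='1'
    AND binds tighter than OR, so every row matches and fetchone() returns
    the first one: the administrator. The  #  comment form from the text is
    MySQL syntax; SQLite only understands  --  and  /* */ , so the  --
    variant is the one used below.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so quotes, OR and comment sequences are compared literally."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def query_breaks(conn, username, password="x"):
    """The apostrophe probe from the walkthrough: True when the concatenated
    query no longer parses, which is the SQL error the text observes."""
    try:
        login_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("lone apostrophe breaks query:", query_breaks(db, "'"))
    print("vulnerable, tautology in password:",
          login_vulnerable(db, "administrator", "' or '1'='1"))
    print("vulnerable, comment in username:",
          login_vulnerable(db, "' or '1'='1' --", "anything"))
    print("parameterized, same inputs:",
          login_parameterized(db, "administrator", "' or '1'='1"),
          login_parameterized(db, "' or '1'='1' --", "anything"))
```

Running the script shows the two concatenated logins returning "administrator" while the parameterized calls return None for the same inputs; the fix is the query shape, not input filtering, which is why the cheat-sheet variants in the text all fail against the parameterized version.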
These true statements may vary according to the scenario and may not work in all cases. Luckily, OWASP board member Dr. Emin İslam Tatlı's SQLi authentication bypass cheat sheet makes our job much easier. We can load the list into Burp Intruder to automate this process.
Step 1—We will intercept the request and send it to Burp Intruder (Ctrl+I). Under Burp Intruder, we will choose "Sniper" as the attack type and mark both the username and password parameters as payload positions.


Step 2—Next, we will load the cheat sheet into Burp Intruder as the payload list to test the form against.
Step 3—Finally, we will start the Intruder attack and take note of the content length of each response to see where we have been able to bypass the authentication mechanism.
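The Intruder run above submits every cheat-sheet entry to the login form in quick succession; from the defender's side, that same traffic is what a request-inspection or login-protection layer should surface. The following is an added example, not code from the book or from Mutillidae, that flags individual login submissions whose fields carry the tautology and comment-terminator shapes shown in this section, and separately flags a source that fires many login attempts inside a short window. The event tuples are constructed for the demo; the thresholds and the assumption that the fields are visible at a WAF or request-log layer are the example's own.

```python
import re
from collections import defaultdict

# Added example (not from the book or Mutillidae): flag login submissions that
# carry auth-bypass payload shapes, and flag sources that hammer the login form
# the way an Intruder run does. The events are constructed for the demo; a real
# deployment would read them from a WAF or request log that sees the submitted
# fields before the application does.

# A quote followed by  or <x> = <y>  (tautology), e.g.  ' or '1'='1  or  " or "a"="a
TAUTOLOGY = re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.IGNORECASE)
# Comment terminators used to discard the rest of the query: -- , # , /*
COMMENT_TAIL = re.compile(r"--|#|/\*")

def classify_input(value):
    """Return the indicator names found in one submitted field."""
    hits = []
    if TAUTOLOGY.search(value):
        hits.append("tautology")
    # A bare '#' is common in real passwords; only count a comment sequence
    # when a quote is also present, i.e. when it could close a string literal.
    if COMMENT_TAIL.search(value) and any(q in value for q in ("'", '"')):
        hits.append("comment-terminator")
    return hits

# Constructed login events: (timestamp_s, source_ip, username_field, password_field)
SAMPLE_EVENTS = [
    (0, "203.0.113.5", "alice", "wonderland"),
    (1, "203.0.113.5", "alice", "wonderland1"),
    (10, "198.51.100.9", "' or '1'='1' #", "x"),
    (11, "198.51.100.9", "administrator", "' or '1'='1"),
    (12, "198.51.100.9", "admin' --", "x"),
    (13, "198.51.100.9", 'admin" or "a"="a', "x"),
    (14, "198.51.100.9", "bob", "x"),
    (20, "192.0.2.7", "carol", "P@ss#1"),
]

def detect(events, burst_threshold=5, window_s=60):
    """Two independent signals: payload shape per request, and per-source
    bursts (at least burst_threshold attempts inside window_s seconds)."""
    alerts = []
    stamps_by_src = defaultdict(list)
    for ts, src, user, pwd in events:
        indicators = sorted(set(classify_input(user)) | set(classify_input(pwd)))
        if indicators:
            alerts.append({"kind": "sqli-auth-bypass", "ts": ts, "src": src,
                           "indicators": indicators})
        stamps_by_src[src].append(ts)
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            # Slide the window start forward until it covers window_s seconds.
            while ts - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                alerts.append({"kind": "login-burst", "ts": ts, "src": src,
                               "count": hi - lo + 1})
                break  # one burst alert per source is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the detector raises one payload alert for each of the four crafted submissions from 198.51.100.9 and one burst alert for that source, while the password containing a bare "#" is left alone. The burst signal is the one that still fires when a payload variant slips past the patterns, which is why the two are kept independent.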
