Ethical Hacking and Penetration Testing Guide
We will insert an apostrophe (‘) in the “Name” field to look for a typical SQL injection and see if we are able to break the query.

We get an SQL error, which means that we have successfully managed to break the query. Next we would have to use true statements in order to bypass authentication. We will use SQL comments to ignore everything after the username. We will insert the following command:

' or '1'='1' #

This will help us completely bypass authentication, and we are logged in as an admin. The reason for logging in as an admin is that our SQL statement would retrieve the first record, which is the administrator in most cases.

These true statements may vary according to the scenario and may not work in all cases. Luckily, OWASP board member Dr. Emin İslam Tatlı’s SQLi authentication bypass cheat sheet makes our job much easier. We can load the list in Burp Intruder to automate this process.
Step 1—We will intercept the request and send it to Burp Intruder (Ctrl+I). Under Burp Intruder, we will choose “Sniper” as the attack type and will choose to fuzz both the username and password parameters.
Step 2—Next, we will load the cheat sheet in Burp Intruder as the payload list that the form will be tested against.
Step 3—Finally, we will start the Intruder attack and take note of the content length of each response to see where we have been able to bypass the authentication mechanism.
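As an added illustration (not code from the book), the following Python/sqlite3 login shows why the tautology above succeeds against a query built by string concatenation and fails against a parameterised one. SQLite does not recognise MySQL's `#` comment, so the demo supplies the same `' or '1'='1` tautology in both the username and password fields, as the Step 1 fuzzing does, instead of relying on the trailing comment; the table and credentials are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: the administrator is the first row, as the text assumes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "pa55")],
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by concatenation, so a quote in the input is parsed as SQL.

    Returns the matched username, None when nothing matches, or the error text
    when the input breaks the query (the SQL error the text probes for)."""
    query = (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    try:
        row = db.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"
    # With "' or '1'='1" in both fields the WHERE clause becomes
    #   username='' or '1'='1' AND password='' or '1'='1'
    # which is true for every row, so the first record (admin) comes back.
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised statement: the input is bound as data and never parsed as SQL,
    so the same tautology is simply compared against the stored values."""
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' or '1'='1"
    print("apostrophe probe:", login_vulnerable(db, "'", "x"))
    print("vulnerable login:", login_vulnerable(db, tautology, tautology))
    print("parameterised login:", login_safe(db, tautology, tautology))
```

The parameterised version is the fix; validating the response content length, as in Step 3, is only a way of noticing that the vulnerable version let the request through.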