Authentication Bypassing Admin Panel

cyb3rD1vvy@
2 min read · Sep 14, 2023

Hello everyone! Welcome back to my blog, I'm Divya. I hope you are all doing well.

In this blog I'll describe how I was able to get around the admin login panel and how that led to complete admin access control.

About SQL injection

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself can access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

In some situations, an attacker can escalate a SQL injection attack to compromise the underlying server or other back-end infrastructure or perform a denial-of-service attack.

SQL Injection Types

Classic SQL Injection: This involves manipulating an application’s input to inject malicious SQL queries. It often occurs when user input is not properly sanitized before being incorporated into SQL queries.

Blind SQL Injection: In this type, an attacker doesn’t receive direct responses from the application. Instead, they infer information by exploiting timing delays or errors in the application’s responses.

Time-Based Blind SQL Injection: Attackers can determine whether a given condition is true or false by inducing a time delay in the application’s response. This can help them extract data indirectly.

Error-Based SQL Injection: Attackers intentionally provoke errors in the application’s SQL queries to get information about the database structure or data.

Union-Based SQL Injection: Attackers exploit the UNION SQL operator to combine the result sets of two or more SELECT statements, potentially accessing data they shouldn’t have access to.

Out-of-Band SQL Injection: This type involves triggering a connection to an external server that the attacker controls, bypassing certain security measures.

Vulnerability: SQLi - Authentication Admin Panel Bypass

Payload URL: https://github.com/payloadbox/sql-injection-payload-list/blob/master/Intruder/exploit/Auth_Bypass.txt

Steps to reproduce

Step 1: Go to the admin login page.

Step 2: Enter the payload in the username or password field:

Payload Used: admin' or '1'='1'#

Step 3: Enter the payload and click the submit button.

Step 4: Boom! You are logged in successfully.
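As an added example (my own code, not from the original post), here is a minimal login check that shows why the payload above works against a query built from strings and not against a parameterised one. It runs on an in-memory SQLite table with constructed sample data; because the trailing `#` in the post's payload is MySQL's line comment, the SQLite equivalent `--` is used for the bypass and the `#` form is shown being rejected by SQLite's parser.

```python
import sqlite3

# Constructed sample data: one admin account. Real systems must store password
# hashes, never plaintext; plaintext is used here only to keep the demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretPassw0rd')")
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so quotes in the input change the SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Binds the input as parameters; the driver never hands it to the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def try_login(login_fn, username, password):
    """Returns the username on success, None on failure, or an error string if the
    database rejected the query (shows that comment syntax is database-specific)."""
    try:
        return login_fn(make_db(), username, password)
    except sqlite3.OperationalError as exc:
        return "OperationalError: %s" % exc

# The post's payload ends in '#', MySQL's line comment. SQLite uses '--', so the
# first payload is the SQLite equivalent; the second is the post's form verbatim.
PAYLOAD_SQLITE = "admin' or '1'='1'--"
PAYLOAD_MYSQL = "admin' or '1'='1'#"

if __name__ == "__main__":
    # Vulnerable: WHERE username = 'admin' or '1'='1'--' AND password = 'wrong'
    # The password check is commented out and the OR makes the admin row match.
    print(try_login(login_vulnerable, PAYLOAD_SQLITE, "wrong"))   # admin
    # Safe: the whole payload is compared as a username string and matches nothing.
    print(try_login(login_safe, PAYLOAD_SQLITE, "wrong"))         # None
    # MySQL-style '#' is not a comment in SQLite, so the broken query errors out.
    print(try_login(login_vulnerable, PAYLOAD_MYSQL, "wrong"))
    # Normal credentials still work through the safe path.
    print(try_login(login_safe, "admin", "S3cretPassw0rd"))       # admin
```

The fix is the parameterised query: the login form should never be able to alter the WHERE clause, and an attempt like this should appear in logs as a failed login with an odd username rather than as a success.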

Thanks for reading!

Cyber Security Professional | Bug Hunter | Penetration Tester