SQL Injection — Login form bypass

Niedam
Feb 27, 2024


Hello everyone. Today I would like to show you a few examples of how to bypass a login panel using SQL injection.

We’ll take a look at three popular vulnerable applications, including:

  • PortSwigger Lab
  • Juice Shop
  • Mutillidae II

In these examples I'll be using the following tools:

  • BurpSuite
  • Zap Proxy
  • SQLmap

Example 1. PortSwigger Laboratory / BurpSuite

Lab: SQL injection vulnerability allowing login bypass

This lab contains a SQL injection vulnerability in the login function. To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

To start, we need to run the lab and go to the My Account option.

As you can see, there is a login form that we need to breach. I will enter the correct username, administrator, and a test password, e.g. admin.

Before you try to log in, first start BurpSuite. Go to the Proxy tab and enable the Intercept is on option. This will allow you to intercept the request to the server and see what parameters are being sent to the web application.

You should see a request like the one below. Look at the parameters: username/password/csrf. The vulnerable parameters are username and password.

To attack these parameters we will use a very simple payload. The standard query behind a login form checks whether the submitted username and password match a row in the database. In this situation we know that the username administrator exists. The only thing we need to do is close the string literal in the SQL statement and comment out the rest of the query, so that the password condition is ignored.

The comment syntax depends on the database:

  • Oracle: --comment
  • Microsoft SQL Server: --comment, /*comment*/
  • PostgreSQL: --comment, /*comment*/
  • MySQL: #comment, -- comment (note the space after the double dash), /*comment*/

In the previous article I explained how to close an SQL query. Back to our login form. The correct payload for this vulnerability is:

Login : administrator' --
Password : whateverYouWant
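To see why the payload works and why a parameterized query stops it, here is an added example (not the lab's code or the article's) using Python's sqlite3 with a constructed users table: the vulnerable concatenated query beside its parameterized form, both fed the same input.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with one administrator account.
    # This is an assumed schema for the example, not the lab's real one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('administrator', 'S3cret!')")
    return db


def build_vulnerable_query(username, password):
    # The query is assembled by string concatenation, so a quote in the
    # input ends the literal and `--` comments out the password check.
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(db, username, password):
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    # Same logic with bound parameters: the driver sends the input as data,
    # so it can never terminate the literal or start a comment.
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    payload = "administrator' --"  # the payload from the article
    return {
        "vulnerable_query": build_vulnerable_query(payload, "whateverYouWant"),
        "vulnerable_bypass": login_vulnerable(db, payload, "whateverYouWant"),
        "vulnerable_wrong_password": login_vulnerable(db, "administrator", "nope"),
        "safe_bypass_attempt": login_safe(db, payload, "whateverYouWant"),
        "safe_correct": login_safe(db, "administrator", "S3cret!"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns the administrator row for the payload with any password, while the parameterized one only logs in with the real password; the printed query shows exactly what the database received.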

The request in BurpSuite should look like this:

The administrator account is taken over.

Example 2. Juice Shop / ZAP

In this exercise I'll show you how to break into a login form using a brute force attack, fuzzing the form with a list of SQL injection payloads. This time I'll be using ZAP Proxy (an alternative to BurpSuite).

Instructions on how to run the OWASP Juice Shop can be found here.

Let’s go to the login panel. Enter some sample credentials and check the request in ZAP.

The captured request can be used for a brute force attack. Right-click on this request and send it to Fuzz.

The next step is to configure our attack. Select the email parameter and add the payloads.

Payload options:

  • Type: File (1)
  • Select File: /usr/share/seclists/Fuzzing/SQLi/quick-SQLi.txt (2)

If you don't have this list, install it from the Kali repository:

sudo apt update && sudo apt install seclists  

Next, start the Fuzzer attack.

After a few seconds we can analyse the results. If we sort the results of our attack by response code, we see some 200 (OK) responses, which suggests a successful attack.

Click on one of the 200 results. You will see:

  • Payload (1–2)
  • Response (3)
  • Authorization token (4)
  • Admin account (5)

Copy the payload and enter it into the login form. Enjoy the admin account.

Example 3. Mutillidae II / ZAP + SQLmap

In this last example of bypassing the login form, we will use the Mutillidae II web application and the SQLmap tool.

Select the correct exercise from the menu:

OWASP 2017 -> A1-Injection(SQL) -> SQLi-Bypass Authentication -> Login

Enter some sample credentials and intercept the request in BurpSuite or ZAP Proxy. It should look like this (ZAP):

Save the request to a text file.

SQLmap

Run the SQLmap tool with the following command:

sudo sqlmap -r ~/Desktop/request -p username

  • sudo - run with admin permissions
  • sqlmap - name of the application
  • -r - read the request from a file (~/Desktop/request is the path to the saved request)
  • -p - name of the parameter to test for the vulnerability

After a few moments you will see the result of the test.

You can use one of the found payloads to bypass the login form.

And voilà, the admin account is yours.

Conclusion.

SQL injection is a serious vulnerability that can compromise the security of web applications, particularly login forms. By exploiting poorly sanitized input fields, attackers can manipulate SQL queries to bypass authentication mechanisms, gaining unauthorized access to sensitive information or even full control over the underlying database.

Preventing SQL injection requires a multi-layered approach, including input validation, parameterized queries, and regular security assessments. Developers must prioritize secure coding practices and stay informed about emerging threats to effectively safeguard against SQL injection attacks. Additionally, ongoing education and awareness among developers, administrators, and users are crucial in maintaining the integrity and security of web applications.

More on preventing SQL injection will be covered in the final article on SQL Injection.
