Authentication Bypass and SQL Injection

A series of blogs having interesting and impactful cyber security vulnerabilities from real world assessments as well as a testing environment. Follow along!

Mritunjay Kumar
5 min read · Mar 1, 2023
Just a typical reverse shell and privilege escalation demo in a contained environment

A web application requires a user to authenticate in order to maintain a session, much like logging in to your Facebook or Instagram account. The login functionality has its fair share of weaknesses and flaws that give a malicious minded user (an attacker) an opportunity to attack its user base or the website itself.

One such thing is an authentication bypass. As the name suggests, an attacker (the malicious minded one) can bypass the authentication process and gain access to any other user's account on the portal. Yes, you heard that right. Some men just want to watch the world burn.

I am such men

Let’s see how this is humanly possible.

For demonstration, I have used the OWASP Juice Shop as a testing environment.

Basics of SQL:

A vulnerable backend code snippet (here a Node.js template literal) may look something like this:

const query = `SELECT * FROM users_table WHERE email = '${data.email}' AND password = '${data.pass}'`;

This simply means that the email and password the user submits are concatenated directly into the SQL query string. That query is then executed by the backend database, which gives rise to a serious vulnerability.

A normal user is supposed to enter his credentials like this:

Normal Request

But a psychopath would append special characters like '-- (a single quote followed by two hyphens) at the end of the email.

Psychopath’s Request

After the psychopath's input, the backend code will generate the SQL query, which now looks like:

const query = "SELECT * FROM users_table WHERE email = 'marty@hello.world'-- ' AND password = 'something'";

Observe that everything after the provided email gets commented out by the trailing -- (double hyphens), including the password check.

Logically, this means the application will not validate the provided password: it creates the user's session after matching only the email.

Testing this theory, we see that we get a session token in the response from the web application. BTW, the string provided in the password field is a random string, not the valid password.

Just a typical authentication bypass

Thus we can access literally anyone’s account on the web application.

Since this is a typical case of SQL injection, we can escalate it to extract the backend database information.

For beginners, SQL injection is an attack where an attacker injects SQL commands through user input to extract information from the database. Given sufficient privileges, the attacker can also update or delete existing data.

Enumerating with the ORDER BY clause, I found that the query returns 14 columns, because ordering by the 15th column gave me an error.

Order by clause with 14 columns
Order by clause with 15 columns gave me an error

The error message shows that a SQLite instance is present in the backend.

I then tried the typical UNION-based payload to extract data, but it seems to be a blind, boolean-based injection.

union based SQLi payload

For beginners, a blind SQL injection is a scenario where no query data is returned in the web application's response. Boolean-based SQL injection is a scenario where, if the injected SQL is wrong, the application shows an error, and if it is correct, the application functions normally but still returns no data.

For this reason, I used SQLMap to extract the data. Since this is a POST request with a JSON body, I saved the request in a text file and ran SQLMap on it.

sqlmap -r request.txt --level=5 --risk=3 --ignore-code 401 --tables --batch

The list of tables in the web application's database

From the list, the Users table looks interesting, we can dump it by the following command:

sqlmap -r request.txt --level=5 --risk=3 --ignore-code 401 -T users --dump --batch

Users table dumped

The users table contains the user credentials of all the user accounts in the web application, including the admin of the site.

The issue originated at the point where the user input was concatenated into the SQL query. It could have been prevented there by using parameterised queries, which send the user's values to the database separately from the SQL text.
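To show the bypass from the login snippet above and the parameterised fix side by side, here is an added example (not from the post or from Juice Shop) that runs the same two queries against an in-memory SQLite database, the engine the error message revealed. The table, the sample users and the hashing helper are constructed for the demo; only the query pattern mirrors the page.

```python
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Stand-in for whatever password hashing the real backend applies (constructed).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # In-memory SQLite standing in for the backend; the two rows are constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users_table (email, password) VALUES (?, ?)",
        [("admin@example.test", _hash("correct horse battery staple")),
         ("marty@hello.world", _hash("hunter2"))],
    )
    return conn


def login_vulnerable(conn, email: str, password: str):
    # The page's pattern: user input is pasted straight into the SQL text, so a
    # quote plus -- in the email comments out the password check entirely.
    query = (f"SELECT id, email FROM users_table "
             f"WHERE email = '{email}' AND password = '{_hash(password)}'")
    return conn.execute(query).fetchone()


def login_parameterised(conn, email: str, password: str):
    # Same logic with bound parameters: the values travel separately from the
    # SQL text, so the quote and -- are matched literally and never re-shape the query.
    query = "SELECT id, email FROM users_table WHERE email = ? AND password = ?"
    return conn.execute(query, (email, _hash(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "marty@hello.world'--"        # the post's email with '-- appended
    print("vulnerable   :", login_vulnerable(db, payload, "not-the-password"))
    print("parameterised:", login_parameterised(db, payload, "not-the-password"))
```

The vulnerable path returns marty's row with a wrong password, while the parameterised path returns nothing because no user has the literal email marty@hello.world'--.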

Conclusion

In conclusion, authentication bypass and SQL injection are serious security vulnerabilities that can compromise the confidentiality and integrity of a website and put user data at risk. It is important for website owners and developers to be aware of these vulnerabilities and take appropriate measures to prevent them from being exploited. As users, it is important to be vigilant about the websites we interact with and report any suspicious activity to the website owners. By working together and taking proactive steps, we can create a safer and more secure cyber space.

Let's get in touch: add me on LinkedIn, or Instagram works too.
