SQL Injection Authentication Bypass With Burp
Burp is a tool that can be used in every web application penetration test to perform a variety of activities and to automate tasks.As a penetration tester you might want to test some things automatically and effectively because this will reduce the amount of time that you will spend on specific checks and it will give you more time to focus on the tricky parts of your assessment.One of the checks that you must do in a web application that contains a login form is to examine whether or not this form is vulnerable to SQL injection and if it is to try to bypass it and to login as administrator.
In order to bypass authentication in a form that is vulnerable to SQL injection vulnerability we will need to understand how the query has constructed and to append to this query the appropriate parameters.If we want to do a fast test before starting exploiting this manually we can use Burp intruder and a cheat sheet that has created for this purpose.Burp intruder will send HTTP requests by passing each parameter from this list to a specific position in the request.This method is going to be examined in this article and for the demonstration needs we will use the mutillidae as the target application which contains this vulnerability.
The first thing that we have to do in this situation is of course to discover if the login form is vulnerable.We can simply insert a single ‘ on the username field and then we must watch for the response.If the application returns an error like the one in the image below then it is likely to be vulnerable.
Then we must capture the HTTP request with Burp proxy and we should send this to Intruder.In the Intruder there are two things that we need to check.The first is the attack type and the second is the payload position.For the attack type the choice must be sniper because in this mode Burp Intruder will take a single input from a list that we will provide later and it will send this input on the position that we specify in the HTTP request (each input at a time).For the position we choose the field that is vulnerable (in this case the username).
Next thing to do is to set the payloads.As a payload type for this attack a simple list will used.So in the payload options we have to load our .txt list.
Now the attack is ready to be launched.Burp Intruder will start passing these parameters from the list to the payload position and from the payload position to the web application as an HTTP request.When this process finishes the successful payloads will have different status code as it can be seen from the next image.
Now we can go back to the application and to use one of the successful payloads in order to bypass the authentication and to login with admin privilleges to the application.
This was a simple tutorial that showed the major capabilities of Burp against web applications as we managed to logged into the application as admin.The cheat sheet about SQL injection authentication bypass that we used in this article has developed by Dr. Emin İslam TatlıIf and all the credits goes to him.If you want to use the list or to expand it you can find it here.