SQL Injection: Bypassing JavaScript Authentication


Hey Hackers! After a short break, I'm back with an interesting post, SQL Injection: Bypassing JavaScript Authentication. Recently I published a guide, How to become Web Programmer (Special beginners Guide). Thanks for your good response. So here we go with SQL Injection.


Requirements :

How to Bypass JavaScript Authentication to Inject SQL Commands :
  
You might not know that many websites use JavaScript to block SQL metacharacters such as the single quote, hyphen and percent sign (' - %). All of this can be bypassed using Firebug or Burp Suite (data tampering). So let's take one case and look at it in more depth. As a good learner, always use a pen-testing lab; here I'm using NOWASP Mutillidae.


  • Start Mutillidae, go to the login page and click Toggle Security. The security level changes to 1 (Arrogant), which is a little tougher; 0 means totally insecure and 5 is secure.

  • Now try to inject the simple SQL string ' or 1=1-- here. A JavaScript error pops up saying "Dangerous character detected". A little tough challenge for beginners.

Now use some logic. The web application's login page does not let anyone submit SQL statements that contain a single quote, hyphen and so on, because it is protected with JavaScript. Here is the flaw: the JavaScript protection only stops a user from sending a malicious string to the server through the client (the web browser), so the input is validated only as long as we stay inside the browser. What if we change the value after the input parameter leaves the browser (data tampering)? You can use Tamper Data or Burp Suite for this.

Using Burp Suite or Tamper Data to bypass JavaScript validation:


  • I'm using Tamper Data. Reload the login page.
  • Start Tamper Data [Start Tamper]. Enter any bogus credentials and click on login; Tamper Data will pop up asking whether to tamper. Click on Tamper and change the username and password parameter values to the SQL injection string.

You can also bypass JavaScript validation using Firebug or Burp Suite. This is the simple method used to bypass JavaScript validation. So here we hacked into Mutillidae using SQL injection on the second level of security.
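The server-side counterpart of the flaw described above, as an added example that is not from the original post or from Mutillidae: a login query built by string concatenation next to a parameterized one, both given the same string the post uses. The table, column and function names and the sample account are assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    # Plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('admin', 'constructed-sample-pw')")
    return db

def login_concatenated(db, username, password):
    # Weak: input is spliced into the SQL text, so a quote rewrites the query.
    sql = ("SELECT username FROM accounts WHERE username='" + username +
           "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    # Hardened: placeholders keep input as data, whatever characters it holds.
    row = db.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None

# The string from the post, as it reaches the server after being changed
# in transit. The browser-side JavaScript check never sees this value.
TAMPERED = "' or 1=1-- "

def compare():
    db = make_db()
    return {
        "concatenated": login_concatenated(db, TAMPERED, "x"),
        "parameterized": login_parameterized(db, TAMPERED, "x"),
        "legit": login_parameterized(db, "admin", "constructed-sample-pw"),
    }

if __name__ == "__main__":
    print(compare())
```

The concatenated query logs the request in without a password, while the parameterized query rejects it and still accepts the real credentials, so the check has to live on the server regardless of what the page's JavaScript does.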



Thank you for reading my post. If you have any doubts, feel free to comment and share your thoughts about it. You can also join my official Facebook page to get post updates directly in your news feed.
