GitBook: [#3208] No subject

This commit is contained in:
CPol 2022-05-17 08:41:30 +00:00 committed by gitbook-bot
parent 58dcfa7486
commit 8b93971883
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF

@ -26,7 +26,9 @@ If you find a login page, here you can find some techniques to try to bypass it:
* Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
* Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
* Nodejs will transform that payload to a query similar to the following one: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` which makes the password bit to be always true.
* Adding `"stringifyObjects":true` option when calling `mysql.createConnection` will eventually block all unexpected behaviours when `Object` is passed in the parameter.
* If you can send a JSON object you can send `"password":{"password": 1}` to bypass the login.
* Remember that to bypass this login you still need to **know and send a valid username**.
* **Adding `"stringifyObjects":true`** option when calling `mysql.createConnection` will eventually b**lock all unexpected behaviours when `Object` is passed** in the parameter.
* Check credentials:
* [**Default credentials**](../../generic-methodologies-and-resources/brute-force.md#default-credentials) of the technology/platform used
* **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
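Review bot: the `"stringifyObjects":true` mitigation is listed twice in this hunk, once as a plain bullet under the nodejs item and again six lines later with broken emphasis (`b**lock all unexpected behaviours when `Object` is passed**`), so one copy should be dropped and the surviving one should have its bold markers closed around whole words. The example query in the `Nodejs will transform that payload` bullet also carries a run of stray backtick pairs after `AND` that render as empty code spans; folding the whole statement into one code span (`... WHERE username='admin' AND password=password=1;`) would read cleanly. Lastly, the bullet attributes the rewrite to "Nodejs", while the linked write-up is about the mysqljs/mysql driver expanding an object value into `key = value` inside the query; naming the driver there makes clear why the `mysql.createConnection` option is the relevant fix.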