Webverselabs Gatekeeper Challenge SQLi
Summary:
Gatekeeper Corp presents a web application with a login portal vulnerable to SQL Injection Authentication Bypass. The login form fails to properly sanitize user input, allowing an attacker to manipulate the underlying SQL query and gain unauthorized access without valid credentials.
Solution:
If we visit the web app, we find a page that explains what Gatekeeper Corp is. We also find two endpoints: a Directory and a Login page. The Directory endpoint lists multiple email addresses; we will keep these in mind, as we might use them to brute force our way in if the web app doesn't implement any rate limiting.
Now if we try to log in, all credentials return the same response, "Invalid Creds", so we can't enumerate usernames this way.
Tried fuzzing for other endpoints, but I didn't find anything useful.
Now, the first thing I would think about when I see a login page is auth bypass via SQLi; I already have a section of payloads in my methodology that I can test.
==> Auth Bypass:
'OR 1 = 1 --
Adminstrator'OR 1 = 1 --
Admin'OR 1 = 1 --
Admin ' or '1' = '1 #
admin')-- -
Admin')-- -
Now let's first take a look at what the login request looks like, so we can try to brute force it with FFUF.
For the username wordlist I will use the payloads from the auth bypass section. (If the payloads don't work, try URL encoding them, although FFUF already does this by default for POST requests.) Make sure you include all the headers and filter out the 200 responses, so that only the redirect (which means the login succeeded) is shown.
Now we just choose any of these payloads to log in and we get our flag.
Just like that, we can completely bypass the login page.
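Why the bypass works and how it is fixed, as an added example that is not part of this writeup or the challenge's own code: a login check that splices the submitted email into the SQL text, beside the parameterised form that defeats the payloads listed above. It uses an in-memory SQLite table with a constructed sample user; the hashing is demo-only.

```python
import hashlib
import hmac
import sqlite3


def _hash(pw: str) -> str:
    # Demo-only hashing; a real app should use a slow password hash (argon2/bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not from the challenge.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice@example.com", _hash("s3cret")))
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Untrusted input is spliced straight into the SQL text. A quote in `email`
    # closes the string literal, "OR 1 = 1" makes the WHERE clause true for every
    # row, and the trailing "--" comments out the password check entirely.
    query = (
        f"SELECT pw_hash FROM users WHERE email = '{email}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    # Parameterised query: the driver passes the value separately from the SQL,
    # so quotes and comment markers in `email` are just characters in a string.
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the stored hash against the supplied password's hash.
    return hmac.compare_digest(row[0], _hash(password))


if __name__ == "__main__":
    db = build_db()
    payload = "'OR 1 = 1 --"  # first payload from the list above
    print("vulnerable:", vulnerable_login(db, payload, "anything"))  # True
    print("safe:      ", safe_login(db, payload, "anything"))        # False
```

The same shape of fix applies to any driver: keep the SQL as a fixed string and hand user-supplied values over as bound parameters, never by string formatting.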
Another fun challenge from Webverselabs , a great playground to freely test and explore Auth Bypass techniques via SQLi .