Login Form Bypass using Mantra Security Toolkit


Hi All,

In this tutorial we will try to bypass login form of vulnerable website using Mantra Security Toolkit

What all you need

1. Mantra Security Toolkit - Download

2. A vulnerable website. I'm using a modified version of LAMPSecurity CTF6


Let's begin,

Step 1:

I'm on the home page of the website now

http://192.168.132.128/

[Image: mantrasecuritytoolkit1.jpg]


Step 2:

Login form of the website

http://192.168.132.128/?action=login

[Image: mantrasecuritytoolkit2.jpg]


Step 3:

Now we will test the input forms against SQL injection. For that we can use SQL Inject Me tool. It can be launched from Tools > SQL Inject Me > Open SQL Inject Me Sidebar

[Image: mantrasecuritytoolkit3.jpg]


Step 4:

You can see SQL Inject Me sidebar on the right

[Image: mantrasecuritytoolkit4.jpg]


Step 5:

I'm checking all the fields to test.

[Image: mantrasecuritytoolkit5.jpg]


Step 6:

I clicked on "Test all forms with all attacks"

[Image: mantrasecuritytoolkit6.jpg]


Step 7:

Test results says that none of the fields are vulnerable to SQL injection attack. So its confirmed that the website is sanitizing the input

[Image: mantrasecuritytoolkit7.jpg]



Step 8:

Now we will try to see what type of sanitizing mechanism the website is employed. For that we will use Firebug. It can be launched by going to Tools > Firebug > Open Firebug

[Image: mantrasecuritytoolkit9.jpg]



Step 9:

Now that firebug is open. I'm enabling Inspect mode of Firebug clicking on the inspect icon (second one) on the top left corner.

[Image: mantrasecuritytoolkit10.jpg]



Step 10:

I clicked on the login from and Firebug highlighted respective source code. It shows that some type of local JavaScript is used to sanitize the input.

[Image: mantrasecuritytoolkit11.jpg]



Step 11:

For bypassing it, we will use Live HTTP Headers. It can be launched either from sidebar or by going to Tools > Live HTTP Headers

[Image: mantrasecuritytoolkit12.jpg]



Step 12:

Now you can see Live HTTP Headers. The Capture check box must be checked.

[Image: mantrasecuritytoolkit13.jpg]



Step 13:

I went back to the login from and entered some sample values there and pressed on Log In

[Image: mantrasecuritytoolkit14.jpg]


Step 14:

Now I again went back to Live HTTP Headers. We can clearly see that it captured the session.

[Image: mantrasecuritytoolkit15.jpg]



Step 15:

I scrolled it up to find the username, password data field. I clicked on it and pressed on Replay button

[Image: mantrasecuritytoolkit16.jpg]



Step 16:

I'm changing the value little bit to bypass the authentication and clicking on Replay button

[Image: mantrasecuritytoolkit17.jpg]


Step 17:
hmmm. I got an error message. Looks like I should modify the injected code.

[Image: mantrasecuritytoolkit18.jpg]

Step 18:

I modified the code

[Image: mantrasecuritytoolkit19.jpg]


Step 19:

No luck

[Image: mantrasecuritytoolkit20.jpg]


Step 18:

I changed the value again and pressed on Replay button

[Image: mantrasecuritytoolkit21.jpg]


Step 19:

Voila. I'm successfully authenticated.

[Image: mantrasecuritytoolkit22.jpg]


Step 20:

Now that I have got admin access

[Image: mantrasecuritytoolkit23.jpg]

If you wish to completely root the whole server, you can go to this post and follow steps from step 24

Post a Comment

Previous Post Next Post