GitBook: [#3208] No subject

2024-11-15 01:17:36 +00:00 · 2022-05-17 08:41:30 +00:00 · 2022-05-17 08:41:30 +00:00 · 8b93971883
commit 8b93971883
parent 58dcfa7486
1 changed files with 3 additions and 1 deletions
--- a/pentesting-web/login-bypass/README.md
+++ b/pentesting-web/login-bypass/README.md
@ -26,7 +26,9 @@ If you find a login page, here you can find some techniques to try to bypass it:
 * Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
 * Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
  * Nodejs will transform that payload to a query similar to the following one: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` which makes the password bit to be always true.
-  * Adding `"stringifyObjects":true` option when calling `mysql.createConnection` will eventually block all unexpected behaviours when `Object` is passed in the parameter.
+  * If you can send a JSON object you can send `"password":{"password": 1}` to bypass the login.
+  * Remember that to bypass this login you still need to **know and send a valid username**.
+  * **Adding `"stringifyObjects":true`** option when calling `mysql.createConnection` will eventually b**lock all unexpected behaviours when `Object` is passed** in the parameter.
 * Check credentials:
  * [**Default credentials**](../../generic-methodologies-and-resources/brute-force.md#default-credentials) of the technology/platform used
  * **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).