Thread: Bypass web logon pages

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Bypass web logon pages

    Hi, I was wondering if there are ways to bypass web logons. I've tried hydra and can crack the user/pass but if it's not a basic pair it would be difficult. I'm trying to target php and asp pages.
    Any ideas?
    Thanks

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Re: Bypass web logon pages

    Normally in this situation injection or XSS is used to either add a user to the database or (in the case of MSSQL) spawn an xp command shell.

  3. #3
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Re: Bypass web logon pages

    "K Menu, Backtrack, Web Application Analysis, Database (Backend)", the programs that follow will aid you in your quest, learn a little about them.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Re: Bypass web logon pages

    Originally posted by pigtail:
    > Hi, I was wondering if there are ways to bypass web logons.

    Yes.

    > I've tried hydra and can crack the user/pass but if it's not a basic pair it would be difficult. I'm trying to target php and asp pages.
    > Any ideas.

    My idea is that you're trying to do something for which you do not have the necessary information.

    1) Go learn how HTTP/HTTPS work.
    2) Learn how HTML works.
    3) Learn how browsers work.
    4) Learn how databases, LDAP, and other information stores and authentication mechanisms work.
    5) Do some reading over at OWASP.
    6) etc.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Re: Bypass web logon pages

    5) Do some reading over at OWASP.
    "Blind Xpath injection attack"
    XPath is a type of query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL). However, XPath can be used to reference almost any part of any XML document without access control restrictions, whereas with SQL, a "user" (which is a term undefined in the XPath/XML context) may be restricted to certain tables, columns or queries.

    More information may be found in the article dedicated to XPATH Injection. Using an XPATH Injection attack the attacker is able to log in to the system without entering valid login and password. If he wants to know information about other users he must take one step further. When conducting a Blind XPath Injection attack, the attacker has no knowledge about the structure of the XML document. However his situation is better compared to Blind SQL Injection, because there are functions which allow for performing tests (XML Crawling) and in the end getting to know the document structure.

    Risk Factors
    TBD




    Examples
    The attacker may be successful using two methods: Boolenization and XML Crawling. By adding to the XPath syntax, the attacker uses additional expressions (replacing what the attacker entered in the place of login to the specially crafted expression).
    now just have to learn html and other web langs
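
A defensive counterpart to the XPath injection passage quoted in post #5, added here as an example and not part of the thread or of the OWASP text: a login check against an XML user store that never builds an XPath expression from form input. The XML layout and the names `USERS_XML`, `pw_hash` and `authenticate` are assumptions made for the illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET


def pw_hash(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256, hex-encoded (iteration count kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


# Constructed sample user store; logins, salts and passwords are made up.
USERS_XML = f"""
<users>
  <user><login>alice</login><salt>a1b2c3d4</salt>
        <hash>{pw_hash("correct horse", bytes.fromhex("a1b2c3d4"))}</hash></user>
  <user><login>bob</login><salt>0f1e2d3c</salt>
        <hash>{pw_hash("battery staple", bytes.fromhex("0f1e2d3c"))}</hash></user>
</users>
"""
ROOT = ET.fromstring(USERS_XML.strip())


def authenticate(root: ET.Element, login: str, password: str) -> bool:
    """Return True only for an exact login match with the right password."""
    match = None
    # The XPath is a constant: no user input is ever spliced into it, so
    # quotes or XPath operators typed into the form stay plain data.
    for user in root.findall("./user"):
        stored = user.findtext("login", default="")
        if hmac.compare_digest(stored.encode(), login.encode()):
            match = user
    if match is None:
        return False
    salt = bytes.fromhex(match.findtext("salt", default=""))
    expected = match.findtext("hash", default="")
    return hmac.compare_digest(pw_hash(password, salt), expected)


if __name__ == "__main__":
    print(authenticate(ROOT, "alice", "correct horse"))   # valid pair
    print(authenticate(ROOT, "alice", "wrong password"))  # bad password
    # Constructed input with quote characters: treated as a literal login name.
    print(authenticate(ROOT, "alice' or '1'='1", "anything"))
```

Where the lookup has to stay in XPath, the same principle applies through the library's variable binding instead of string concatenation.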

  6. #6
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Re: Bypass web logon pages

    Thanks for the pointers, you lot
    Checked out OWASP site, read up about the different attack vectors (nice site)... got some googling to do.
