The idea for this post is from a CTF challenge on root-me.org.
I will not be sharing information about how one will reach on this state as I wouldn't like to spoil the fun on it.
The initial page that the user will see after proceeding in the challenge will be the following:
With no apparent information about the login, trying with 'abc' as username and password will give the following result:
It's clear that there is some filtering implemented that are blocking some characters.
The first thing is to identify which characters are allowed. This can be done on Burp using intruder.
Intercept your login request and pass it to intruder as shown below:
On the intruder tab select sub-tab 'Positions' and clear all selections. Select the 'abc' value on the log= and add it as payload position.
Browse to the sub tab, select Payload set 1, Payload type 'List' and populate the list with. Simply use a notepad and input all possible characters one by one. I used a notepad and copy paste the entries on Burp.
Start the attack and observe the results.
The next step will be to exclude these bad characters and keep the valid ones. One can choose to select all remaining characters or limit the set to specific ones.
References: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/, http://www.lifeoverpentest.com/2018/03/sql-injection-login-bypass-cheat-sheet.html .
From the links above the set of 19 characters could be reduced to 6, which are the followings, "# ( | ' / 1" . The rest characters that are valid as possible entries have no value to as for a potential auth bypass.
To create an iteration of these values in the intruder, change the payload type to 'Custom iterator' and paste the values.
As we don't know how many characters will be needed for the attack we can start with 2 positions and increase them adding the same values to each position.
Start the attack and check on the output. If you don't see it successful, try adjusting the Position count by increasing it and repeating the values.
In these case you are creating random values with all 6 characters which are used as attack patterns.
For our attack on the specific environment a value of length 5 was the one that was successful.
This can be seen on intruder on the following way:
The login request that is created with payload '||1# is giving a 302 redirect.
Trying the value on the web page itself,
Will allow us to bypass authentication and login on the portal.