
Natas Level 14 Writeup: SQL Injection

1. Objective

Find the password for natas level 15.

URL: http://natas14.natas.labs.overthewire.org


2. Introduction

After opening the webpage, we see a login form. We need to get the correct credentials or somehow bypass the login page in order to proceed to the next level.


3. Exploration

Clicking on the "View sourcecode" link, we are able to view the logic of the server-side code.

The following code snippet is used to query the database to check whether the username and password are valid:

	$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";

However, we immediately notice that the input is not sanitized and is used directly in the query via string concatenation. This shows us that there is potential for SQL injection.

    SQL injection is a cyber attack that exploits vulnerabilities in web applications by injecting malicious SQL code through user-input fields. This occurs when applications fail to properly validate or sanitize user-provided data before incorporating it into SQL queries. By manipulating input, attackers can trick the application into executing unintended SQL commands, with the primary objective of gaining unauthorized access to databases. SQL injection attacks may lead to unauthorized data access, modification, or deletion, making it crucial for developers to implement robust input validation, sanitation, and parameterized queries to mitigate the risks associated with this security threat.

4. Exploit

Going back to the input form, we can enter a double quotation mark in the username field to see how the application reacts.

We get an error, which confirms that our input reaches the query unescaped, so we can proceed to crafting an SQL statement that will always be true and thereby bypass the login logic.

	user" or 1=1 -- -

  • The double quote (") closes the SQL string literal that the query opened around the username.
  • "or 1=1" is a condition that always evaluates to true, so the WHERE clause matches every row and any user authentication is effectively bypassed.
  • The double hyphen (--) is the SQL comment syntax: anything after it is treated as a comment and ignored by the SQL engine, which nullifies the remainder of the original query (the closing quote and the password check) and prevents syntax errors.
  • The double hyphen must be followed by a space to ensure proper comment syntax; the trailing "-" (giving "-- -") keeps that space intact and avoids issues if the injected code is followed by other SQL code.
  • This injection technique is a classic example of SQL injection for unauthorized access.

5. Success

After submitting the query, we are presented with the password for the next level.


6. Prevention

It is important to validate user input before using it in server-side code, and to keep user-supplied values out of the SQL text itself, as this prevents vulnerabilities like the one in this level.

Below is a sample of PHP code that can be considered secure enough to prevent SQLi attacks like the one we have seen in this level:

    <?php
    // Connection details: replace the placeholders with real values.
    $host = 'your_database_host';
    $dbname = 'your_database_name';
    $username = 'your_database_username';
    $password = 'your_database_password';

    $pdo = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);

    // Named placeholders instead of string concatenation: the user-supplied
    // values are sent to the database separately from the SQL text, so quote
    // characters and comment markers in the input are treated as plain data.
    $query = "SELECT * FROM users WHERE username = :username AND password = :password";
    $statement = $pdo->prepare($query);
    $statement->bindParam(':username', $_REQUEST['username']);
    $statement->bindParam(':password', $_REQUEST['password']);
    $statement->execute();

    $result = $statement->fetchAll(PDO::FETCH_ASSOC);
    if (!empty($result)) { echo "Success"; } else { echo "Failed"; }
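To show the difference between the concatenated query from section 3 and the prepared statement above side by side, here is an added Python example (not code from the level or from this post) that runs both against a constructed in-memory SQLite table. SQLite parses double-quoted strings as identifiers, so the demo builds the vulnerable query with single quotes and uses the single-quote form of the section 4 payload; the injection mechanism is otherwise identical.

```python
import sqlite3

# Constructed sample users (not Natas data). The plaintext password column
# mirrors the level's own query, which compares passwords directly.
SAMPLE_USERS = [("alice", "Wonderland1"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the query is built by string concatenation, like the
    level's PHP. Single quotes are used because SQLite treats double-quoted
    strings as identifiers; the flaw is the same either way."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_prepared(conn, username, password):
    """Safe: the values travel separately from the SQL text, so quote
    characters and comment markers in the input are just data."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Return (rows from the vulnerable login, rows from the safe login)
    for the same tautology payload and a bogus password."""
    conn = make_db()
    payload = "user' or 1=1 -- -"   # single-quote form of the level's payload
    rows_vuln = login_concat(conn, payload, "anything")
    rows_safe = login_prepared(conn, payload, "anything")
    return len(rows_vuln), len(rows_safe)


if __name__ == "__main__":
    vuln, safe = demo()
    print(f"concatenated query matched {vuln} rows, prepared query matched {safe}")
```

The comment marker swallows the closing quote and the password check in the concatenated version, so every row matches; the prepared version looks for a literal username containing the payload and finds nothing.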
