
Natas Level 15 Writeup: Blind SQLi

1. Objective

Find the password for natas level 16.

URL: http://natas15.natas.labs.overthewire.org


2. Introduction

After opening the webpage, we see a search form. The website allows us to search for users and responds with either "This user doesn't exist" or "This user exists", depending on whether the user was found.

[Screenshot: the user search form with "natas16" entered in the username field]

3. Exploration

Clicking on the View source code link, we are able to view the logic of the server-side code.

The following code snippet shows that the provided username is searched for in the database and the corresponding result is returned.

    // The username taken from the request is concatenated straight into the SQL text
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    // $link is the database connection opened earlier in the level's source
    $res = mysqli_query($link, $query);
    if(mysqli_num_rows($res) > 0) {
        echo "This user exists.";
    }
    else {
        echo "This user doesn't exist.";
    }

Just like in natas 15, we immediately notice that the input is not being sanitized and is being used directly in the query via string concatenation. This means there is an SQLi vulnerability here.

4. Exploit

Going back to the input form, we can enter a double quotation mark in the username field to verify the conclusion above.



To make our work slightly easier, we are going to switch over to Burp Suite. You can download Burp Suite from here: https://portswigger.net/burp/communitydownload.

After opening Burp and configuring it (How to configure Burp Suite), submit a request. The request will show up in the HTTP History tab under Proxy. Right-click it and select Send to Repeater.


Let's craft a query that always returns true to see if we will get the expected result.

 natas16"+AND+1=1--+- 

This works.

Let's try to craft an SQL statement that will allow us to get the password of natas 16. The resulting payload looks like this:

 
username=natas16"+AND+ASCII(SUBSTRING(password,1,1))=ASCII("A")--+-

This payload does the following:

  • Checks whether the first character of the password is equal to A.
  • Doing SUBSTRING(password,1,1)="A" would not work, as that comparison returns true for both capital and small A (A and a); comparing the ASCII codes instead makes the check case-sensitive.
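As an added illustration that is not code from the level or from this writeup, the following Python script models the query above with an in-memory SQLite table. It shows the concatenated query accepting the tautology and the boolean probes from this section, shows why a plain string comparison ignores case while a code-point comparison does not, and shows a parameterised query treating the same inputs as literal usernames, which is the fix for the vulnerability. Assumptions: the table layout and the placeholder password are constructed; single quotes are used because SQLite reads double quotes as identifiers; `COLLATE NOCASE` and `unicode()` stand in for MySQL's default case-insensitive collation and its `ASCII()` function.

```python
import sqlite3

# Constructed stand-in for the level's users table. The password is a made-up
# placeholder, not a real Natas password.
FAKE_PASSWORD = "Tq3constructedvalue"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("natas16", FAKE_PASSWORD), ("alice", "irrelevant")],
    )
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    # Same construction as the level's PHP: the untrusted value is glued into
    # the SQL text, so quotes and comment markers inside it become SQL syntax.
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return len(conn.execute(query).fetchall()) > 0


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    # Parameterised query: the value is bound after the statement is parsed,
    # so it can only ever be compared as a username, never run as SQL.
    query = "SELECT * FROM users WHERE username=?"
    return len(conn.execute(query, (username,)).fetchall()) > 0


def demo() -> dict:
    conn = make_db()
    tautology = "nobody' OR 1=1-- -"
    # Boolean probes in the style of the writeup. SQLite compares strings
    # case-sensitively by default, so COLLATE NOCASE is added to model MySQL's
    # default case-insensitive collation (an assumption about the level's
    # database). unicode() is SQLite's counterpart of MySQL's ASCII(): it
    # compares code points, which is inherently case-sensitive.
    string_probe_lower = "natas16' AND substr(password,1,1)='t' COLLATE NOCASE-- -"
    codepoint_probe_lower = "natas16' AND unicode(substr(password,1,1))=unicode('t')-- -"
    codepoint_probe_upper = "natas16' AND unicode(substr(password,1,1))=unicode('T')-- -"
    return {
        "vuln_tautology": user_exists_vulnerable(conn, tautology),
        "safe_tautology": user_exists_safe(conn, tautology),
        # 't' matches the leading 'T' when collation ignores case
        "vuln_string_probe_lower": user_exists_vulnerable(conn, string_probe_lower),
        # code-point comparison distinguishes 't' from 'T'
        "vuln_codepoint_probe_lower": user_exists_vulnerable(conn, codepoint_probe_lower),
        "vuln_codepoint_probe_upper": user_exists_vulnerable(conn, codepoint_probe_upper),
        # the same probe is just an unknown username for the parameterised query
        "safe_codepoint_probe_upper": user_exists_safe(conn, codepoint_probe_upper),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The interesting pair is `vuln_string_probe_lower` (true, because the collation folds case) against `vuln_codepoint_probe_lower` (false), which is exactly why the writeup compares `ASCII()` values rather than characters; and every `safe_*` entry is false because the bound parameter never reaches the SQL parser.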



We get the response "This user doesn't exist.", which means the password does not begin with A.

After a couple of tries we get to the letter T, and this returns a successful result.

The password begins with the letter T. 

Inferring from previous levels, we can safely conclude that the password has 32 characters consisting of letters and numbers. Repeating this 32 times with 62 possible values for each character would be quite tedious.

We will be using Intruder to help us with this task. Right-click inside the section with the request and select Send to Intruder.

 

 

Use the following steps to get Intruder working.

  • Set the attack type to Cluster bomb.
  • On the right side of the screen, click Clear § to remove any payload markers that were placed automatically.
  • Highlight the second argument of SUBSTRING (the character position) and click Add §.
  • Highlight the letter inside the ASCII function (in our case T) and click Add §.

  • Select Payloads in the sub menu at the top.
  • There will be two payload sets, one for each position added in the Positions tab.
  • Payload set 1
    • Make sure the payload set is set to 1.
    • Under payload type select Numbers.
    • Under payload settings:
      • Enter 2 in the From field (we already have the first character).
      • Enter 32 in the To field.
  • Payload set 2
    • Go back to the top and change the payload set to 2.
    • Leave the payload type as Simple list.
    • Under payload settings, we will use the values below (one entry per possible character, i.e. the letters and digits the password can contain). You can save them in a file and click the Load button on the left side of payload settings to load the file.
    • Entering each value in the Enter a new item field and clicking Add will also work, but that is not necessary.

  • In the top sub menu select Settings.
  • Scroll down to the Grep - Match section.
  • On the left side, click Clear to remove all the values that were added automatically.
  • In the text box below, type This user exists.
  • This is the value we need to look for in a successful attempt.

  • Click Start attack to start Intruder.
  • If you are using Burp Community Edition, you will get a popup saying that some features are disabled. Just click OK to proceed.

  • After the attack starts, click the "This user exists" column header twice to sort the results in descending order by whether the phrase was found. This puts all successful results at the top, making it easier to pick out the characters we need.
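Seen from the server side, the Intruder run above produces a burst of near-identical requests from one address that differ only in the SUBSTRING position and the compared character, which is what makes this kind of blind probing easy to spot in logs. The following Python snippet is an added example, not part of this writeup, that scans constructed Apache-style access log lines for that pattern and reports source addresses that exceed a threshold. It assumes the probes were sent as GET requests (the level's `$_REQUEST` accepts either method, and POST bodies do not appear in a standard access log), and the addresses, timestamps and lines are all constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-style access log lines; not real server logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?username=natas16 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?username=natas16%22+AND+ASCII%28SUBSTRING%28password%2C1%2C1%29%29%3D65--+- HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?username=natas16%22+AND+ASCII%28SUBSTRING%28password%2C1%2C1%29%29%3D66--+- HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?username=alice HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?username=natas16%22+AND+1%3D1--+- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?username=natas16%22+AND+ASCII%28SUBSTRING%28password%2C1%2C1%29%29%3D84--+- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?username=natas16%22+AND+ASCII%28SUBSTRING%28password%2C2%2C1%29%29%3D48--+- HTTP/1.1" 200 498
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

# Indicators of the boolean-probe shape used in this level: a quote that
# breaks out of the string literal followed by AND, an ASCII(SUBSTRING( or
# SUBSTRING(col,pos,len) comparison, and a trailing SQL comment.
PROBE_MARKERS = [
    re.compile(r'["\']\s*AND\b', re.I),
    re.compile(r'ASCII\s*\(\s*SUBSTRING\s*\(', re.I),
    re.compile(r'SUBSTRING\s*\(\s*\w+\s*,\s*\d+\s*,\s*\d+\s*\)', re.I),
    re.compile(r'--\s*-?\s*$'),
]


def classify(path: str) -> list:
    """Return the indices of PROBE_MARKERS found in the URL-decoded request path."""
    decoded = unquote_plus(path)
    return [i for i, rx in enumerate(PROBE_MARKERS) if rx.search(decoded)]


def analyse(log_text: str, threshold: int = 3) -> dict:
    """Count suspicious requests per source IP; return those at or above threshold.

    A request is counted when at least two independent markers fire, which
    keeps a lone quote or a lone double dash in a legitimate username from
    producing an alert on its own.
    """
    flagged = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if len(classify(m["path"])) >= 2:
            flagged[m["ip"]] += 1
    return {ip: n for ip, n in flagged.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {n} blind-SQLi style probes")
```

With the constructed sample, `10.0.0.9` is reported with four probes, while the single tautology request from `10.0.0.7` is counted but stays below the threshold; the threshold and window are deliberately simple and would be tuned to the site's normal traffic in practice.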

 

5. Bonus 

A problem I noticed with Intruder is that even if the correct letter is found, it will still check the other possible characters for the same position. I am yet to find if it is possible to skip a certain iteration once the correct character is found. If any of you have a solution let me know in the comments.

As burp was running, I decided to write a python script that was slightly more efficient in the way it searched for characters. Here is what I have:


You are going to need to install requests to run the script.

    pip install requests

 

6. Success

You now have the password for natas 16. You can progress to the next level.

If you used Burp Suite:

[Screenshot of the Intruder results]

If you used my script:

[Screenshot of the script output]

Use the password to proceed to the next level.

TRD7iZrd5gATjj9PkPEuaOlfEjHqj32V
