Natas · OverTheWire

Natas Level 27 → Level 28

Level 27

Username : natas27
Password :55TBjpPZUUJgVP5b3BnbG6ON9uDPVzCJ


To solve this level, we first log into the natas27 application using the credentials provided above.


7-12-2017 2-30-41 PM.png

As we can see, the application presents us with a login form, however, this is unlike most of the login forms as it creates a new user if the user doesnt already exist in the table. Let’s look at the source code of the application.

7-12-2017 2-34-40 PM.png

The application uses the following functions:

createUser($link, $usr, $pass)

The application also provides with the MySQL statement that was used to create the table. The application flow is as follows:

If Username and Password exist:
    If the user exists in the table:
        If password matches with the user's password:
            Dump user data.
            echo "Wrong password".
        Create the user with the password provided.
    Display the form.

To solve this round, I went down several rabbit holes trying to find SQL Injection as my mind was fixated on it. Responses from Stack Overflow did not prod me in the right direction either as answers like the ones here kept me moving on the wrong path.

After some deliberation, I noticed that the MySQL table has 64 character fields. In an effort to understand what happens if the characters provided are more than 64, I created a user ‘natas28’ and appended 64 trailing spaces and another character in the end. The application creates a new user. According to the MySQL documentation here, For VARCHAR columns, trailing spaces in excess of the column length are truncated prior to insertion and a warning is generated, regardless of the SQL mode in use. Therefore, when the application first checks if the user is a validUser or not, the check returns false as natas28 is not equal to natas28 with 64 trailing spaces and a character and thus creates a new user. The application stores a new user with username ” natas28 and 57 trailing spaces ” as the maximum character count is 64.

To dump the user data the application uses mysql_fetch_assoc(), this function returns all the usernames which contain natas28 and checks it anyone of them has the password that we set for ” natas28 with 64 trailing spaces and a character “. MySQL checks this with “natas28″ as the username and our password. When the data is dumped, all the rows associated with ” natas28 ” as the username get dumped.

7-13-2017 1-38-44 PM.png

7-13-2017 1-39-09 PM.png

Level 28

Username : natas28
Password : JWwR438wkgTsNKBbcJoowyysdM82YjeF

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s