Natas Level 14 → Level 15

The page contain a username and a password to be able to login. Looking at the source code, we can see that the username and password will be use as part of the sql query to obtain the authentication.

<? 
if(array_key_exists("username", $_REQUEST)) { 
 $link = mysql_connect('localhost', 'natas14', '<censored>'); 
 mysql_select_db('natas14', $link); 
 
 $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\""; 
 if(array_key_exists("debug", $_GET)) { 
 echo "Executing query: $query<br>"; 
 } 

 if(mysql_num_rows(mysql_query($query, $link)) > 0) { 
 echo "Successful login! The password for natas15 is <censored><br>"; 
 } else { 
 echo "Access denied!<br>"; 
 } 
 mysql_close($link); 
} else { 
?>

We see that the first if statement check if the username exists, if so, create connection $link using mysql_connect to database natas14.

Next, the $query is constructed our of username and the password. However, the if statement under that said if there is a “debug” in our $_GET, the $query will be echo.

Lastly, it will check if the $query and the $link return more than 0 rows. If so, we get the password, otherwise, access is denied.

The key is to get the query return at least 1 row but we could return as many as we want. Let’s use the debug feature to see what the query looks like by supplying the following url.

http://natas14.natas.labs.overthewire.org/index.php?username=user&password=password&debug
Executing query: SELECT * from users where username="user" and password="password"
Access denied!
We can see that what we input in the username and password field is being use as the input for the query. A classic SQL injection is to finish the double quote and add something that is always true and match the closing double quote. Since we surrounded by double quotes, we could use something that will produce a query like this:
SELECT * from users where username="" or ""="" and password="" or ""=""
Comparing the two queries, the username and password provided in the form is shown below to match the double quote that used in the query while create an always true query.
" or ""="
After we input and hit login, the next password is shown with a successful login message.
AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

Additional resources:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s