sqlmap ---Write up for natas15

Problem: find the password of natas16.



 Tools: sqlmap

 The url of this problem is 'http://natas15.natas.labs.overthewire.org/'

 Step 1: view the source code
Before view the source code, it looks like an SQL injection, I tried SQL injection, it only returns the user exists.



View the source code.

In the code, we found the reason why it just returns exist or not, and there is no code would show the password, so that SQL injection will not work.

However, the code also give us some hint, there is a table names 'users' which contains password.


Step 2: Find the SQL vulnerability of the website: 

Let's say that you are auditing web application and found web page that accepts dynamic user provided values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value. You now want to test if these are affected by an SQL injection vulnerability, and if so, exploit them to retrieve as much information as possible out of the web application's back-end database management system or even be able to access the underlying system and operating system.

When we type the username as '1' in the input box, it actually executed :

http://natas15.natas.labs.overthewire.org/index.php?username=1 

Step 3: make use of sqlmap

some simple usage of sqlmap:
  • '-u' means 'url'
  • '-D' means 'database'
  • '-T' means 'table'
we know the url is "http://natas15.natas.labs.overthewire.org/index.php?username=1"
and the table is 'user',
we construct the command as below:

sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php?username=1" -T users 

When we run this in kali, we found that we didn't get authorized, I realized that only we log in, can we get into the challenge.


Step 4: construct the request as a file.
Fortunately, sqlmap has a parameter '-r' which is used to load HTTP request from a file. 
Then we launch a request and inspect the raw data.



Copy the raw data in a file named '1.txt'.

Step 5: run sqlmap to get all the passwords
find the database 

sqlmap -r 1.txt  —dbs 


 We can find there are two databases in the back-end server, information_schema and natas15.

 Next we construct a command to get the information in database 'natas15' and table 'users'

sqlmap -r 1.txt --dump -D natas15 -T users

 
Luckily we get the password of natas16! 😜


Popular posts from this blog

Phonebook - Hack the box Write up -- Web LDAP injection

Image
 0x00 Problem  0x01 Check the vulnerability When we see the login form on the website, it might be command injection, SQL injection, LDAP injection.  We can see that this need us to login with workstation username, it might be LDAP injection. 0x02 LDAP injection payload Here is the basic LDAP injection payload. We can check the vulnerability. user=*)(& password=*)(& --> (&(user=*)(&)(password=*)(&))  After we type it, we found the response shows successful, and return a page has search box. Then we type a character in the search box, and it returns some user phonebook information. I tried 'flag', 'HTB', it doesn't find any results. Then we try to find user 'Reese', but the information doesn't look like flag.   0x03 Locate the flag  Then we change our payload to check if the password is the flag. user=Reese password=HTB*)(& --> (&(user=Reese)(password=HTB*)(&  It can also return to the search page which means it...
Read more

wafwaf -- Hack The Box -- Web SQL injection

Image
0x00 Problem 0x01 Check the Source Code We open the website and only see the source code on the website. As we can see, there is a WAF will filter some characters and words, that means the normal injection will not work. However, we can see, there is a json_decode() function will decode JSON data, that means the data can be accepted should be JSON format.  The example JSON format data is like: /u0074, /u0075. In addition, there is a "php://input",  accesses the read-only stream of the requested raw data, executing the data in the post request as PHP code. 0x02 Local Test We can launch an Apache server to test it. I copy the source code and make a little change to test this. This file is in /var/www/html. We will construct the data first. This time I use 'select' as an example. The word transfer to ASCII, then to hex, then replace the '\0x' as '\u00'. This can be test in the browser console. At the end, we can test it with curl . As we can see, the SQL...
Read more

Cheat sheet for security+

Image
Malware virus: need people action to execute and spread. Hoax: trick the victim to infect, like game. worms: spread and execute without humman  trojans: can get remote control. RAT(remote access Trojan) ransomware: take control of your computer system, pay for unlock, most time will not unlock if you pay spyware: audit the callender, website history and other actions. rootkit: a type of backdoor, software design to administrative level control or root priviledge without detection. use DLL injection. malicious code inserted into a running process or kernel-mode device drvier. intercept calls and redirect to the malicous code. spam: CAN-Spam Act law to stop relaying send out email through other's mail server. Spim(instant message) like chat, text message.
Read more