Python Web Hacking: BLIND SQL Injection | Natas: OverTheWire (Level 15)

John Hammond · Intermediate · 🔐 Cybersecurity · 8y ago

Key Takeaways

Demonstrates a blind SQL injection attack on a PHP application in a Natas challenge

Full Transcript

Hey, what's up YouTube? This is John Hammond and in this video we're looking at Natas level 15 from OverTheWire. So this level, uh, we just got the password for Natas level 15, so we can use the same Python script we've been using to get the web page and see what we're actually working with here. And, uh, when we're looking at the web page source, the HTML here, we have a form that goes to index.php. It's another POST request, um, with the username that we can fill out. That looks like the only field here, and the submit button goes to "Check existence." So, uh, maybe it's just trying to determine whether or not a user exists. We can go ahead and take a look at the source code here by going to that view-source or index-source page. We'll go ahead and desanitize some of these, and let's remove all these break tags here because they're getting in the way. So now we've got the page source here and we can see the PHP code. Looks like it gives us a schema, a little bit of the database, like okay, we have a users table with the username and password, uh, just in there, and we're determining if the array key "username" exists in the request. So okay, if we actually posted the form and that username is present, we connect to the database with the censored password, select the database, and the query that we're running is SELECT * FROM users WHERE username, again, concatenated in. So, pretty obvious SQL injection there. Um, and we get the debug query again if we want to take a look at it. And we get the query results, and if we have a result one way or another, it tells us this user exists, or this user doesn't exist, or there's an error in the query. Okay. Um, so we don't actually get to know any information. We don't actually log in or anything. Really just determining, uh, a binary kind of a yes or no: does this user exist? Does this user not exist? Um, so let's go ahead and play with this.
Let's go ahead and change this to a POST request and let's go to the original web page, not the source anymore. Um, let's actually take the source though and just put it in a new pane in case we want it later on. And let's go ahead and post with the data keyword argument having username, and let's say, like, "John" just to test that stuff out. I'm going to assume user doesn't exist. Okay, man, I missed my opportunity to use, like, "username subscribe" or something. Dang it. All right. But, uh, natas16, so the next level here, it looks like we can assume that user probably will exist. Okay. Yeah, that user does exist. So we want, from the database here, we want to be able to find the user where the username is equal to natas16 and we want to somehow leak out their password. Um, but we can't do SQL injection like we've done before because we're not logging into anything. We don't have explicit SQL injection, so we can't see some of the results. We can only determine whether or not a yes or a no, a user exists or the user doesn't exist. So now we can get into a tactic called blind SQL injection. So blind SQL injection means we're probably going to have to leak out data, like, byte by byte or character by character, um, because we can't explicitly see a result. But we can figure out some data by testing other characters over and over again until we get one that matches. So we can determine, through that yes-or-no determination of whether a user exists or does not exist, if we're on the correct character or not. And because we have our SQL injection, we know we can have a valid query if we really wanted to. So let's change this username to be able to use the, uh, double quote here. And we can comment this out and we'll still get "user exists," right? If we had, um, AND 1=2, we can get this to be an invalid statement; that user doesn't exist because one does not equal two. An AND statement ruins that. But that AND condition, because we're using our SQL injection, lets us do more here.
We can test AND the password is equal to something, right? We don't know what the password actually is, so we can't use equal to, but we can try and figure out what the password is LIKE. And with that we can start to iterate through possible characters, like maybe any possible thing: a letter or, uh, an uppercase letter, a lowercase letter, or a number, like the typical style we've seen in all the other Natas passwords. We can figure out if the password contains those characters and we can leak out, like, character by character what that password is. So we can do that with the SQL LIKE statement and we can determine if it's like anything, right? The anything character, or the wildcard character, in a SQL LIKE statement is a percent sign. So we can say AND password LIKE anything with the wildcard; that will return true, right, the user exists, because that wildcard will match anything. But if we had the password LIKE the word "anything" or "who knows," right, we don't know the password, then that user doesn't exist, because that LIKE isn't going to work for us, because there, uh, that wildcard isn't affecting it and it's not matching anything. It's matching only "who knows" and the password obviously isn't that. So we can actually take advantage of this, though. We can start to loop through all the possible characters, or what could be part of the password. So let's go ahead and grab those things, um, from string import *. So we can say characters that we want to look through can equal lowercase, that we've got from the string module up here, um, and uppercase, that we've got from the string module above, and digits. So all of these variables exist in that string module. But if we're seeing them, seeing the characters that we put together, now we've got a list, or a string really, out of this. Yeah. Okay. All of these things that we can work with.
So now we can post this request, make the SQL injection happen, and determine whether or not the password is LIKE what we've built so far of the password, trying to test each character by character. If we wanted to test if the password is like "A" and anything that follows, with our wildcard here, or "B" and anything that follows with the wildcard here, "C," etc., "D," "E," "F," and the list goes on and on until you get, like, oh, "F," maybe that's the correct letter, etc., until we find "L" is the correct letter, and then "B" or "A," etc. And then we can leak out the password by using this wildcard and by using this technique. This will happen over a period of time, right? We're going to have to loop here. So let's start a while loop: while True, do this over and over and over again. We can do for ch in characters. So every single character that we're working with, let's just print that out for now. And you can see that loop goes over and over and over with the characters. Let's keep track of what we've seen of the password. So seen password, that will be a list, and I'm just going to declare it empty like this, so it'll be really easy for us to append onto it or join it together as a string. So we can try and print out "trying character with password" and then join of what we've seen of the password. So when we join that seen password together, that just makes it a string. That's some Python syntactic sugar to join every element in the list, or element in the array, together with an empty string. So it puts them all together as one string. Nice. So now we can get the response, but we're going to have to change our POST request to make that LIKE statement add in what we've seen so far of the password as a string. Right? So I'm terminating my original string with the single quote, but I'm still inside the LIKE query here with the double quotes that denote this is part of the LIKE SQL string,
adding in what we've seen of the password and then the character that we're looking at currently. And if we wanted to actually check out what the debug query is, you can see that this is going to be iterating through what we've seen, including our seen password. So we can actually change this to "trying with password" plus ch. And you'll see it move just like that. Great. Trying with password A, B, C, D, F, G, etc., etc., etc. But right now, we're not actually seeing what the response is coming back to us with. Let's actually get the response, and then let's just print it out in our loop. This is going to look pretty messy and pretty crazy, but as you'll see, "this user doesn't exist" for just about everything, but eventually we'll trigger, oh, "this user does exist" for one of these. Maybe it'll happen too quickly. Oh, actually, I forgot the percent sign. Remember, we need our wildcard, because doing that LIKE is only going to be, okay, it'll match this if it's like this query. But the percent sign with the wildcard will allow us to fill out the rest of this. So now when I go back and run the script, we should be able to see "this user doesn't exist," but for one of these it'll trigger, just like that. You just saw it. And the user does exist for where it is like "trying with password W": this user does exist. Okay, cool. So now we know we've just leaked out "W" is the first character of this password. So we don't know whether or not it's going to be, uh, case sensitive or not, though, because by default SQL is case insensitive. So that password may be, maybe, starting with a W, but we don't know whether that's lowercase or uppercase. We can change that, in our query, by saying AND BINARY password. Putting BINARY right before that in the SELECT statement will, uh, make that field case sensitive.
So now we can test if "user exists" is in the content, and if that's the case we can say seen password .append, append the current character we've got, or ch, and then we can break out of this for loop and keep moving on. Cool. So now let's try and work through this. We're not printing out the entire content anymore. But lowercase W didn't catch. But will capital W catch? It does. Okay, cool. And now we're leaking out more: "Wa." That looked like it went through, etc., etc. Cool. We're getting more of them. And this will happen slowly but surely. We will get the flag just like this. So I'm going to wait a second. I'm going to, uh, pause the video here and let this run and we'll see if we can leak out the whole password. I think we're getting close to the end here. I sure hope so. So this is taking a little bit of time, right? That goes without saying. Um, this is obviously a real attack, right? Blind SQL injection is a real, real thing you can take advantage of with databases. Um, so it's going to take a little bit of time because we're doing a real, taking advantage of a real vulnerability, um, a real technique. So we're almost at the end here. I sure hope so. I don't know, how long are these passwords usually? 32 characters. Oh, Sublime Text just had some of those things that it acted funny with. Sorry. How much are we at right now? 27. Okay, so we're getting real close. It looks like this one has been going for a while. So I don't think there's any way we can particularly test this other than just looking at the length. Okay, so that is 32 characters right now. Um, and I guess we didn't make our program smart enough to determine that that was the end. Um, but we aren't actually getting any other results back yet, so that must be the whole password. So let's break this for now. Um, and that should be what we're able to move on with. If for some reason... I just want to tell you this for your own knowledge here.
If you only got, like, half of this password or something and you needed to, you wanted to keep moving where you were, like where you left off, um, that's okay. You can easily do that without wasting all that time that you spent waiting by putting that in as your seen password, like initialize it as a string inside of the list object here. Um, and that way you would start off right where you had everything to begin with, and you can still keep moving along with your SQL injection, your blind SQL injection, uh, loop with what you have so far, what you've built so far of the password. So that's a good way to keep that in mind. Um, let's go ahead and create a new script and just kind of save this as natas16, because now we've got the password, and let's see if we can go ahead and read that page. Let's make sure we actually did get the correct password. Let's print out response.text. Just make that content and then print that out just like all of our other scripts. And awesome, we are on Natas level 16. Awesome. Looks like we just did that. Looks like we just got a blind SQL injection attack and leaked out a password from a database. So I hope you guys really like that technique. Um, it's really just looping through all of the, like, common characters or printable characters that you're used to and adding them onto a list, or, uh, what you've already seen so far. And using that LIKE technique with the, uh, percent sign is really great. Um, there are other techniques where you can say not only is the password, because I showed you where the password is equal to, but I said you can have the password greater than. Um, because obviously, when you get down to it, the numbers, or all the letters, or all these ASCII characters that you're trying are just decimal numbers. They're all 0 to 255 in the ASCII table. So if you went in ASCII order, you could determine whether or not the password is greater than something like that. And BINARY, of course, will make it case sensitive.
So that's a pretty handy trick, too. But I like the LIKE character, or, sorry, the LIKE term, because that way you can keep the current character you're on rather than seeing that threshold trigger. Because if you're using the greater-than symbol, you'll get results like "the user does exist," "the user does exist," "the user does exist," and then once "the user does not exist," you know that, okay, the previous character that I was just on with that technique with the greater-than symbol was the correct one. So you have to kind of backtrack for your character testing if you're using that style. But I like the LIKE, uh, statement in SQL here. I think that's a cool technique with the wildcard. So thank you guys for watching. Again, I really hope you're enjoying this. I think this is some really cool web application security and, uh, exploits and attacks. So I'll see you in the next video when we tackle Natas level 16. Hey, if you like this video, please do like the video or comment. Tell me, let me know what you think. Uh, let me know what I can do better. Subscribe, and... Thanks so much guys.
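The following is an added example, not John Hammond's script and not the Natas level's own PHP. It models the "user exists / user doesn't exist" oracle from the transcript in-process with sqlite3 so it runs offline: the string-concatenated query is shown next to a parameterised one, the LIKE-wildcard loop from the video is run against both (with the end-of-password check the video's script lacked), and the case-insensitive-LIKE pitfall that motivated BINARY is reproduced with sqlite's `case_sensitive_like` pragma standing in for MySQL's BINARY. The table contents, the password value and the helper names are all constructed.

```python
import sqlite3
from string import ascii_lowercase, ascii_uppercase, digits

# Constructed sample secret; not a real Natas password.
CONSTRUCTED_PASSWORD = "Wa3Tq9"
# Same character set the video builds from the string module.
CHARSET = ascii_lowercase + ascii_uppercase + digits


def make_db(case_sensitive=True):
    """In-memory stand-in for the Natas 15 users table (hypothetical helper)."""
    db = sqlite3.connect(":memory:")
    # MySQL's BINARY keyword has no sqlite equivalent, so this pragma plays
    # that role: with it off, LIKE is case-insensitive, as in the video.
    db.execute("PRAGMA case_sensitive_like = %s" % ("ON" if case_sensitive else "OFF"))
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas16', ?)", (CONSTRUCTED_PASSWORD,))
    return db


def vulnerable_check(db, username):
    """Mirrors the level's PHP: the username is concatenated straight into
    the query (single quotes here because sqlite treats double-quoted
    strings as identifiers first; the PHP used double quotes)."""
    query = "SELECT * FROM users WHERE username='%s'" % username
    try:
        rows = db.execute(query).fetchall()
    except sqlite3.Error:
        return "Error in query."
    return "This user exists." if rows else "This user doesn't exist."


def safe_check(db, username):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so a quote or LIKE clause inside it is just part of a name."""
    rows = db.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    return "This user exists." if rows else "This user doesn't exist."


def blind_extract(db, check, max_len=32):
    """The character-by-character LIKE oracle loop from the video, run against
    whichever check function is supplied. It stops when no character extends
    the prefix, which is the end-of-password test the video's script lacked."""
    seen = []
    while len(seen) < max_len:
        for ch in CHARSET:
            prefix = "".join(seen) + ch
            payload = "natas16' AND password LIKE '%s%%' -- " % prefix
            if "user exists" in check(db, payload):
                seen.append(ch)
                break
        else:  # no character matched: the prefix is the whole password
            break
    return "".join(seen)


if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks:", blind_extract(db, vulnerable_check))
    print("case-insensitive LIKE leaks:",
          blind_extract(make_db(case_sensitive=False), vulnerable_check))
    print("parameterised query leaks:", repr(blind_extract(db, safe_check)))
```

Run stand-alone it prints the constructed password from the concatenated query, an all-wrong-case copy of it when LIKE is case-insensitive, and an empty string from the parameterised query.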

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond