TIMING ATTACK SQL Injection: Python Web Hacking | Natas: OverTheWire (Level 17)
Key Takeaways
Performs a timing attack SQL injection on Natas Level 17 using Python
Full Transcript
What's up everybody? Welcome back to another YouTube video. My name is John Hammond and in this video we're looking at level 17 of the Natas war game from OverTheWire. So on the tails of level 16, we just got the password for level 17. So let's run the script to check out what this web page is and what we're actually working with here. Here we have the form that we've seen before, just for logging in. It looks like we're given a username input field, and the button will check existence. So, kind of the same SQL injection attack we've seen before, but maybe there's something different. So, let's actually take a look at the source code and let's see what they're doing here. Just copy that link to the index source. And again, we'll have to de-sanitize this, and we can remove all those break tags because we don't need those. All right. So, we have the same schema as we've seen before, just a users table with username and password. We have the same test for whether we actually POSTed to the page in the PHP code, and we run the same query. Looks like we have the same SQL injection attack vector because they're just concatenating in the username. But it's commented out the output as to whether or not it got a result. So, no longer can we determine, okay, a yes or no binary dichotomy thing: does this user exist? Does this user not exist? So, we can't use that for our typical blind SQL attack. We won't be able to determine via that yes or no, one or zero, whether we have the correct character in what we're trying to leak out. So, we have to go for a different attack. And this will be pretty neat. This is, I think, one of the coolest things that you can do with SQL. But let's go ahead and start to post to this web page and see what we can do. We want to change our method to POST. Same URL.
Data will be username; that's the variable that we've got to work with in HTTP, and we'll say "subscribe", blah blah blah. POST, run this: no output, just like it told us. But we know we have our SQL injection, so if I were to change these to single quotes and use the original quote, the double quote that they're using in that SQL statement, we can OR 1=1 and throw a comment in there. Run this. And it looks like we're getting no real output. But we can do some other interesting things. Because we have that SQL injection, we can run SQL commands and SQL functions and do SQL things. Let's actually try and sleep for a certain amount of time. So this function will do exactly as it says: it will wait or sleep a certain amount of seconds that we pass in here as a number. And it will actually operate because we're using that AND function. So if something returns and we get this sleep function, which will return one if it succeeds, or it'll return successful; but the AND will mean it will execute if the user that we're checking for, according to the application code, exists. So let's try this. If I hit Ctrl+B to run it, it returns immediately because obviously the user "subscribe" does not exist. But if I change this to natas18 (natas18 is the next password that we want) and I hit the go button here, the build output, there's no response for at least 5 seconds because we've entered that sleep function. So this gives us the building blocks for a timing attack, for time-based SQL injection, because we can actually leak out the password, right? We can say WHERE password... we actually don't want to use the WHERE clause because it's already being used for that WHERE username. So we can just say AND password LIKE and use the same methodology that we've been using before. So add in what we've seen of a seen_password, a join of seen_password, because we'll keep track of that in a list, and a character that we iterate through.
Don't forget our percent sign here so we get the wildcard, and let's change the sleep to two. So let's get that character pool that we want to work with. So let's say characters can equal... let's get everything from the string module, so we can use lowercase, uppercase and digits as we've seen before. Sorry for this duplicate code here, guys. But now we'll do a while loop, or actually we'll do a seen_password again, to determine that the length of seen_password is less than 32, because we know that was the length for it. We'll say for character in characters, try and get this response here, and let's actually just print "trying" and let's get what we're looking for. Cool. We don't need the plus there. We don't have to print that out. But I'm going to do this in the command line. Let's change that preference so it looks... Let's run that Python natas17 script. And I forgot my colon. My bad. Okay. So now we're going to start to iterate, trying all these characters. But at X, we hang a little bit. And we've got to test if we actually got a hit. If it slept for 2 seconds, or if there is a real difference in the time between one execution and the next, then we know we've got the correct character, because that AND password LIKE successfully executed and then sleep will successfully execute. So let's change this and let's start to get a time to determine how long this code takes to run. Let's import time. Let's actually do from time import *. So, we can just use the time function real easy. So, for every character we're looking at, we're going to try and send it. And then we'll determine what the time currently is: start time. We can just do that for debugging purposes. And then we can say end time can be the new time after we've already made that request. And let's say the difference can equal end time minus start time. So we can get an idea of how long that took: difference. Now, we can print these things out. And while we're watching it, the difference is maybe two tenths of a second.
But I'll scroll up here. Once we got to X, we could tell the difference took more than a second because we slept for that second there. You might have different values on this depending on how your internet connection is, because we're literally timing how long this request takes, and that sleep function, whatever integer amount of seconds you pass into the sleep function in SQL, obviously that will vary. So, if I were to run this with two, you'll see a different difference because now you're sleeping for two seconds. But since you're going to automate this and weaponize it to actually leak out the password, you want to do something that will give you relatively quick speed, but still let you be able to determine what the threshold is for this actually being a successful hit. So we can say if the difference is greater than one, then we know we actually have a successful hit. That's the correct character that we've seen in that position of the password. So, let's add that to our seen_password and break out of this for loop so we can keep moving. seen_password.append the character we're looking at in the loop, and then let's break. Cool. We don't need this start time notice anymore. Now, let's start to loop. What did I do wrong? I think that was happening because nothing was buffering this output here. Now, let's try this. If we actually have that print statement, it'll tell us the "trying" and it will determine that X is the correct password. Okay, cool. So, now we have an attack. Looks like we're leaking out the password, but we forgot the BINARY notion in the password here. So, we may be missing capital letters. Let's make sure we include AND BINARY password LIKE so we get case sensitivity when we leak out that field in the database. Now, we can let this script run and by the end of it, we'll have the password for Natas 18. All right, I'll let this run and I'll see you in a little bit.
So, it looks like the script did finish and we have a potential password. Let's head back to the original script and save it as a new one: natas18. Paste the password in here, change the username, and let's see if we can just get that page. See if we got the correct password, and we're ready to move on. Let's Ctrl+B run this. And here we are. Natas level 18. Sweet. So we did it. That was the successful loop and pretty much a good Python attack for actually implementing a timing-based SQL injection exploit, if you want to call it that. And I think that's super cool. sqlmap does some stuff with that. If you haven't seen that tool, totally check it out. But I like to consider that methodology pretty good for a timing attack. And you'll see those in a lot of capture the flag competitions. And when you don't have explicit SQL injection and you can't get a result easily to determine your blind SQL injection, you can still leak out pieces of the database just by taking a little bit of time using a loop like this. And you can just run with a while True if you don't have this criteria about what you're leaking out, about its length or whatever. You can just run forever, and once your loop starts to act weird and gives you like random bytes, you know, okay, I pretty much reached the end. So that's it. That's how we can do a timing attack and time-based SQL injection in Python and some web hacking. Thank you guys so much for watching. If you do like the video, please click that like button. Please let me know what else you're thinking, what else you'd like to see, what else I could do better with in a comment, if you're willing to subscribe. Thank you so much. I'll see you in another video.
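The video shows why the delay-based probe works against the Natas 17 PHP: the username is concatenated straight into the SQL text, so a quote plus an AND SLEEP() clause becomes part of the query. The block below is an added example, not code from the video or from OverTheWire. It rebuilds the vulnerable lookup beside a parameterised one and times both against the same probe, then adds a small server-side heuristic for spotting this kind of probing in request logs. Everything in it is constructed: an in-memory sqlite3 database with the users(username, password) schema the transcript reads from the source, a made-up row (not the real password), a registered SLEEP() function standing in for MySQL's (sqlite has none), the sqlite `--` comment where the video uses MySQL's `#`, and the detection regex and one-second threshold, which are assumptions rather than any tool's rule set.

```python
import re
import sqlite3
import time

# Constructed stand-in for the challenge's users table. The password value is a
# made-up sample, not the real Natas password.
SAMPLE_ROWS = [("natas18", "CONSTRUCTED-SAMPLE-VALUE")]


def simulated_sleep(seconds):
    # sqlite has no SLEEP(); this stand-in mimics MySQL's: pause, then return 0.
    time.sleep(seconds)
    return 0


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.create_function("SLEEP", 1, simulated_sleep)
    return conn


def user_exists_vulnerable(conn, username):
    # Same defect the transcript points at in the PHP: the username is pasted
    # into the SQL text, so quotes and AND clauses inside it become query syntax.
    query = f"SELECT * FROM users WHERE username='{username}'"
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn, username):
    # Hardened form: a bound parameter. The value travels separately from the
    # SQL text, so the whole input is compared as one literal string.
    query = "SELECT * FROM users WHERE username=?"
    return conn.execute(query, (username,)).fetchone() is not None


def timed(fn, conn, username):
    # Wall-clock the call the way the video's script does (end minus start).
    start = time.time()
    result = fn(conn, username)
    return result, time.time() - start


# Constructed detection heuristic: flag requests whose input names a database
# delay function, or whose handling time crosses the threshold. Both the
# pattern list and the 1.0 s default are assumptions to tune per application.
DELAY_FUNCTIONS = re.compile(
    r"(?i)\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"
)


def flag_request(body, duration_s, threshold_s=1.0):
    reasons = []
    if DELAY_FUNCTIONS.search(body):
        reasons.append("delay function in input")
    if duration_s >= threshold_s:
        reasons.append("slow response")
    return reasons


if __name__ == "__main__":
    conn = make_db()
    # The video's probe rewritten for sqlite: '--' ends the statement where
    # MySQL would use '#'. Against the vulnerable query the server stalls;
    # against the parameterised one it is just an unknown username.
    probe = "natas18' AND SLEEP(0.3) --"
    for name, fn in (("vulnerable", user_exists_vulnerable),
                     ("safe", user_exists_safe)):
        found, took = timed(fn, conn, probe)
        print(f"{name}: exists={found} took={took:.2f}s")
    print(flag_request("username=" + probe, 0.3))
```

Running it shows the two sides of the transcript's observation: the concatenated query pauses for the requested time even though it returns no row, while the bound-parameter query returns immediately because the probe never becomes SQL. The log heuristic is deliberately coarse; in practice the "slow response" rule needs a baseline per endpoint, since the video itself notes that network jitter moves the threshold.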
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond