Natas 14 — Manual SQL Injection

Miguel Sampaio da Veiga
Published in Hacker Toolbelt, Jun 13, 2019

This is part VI of OverTheWire’s Natas wargame. The earlier articles covered the previous levels, each one ending with the access key to the next challenge. To simplify things, you can get the access key here.

Natas 14 greets us with a login page. Try to reuse the login from natas and…

Hum… a login page usually means some kind of backoffice. Let’s take a look at the source code.

We have a connection to a MySQL DB and a query for a username and password. Take note of the line “if(array_key_exists("debug", $_GET)) {”. If we send the param ‘debug’, we’ll get the fully formed query.

Using OWASP ZAP, open the Manual Request Editor and add the debug parameter to the URL:

The response will be the query used:

Using this guide we can try some SQL injection techniques. I’ll try using single quotes… No. But take a closer look at the response. The query uses double quotes! Let’s use them:

The response looks promising. There’s no quote sanitization and we get a SQL error:

Notice the extra double quotes at the beginning and at the end. Remove our double quotes so our params become:

username=1" OR "1" = "1"&password="1" OR "1" = "1

Nailed it! Changing the param values to a true statement tricks the DB into giving us a response to the query. Let’s head on to natas 15.
