OverTheWire: Natas Level 26 → 27

SQL Truncation Vulnerability/Exploit/Attack

Once you log in to this level, you are given a form with username and password fields. If you try to log in with the username natas28 (the username for the next level), you are of course told the password is wrong. But if you try any random username and password, a new user is created, and when you log in again it prints the SQL entry for that user (including the password).

Looking at the source code, it seems quite a bit of effort has been made to block SQL injection attempts by using mysql_real_escape_string, so it is probably not worth looking into SQL injection.

But there is something interesting in the dumpData function. A valid credential check query should return only one unique user from the database, so why is there a while loop there?

Some googling turned up a SQL truncation exploit technique that is worth checking out. According to the article, if we can pad the admin/natas28 username to more than 64 characters, we should be able to create two SQL entries with the same username (natas28).

Let's fire up Burp and record a normal request.

Send that request to the repeater and modify the POST data.

We get a response that the user was created.

Since we did not send any data in the password field in this request, we should now be able to log in with the username natas28 without a password.
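To make clear why the while loop ends up seeing two rows, and what stops it, here is a toy Python model of the column behaviour described above. This is an added example, not code from the level or from the article; the column width of 64, the non-strict truncation, the trailing-space comparison and all sample values are assumptions of the model.

```python
COLUMN_WIDTH = 64  # assumed width of the username column in this model


class UserTable:
    """Toy model of a MySQL VARCHAR(64) username column."""

    def __init__(self, strict_mode=False):
        self.strict_mode = strict_mode
        self.rows = []  # (username, password) tuples

    @staticmethod
    def _cmp_key(s):
        # PAD SPACE collations ignore trailing spaces when comparing strings
        return s.rstrip(" ")

    def insert(self, username, password):
        if len(username) > COLUMN_WIDTH:
            if self.strict_mode:
                # STRICT_TRANS_TABLES: the INSERT fails instead of truncating
                raise ValueError("Data too long for column 'username'")
            username = username[:COLUMN_WIDTH]  # silent truncation
        self.rows.append((username, password))

    def select(self, username):
        # SELECT * FROM users WHERE username = ? (what dumpData iterates over)
        key = self._cmp_key(username)
        return [(u, p) for u, p in self.rows if self._cmp_key(u) == key]


def safe_register(table, username, password):
    """Application-side checks that belong in front of the INSERT."""
    if len(username) > COLUMN_WIDTH:
        raise ValueError("username too long")
    if username != username.strip():
        raise ValueError("username must not have surrounding whitespace")
    if table.select(username):
        raise ValueError("username already taken")
    table.insert(username, password)


def rows_seen_at_login(strict_mode=False, hardened=False):
    """Register the real user, then an over-long padded clone, and count
    the rows the login query returns for the real username."""
    table = UserTable(strict_mode)
    table.insert("natas28", "real-password")  # constructed sample password
    clone = "natas28" + " " * (COLUMN_WIDTH - len("natas28")) + "x"  # 65 chars
    try:
        if hardened:
            safe_register(table, clone, "")
        else:
            table.insert(clone, "")
    except ValueError:
        pass  # strict mode or validation rejected the clone
    return len(table.select("natas28"))
```

With neither defence the query returns two rows; either strict SQL mode or the application-side length and whitespace checks bring it back to one.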

natas28: JWwR438wkgTsNKBbcJoowyysdM82YjeF
