Level 16 - Level 17
Again, we get an input field with a link to the source code.
From a look at the source code we can see that the query is vulnerable to SQL injection.
But the lines that would print database errors are commented out, so errors triggered by injected payloads are never shown in the response.
So we can't perform error-based or boolean-based SQL injection.
So let's opt for time-based injection. Let's try the following payload, since we know (from the pattern followed in previous levels) that there is going to be a user named natas18 in the table:
You can see that the browser responded with no errors after 5 seconds.
Now we have confirmed that there is a user named natas18. Next we have to retrieve the password for that user. To do that we are going to brute force it with alphanumeric characters, matching the password string one character at a time like we did in the last level with REGEXP, but this time using the SQL operator LIKE.
Let's try the following payload:
It responded immediately, which means the password doesn't start with the letter a. Let's find the first character with a simple Python script, in which we set the SLEEP value to 1 and filter the responses by response time: if a response takes longer than 1 second, the character tested in that request is the first character of the password.
The above script responded with the following output, from which we have found the first letter of the password.
Now it's time to fetch the entire password. The following Python script fetches the whole password based on the response time of each request.
The password for the next level has been obtained from the output of the above script.
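The two things a defender should take from this level are that suppressing error output does not close an injection (the LIKE/SLEEP probes above still leak one bit per request through the result or the response time), and that the real fix is a parameterized query. The example below is added here and is not code from the level or from Natas: it uses an in-memory SQLite table standing in for the level's MySQL users table (constructed usernames and placeholder passwords, single-quoted literals instead of the level's double quotes, and no SLEEP() since SQLite lacks it, so the leak shows up as a row count rather than a delay). It puts the concatenated query beside its parameterized form, then runs a small detector over constructed access-log lines that flags timing-function keywords in decoded query strings and clients producing bursts of slow responses, which is how the brute-force loop described above looks from the server side. Function names, the log format and the thresholds are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# ---- Part 1: the injectable query construction beside the fix ----

# Constructed sample data; nothing here is a real Natas credential.
SAMPLE_USERS = [("natas17", "demo-pw-17"), ("natas18", "demo-pw-18")]


def make_db():
    """In-memory SQLite table standing in for the level's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def count_concat(conn, username):
    """Vulnerable form: the input is spliced into the SQL text, so a quote
    inside it closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT * FROM users WHERE username='{username}'"
    try:
        return len(conn.execute(sql).fetchall())
    except sqlite3.Error:
        # Mirrors the level: error output is suppressed. That hides the
        # message but not the row count (or, with SLEEP, the delay).
        return 0


def count_param(conn, username):
    """Fixed form: the driver binds the value; quotes in it are plain data
    and can never change the structure of the statement."""
    sql = "SELECT * FROM users WHERE username=?"
    return len(conn.execute(sql, (username,)).fetchall())


# ---- Part 2: spotting time-based probing in access logs ----

# Assumed log layout (constructed): client IP, quoted request line,
# response time in milliseconds.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?:GET|POST) (?P<path>\S+) [^"]*" (?P<ms>\d+)$')
TIMING_FUNCS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)

SAMPLE_LOG = [  # constructed lines
    '10.0.0.5 "GET /index.php?username=natas18 HTTP/1.1" 12',
    '10.0.0.5 "GET /index.php?username=natas18%27+AND+SLEEP%281%29--+ HTTP/1.1" 1009',
    '10.0.0.5 "GET /index.php?username=natas18%27+AND+SLEEP%281%29--+ HTTP/1.1" 1011',
    '10.0.0.5 "GET /index.php?username=natas18%27+AND+SLEEP%281%29--+ HTTP/1.1" 1008',
    '10.0.0.9 "GET /index.php?username=alice HTTP/1.1" 15',
    '10.0.0.9 "GET /index.php?username=bob HTTP/1.1" 1400',
]


def flag_timing_probes(lines, slow_ms=1000, min_slow=3):
    """Return (keyword_hits, slow_clients).

    keyword_hits: (ip, decoded path) for requests naming a timing function.
    slow_clients: IPs with at least `min_slow` responses of `slow_ms` or more,
    the signature of a per-character brute-force loop even if the payload is
    obfuscated past the keyword check. A single slow request is not flagged.
    """
    per_client_slow = {}
    keyword_hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, path, ms = m["ip"], unquote_plus(m["path"]), int(m["ms"])
        if TIMING_FUNCS.search(path):
            keyword_hits.append((ip, path))
        if ms >= slow_ms:
            per_client_slow[ip] = per_client_slow.get(ip, 0) + 1
    slow_clients = sorted(ip for ip, n in per_client_slow.items() if n >= min_slow)
    return keyword_hits, slow_clients


if __name__ == "__main__":
    db = make_db()
    probe = "natas18' AND password LIKE 'd%"
    print("concat:", count_concat(db, probe), "param:", count_param(db, probe))
    print(flag_timing_probes(SAMPLE_LOG))
```

Run against the probe string, `count_concat` returns 1 row (the appended LIKE clause is evaluated and happens to match), while `count_param` returns 0 because the whole string is compared as a username; the injected condition simply never reaches the SQL parser. The detector's keyword check is cheap but easy to evade, so the per-client slow-response count is the more robust of the two signals.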