Hey, what's up YouTube, this is John Hammond, and in this video we're looking at Natas level 15 from OverTheWire. So for this level we just got the password for Natas level 15, so we can use the same Python script we've been using to get the web page and see what we're actually working with here. When we're looking at the web page source, the HTML here, we have a form that goes to index.php. It's another POST request with the username that we can fill out; that looks like the only field here, and the submit button goes to "check existence". So maybe it's just trying to determine whether or not a user exists. We can go ahead and take a look at the source code here by going to that view source or index source page. We'll go ahead and de-entitize some of these, and let's remove all these break statements here because they're getting in the way. So now we've got the page source here, and we can see the PHP code. Looks like it gives us a schema, a little bit of the database, like okay, we have a users table with the username and password just in there, and we're determining if the array key exists, username, in the request. So okay, if we actually posted the form and that username is present, we connect to the database with the censored password, select the database, and the query that we're running is select all from users where username, again, concatenated in, so pretty obvious SQL injection there, and we get the debug query again if we want to take a look at it, and we get the query results, and if we have a result one way or another it tells us this user exists, or this user doesn't exist, or there's an error in the query. Okay, so we don't actually get to know any information.
We don't actually log in or anything, really; we're just determining a binary kind of yes or no: does this user exist, does this user not exist? So let's go ahead and play with this. Let's go ahead and change this to a POST request, and let's go to the original web page, not the source anymore. Let's actually take the source, though, and just put it in a new pane in case we want it later on, and let's go ahead and post with the data keyword argument having username and let's say like "john", just to test that stuff out. I'm going to assume a user doesn't exist. Okay. Man, I missed my opportunity to use like username "subscribe" or something, dang it. All right, but natas16, so the next level here, looks like we can assume that user probably will exist. Okay, yeah, that user does exist. So we want, from the database here, we want to be able to find the user where the username is equal to natas16, and we want to somehow leak out their password. But we can't do SQL injection like we've done before, because we're not logging into anything. We don't have explicit SQL injection, so we can't see any of the results. We can only determine whether or not, a yes or a no, a user exists or the user doesn't exist. So now we can get into a tactic called blind SQL injection. So blind SQL injection means we're probably gonna have to leak out data like byte by byte or character by character, because we can't explicitly see a result, but we can figure out some data by testing other characters over and over again until we get one that matches. So we can determine through that yes or no determination, whether a user exists or does not exist, if we're on the correct character or not, because we have our SQL injection.
We know we can have a valid query if we really wanted to, so let's change this username to be able to use the double quote here, and we can comment this out, and we'll still get "user exists", right? If we had "and one equals two", we can get this to be an invalid statement, "that user doesn't exist", because one does not equal two and that AND statement ruins that. But that AND condition, because we're using our SQL injection, lets us do more here. We can test "and the password is equal to something", right? We don't know what the password actually is, so we can't use equal to, but we can try and figure out what the password is like, and with that we can start to iterate through possible characters, like maybe any possible thing, a letter, an uppercase letter, a lowercase letter, or a number, like the typical style we've seen in all the other Natas passwords, and we can figure out if the password is containing those characters, and we can leak out, character by character, what that password is. So we can do that with the SQL LIKE statement, and we can determine if it's like anything, right? The anything character, or the wildcard character, in a SQL LIKE statement is a percent sign. So we can say "and password like anything" with the wildcard; that will return true, right, the user exists, because that wildcard will match anything. But if we had the password like the word "anything", or "who knows", right?
We don't know the password, and that user doesn't exist, because that LIKE isn't going to work for us, because there is no... that wildcard isn't affecting it, and it's not matching anything. It's matching only "who knows", and the password obviously isn't that. So we can actually take advantage of this, though. We can start to loop through all the possible characters, or what could be part of the password. So let's go ahead and grab those things: from string import *. So we can say characters that we want to look through can equal lowercase, that we've got from the string module up here, and uppercase, that we've got from the string module above, and digits. So all of these variables exist in that string module, but if we're seeing them, seeing the characters that we put together now, we've got a list, or a string really, how does 15? Yeah, okay, all of these things that we can work with. So now we can post this request, make the SQL injection happen, and determine whether or not the password is like what we've built so far of the password, and try to test each character, character by character, if we wanted to test if the password is like "a" and anything that follows with our wildcard here, or "b" and anything that follows with the wildcard here, "c", etc., "d", "e", "f", and the list goes on and on until you get like, oh, "f", maybe that's the correct letter. It'll run till we find "l" is the correct letter, and then "b" or "a", etc. And then we can leak out the password by using this wildcard and by using this technique. This will happen over a period of time, right? We're gonna have to loop here. So let's start a while loop, while true, do this over and over and over again. We can do for ch in characters, so every single character that we're working with, let's just print that out for now, and you can see that loop goes over and over and over with the characters. Let's keep track of what we've seen of the password.
So seen_password, that will be a list, and I was going to declare it empty like this, so it'll be really easy for us to append on to it or join it together as a string. So we can try and print out "trying character with password" and then join of what we've seen of the password. So when we join that seen password together, that just makes it a string; that's some Python syntactic sugar to join every element in the list, or element in the array, together with an empty string, so it puts them all together as one string. So now we can get the response, but we're gonna have to change our POST request to make that LIKE statement add in what we've seen so far of the password as a string, right? So I'm terminating my original string with the single quote, but I'm still inside the LIKE query here with the double quotes; note this is part of the LIKE SQL string, adding in what we've seen of the password and then the character that we're looking at currently. And if we wanted to actually check out what the debug query is, you can see that this is going to be iterating through what we've seen, including our seen password. So we can actually do changes to "trying with password" plus ch, and you'll see it move just like that. Great: trying with password a, b, c, d, f, g, etc., etc., etc. But right now we're not actually seeing what the response is coming back to us with. Let's actually get the response, and then let's just print it out in our loop. This is going to look pretty messy and pretty crazy, but as you'll see, "this user doesn't exist" for just about everything, but eventually we will trigger, oh, "this user does exist" for one of these. Maybe it'll happen too quickly.
Oh, actually I forgot the percent sign. Remember we need our wildcard, because doing that LIKE is only going to be doing, okay, it'll match this if it's like this query, but the percent sign with the wildcard will allow us to fill out the rest of this. So now when I go back and run the script, we should be able to see "this user doesn't exist", but for one of these it'll get it, just like that, you just saw it, and the user does exist for where it is like: trying with password w, this user does exist. Okay, cool. So now we know we've just leaked out: w is the first character of this password. So we don't know whether or not it's going to be case sensitive or not, though, because by default SQL is case insensitive. So that password may be starting with the w, but we don't know if that's lowercase or uppercase. We can change that by, in our query, saying "and binary password"; putting BINARY right before that in the select statement will make that field case sensitive. So now we can test if "user exists" is in the content, and if that's the case we can say seen_password.append the current character we've got, ch, and then we can break out of this for loop and keep moving on. Cool. So now let's try and work through this. We're not printing out the entire content anymore, but lowercase w didn't catch, but will capital W catch? It does, okay, cool. And now we're leaking out more: W, a, that looked like it went through, etc., etc. Cool, we're getting more of them, and this will happen slowly, but surely we will get the flag just like this. So I'm gonna wait a second; I'm going to pause the video here and let this run, and we'll see if we can leak out the whole password. I think we're getting close to the end here.
I sure hope so. So this is taking a little bit of time, right; that goes without saying. This is obviously a real attack, right? Blind SQL injection is a real, real thing you can take advantage of with databases, so it's gonna take a little bit of time, because we're doing a real, taking advantage of a real vulnerability and a real technique. So we're almost at the end here, I sure hope so. I don't know, how long are these passwords usually? 32 characters. Oh, Sublime Text just had some of those things that acted funny, sorry. How much are we at right now? 27, okay, so we're getting real close. Looks like this one has been going for a while, so I don't think there's any way we can particularly test this other than just looking at the length. Okay, so that is 32 characters right now, and I guess we didn't make our program smart enough to determine that that was the end, but we aren't actually getting any other results back yet, so that must be the whole password. So let's break this for now, and that should be what we're able to move on with. If for some reason, I just want to tell you this for your own knowledge here, if you only got like half of this password or something and you needed it, you want to keep moving from where you were, like where you left off, that's okay. You can easily do that without wasting all that time that you spent waiting by putting that in as your seen password, like initialize it as a string inside of the list object here, and that way you would start off right where you had everything to begin with, and you can still keep moving along with your SQL injection, your blind SQL injection loop, with what you have so far, what you've built so far of the password. So that's a good way to keep that in mind. Let's go ahead and create a new script and just kind of save this as natas16, because now we've got the password, and let's see if we can go ahead and read that page. Let's make sure we actually did get the correct password.
Let's print out response.text. We should just make that content and then print that out just like all of our other scripts, and awesome, we are on Natas level 16. Awesome. Looks like we just did that; looks like we just got a blind SQL injection attack and leaked out a password from a database. So I hope you guys really like that technique. It's really just looping through all of the like common characters or printable characters that you're used to and adding them on to a list, or what you've already seen so far, and using that LIKE technique with the percent sign is really great. There are other techniques where you can say not only is the password, because I showed you where the password's equal to, but I said you can have the password greater than, because obviously when you get down to it the numbers or all the letters or all these ASCII characters that you're trying are just decimal numbers; they're all 0 to 255 in the ASCII table. So if you went in ASCII order you could determine, not the password is greater than something like that, and BINARY of course will make it case sensitive. So that's a pretty handy trick too, but I like the like character, or sorry, the LIKE term, because that way you can keep the current character you're on rather than seeing that threshold trigger, because if you're using the greater than symbol you'll get results like "the user does exist", "the user does exist", "the user does exist", and then once "the user does not exist", you know that, okay, the previous character that I was just on with that technique with the greater than symbol was the correct one. So you have to kind of backtrack for your character testing if you're using that style, but I like the LIKE statement in SQL here. I think that's a cool technique with the wildcard. So thank you guys for watching again.
I really hope you're enjoying this. I think this is some really cool web application security and exploits and attacks. So I'll see you in the next video when we tackle Natas level 16. Hey, if you like this video, please do like the video or comment. Tell me, let me know what you think, let me know what I can do better, subscribe, and thanks so much guys. See you in another video.
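The existence oracle the video describes, with the parameterized query that closes it, as an added example that is not the video's script or the Natas source: the users table and its two rows are constructed in an in-memory SQLite database, the function names are my own, and MySQL's BINARY has no SQLite equivalent so case sensitivity is not shown.

```python
import sqlite3

# Constructed sample rows, not the real Natas database.
SAMPLE_USERS = [("natas16", "W3llD0ne"), ("alice", "s3cret")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def user_exists_vulnerable(con, username: str) -> bool:
    # Mirrors the Natas 15 pattern: the submitted username is concatenated
    # straight into the query text.
    query = f"SELECT * FROM users WHERE username='{username}'"
    return con.execute(query).fetchone() is not None


def user_exists_safe(con, username: str) -> bool:
    # Hardened form: the username is bound as a parameter, so quotes,
    # AND clauses and comment markers are just characters of the value.
    query = "SELECT * FROM users WHERE username=?"
    return con.execute(query, (username,)).fetchone() is not None


def like_probe(prefix: str) -> str:
    # The injected username shape from the video: close the string literal,
    # add a LIKE on the password with a trailing % wildcard, comment out the
    # rest (SQLite comments with --; MySQL also accepts #).
    return f"natas16' AND password LIKE '{prefix}%' -- "


def oracle_leaks(con) -> bool:
    # True when the yes/no existence answer changes with the guessed prefix,
    # i.e. the page's response is usable as a blind-injection oracle.
    return (user_exists_vulnerable(con, like_probe("W"))
            and not user_exists_vulnerable(con, like_probe("X")))


def oracle_closed(con) -> bool:
    # With parameter binding the probe is looked up literally as a username;
    # no such user exists whatever prefix is guessed, so nothing leaks.
    return (not user_exists_safe(con, like_probe("W"))
            and not user_exists_safe(con, like_probe("X")))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks:", oracle_leaks(db))          # True
    print("parameterized query leaks:", not oracle_closed(db))  # False
```

The same probe that flips the answer against the concatenated query is just an unknown username once it is bound as a parameter, which is the fix the Natas 15 source is missing.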