Disclaimer: This is for educational purposes only.
Parallel Blind-SQL Injection done in ~30 lines of code (the rest is just comments) that solves the challenge in ~ 10 Seconds. I'm really proud of it.
Other Writeups on the internet have more code and take a lot more time. How? It has a Timing based control Structure that does not contain any if-Statement. I think it's just really neat. It's also super fast.
Usage: python3 natas17.py
The code has two parts.
- HTTP-Request for Blind-SQL Injection
- Timing-Based Control structure
This code solves Natas Level 17, part of the Overthewire wargame: http://natas17.natas.labs.overthewire.org/
The challenge is to get the Password for the next level using a Blind SQL-Injection. Blind SQL-Injection means that we get no output, we can only know based on the timing of the Request, if our request returned True or False.
SELECT * from users where username=" Your Query "
http://natas17.natas.labs.overthewire.org/?username=natas18" and ASCII(Right(password,32)) = "120" and sleep(5) or "
SELECT * from users where username="natas18" and ASCII(Right(password,32)) = "65" and sleep(5) or ""
This query checks if the first letter of the Query is has the Ascii Value of 65 ("A"). If it is true, it will sleep 5 seconds, otherwise it does nothing.
It's not a Race Condition if you know who will lose the race!
- Create a query for all
32Passwords positions and the possible ASCII characters. - Create a password Buffer to store the result.
- Create Threads: Their job is to run every query
- Each Thread stores the corresponding Ascii-Character in the respective position of the password buffer.
- After every Thread finishes, print out the Password buffer
Remember: It's not a Race Condition if you know who will lose the race!
32 Threads will have to wait for 5 seconds until the server replies. It's the ones that found the right Password Character! During that time the other Threads will have gone though all the other requests.
The other Threads will fill the Buffer with Garbage but it does not matter!
The last 32 Threads will overwrite the Buffer with the right password.
No If statement needed!
- This Parallel Solution will find the password in approximately 10 Seconds.
- Since it is a Timing Based algorithm, it is susceptible to Network problems, if that is the case, increase the
sleep. - The Sequential Solution needs on average
7Request per Password index -->7*32*5Seconds = 1.120 Seconds = 18.7 Minutes - The Sequential Solution can be very unreliable, it needs to check how much time the request took, which is hard to measure.
- Any real target will ban your 1000 Request per second.
- Use SQL-Map instead.