Month: March 2015

Natas Level 27

All the sql code in this level is there to throw us off.  If you pull off a SQL injection on this level let me know, because AFAIK it is not possible.  The trick to beating this level is in the comments at the top of the page. They’re telling

Read More »

Natas Level 26

Today we’ll be exploiting the unserialize() function in PHP.  The major lesson here is to NEVER unserialize() user input, and I’ll show you why. describes the serialize() function as follows: “Generates a storable representation of a value.  This is useful for storing or passing PHP values around without losing

Read More »

Natas Level 25

This one is one of the most involved levels so far, as there are multiple pieces to the puzzle.  Let’s jump right in: First we can see they are making an awful lot of effort to prevent us from including arbitrary files via the $filename variable.  This is a big

Read More »