Natas Level 14

[screenshot: level 14 message]

Just a plain-looking login page; let's jump to the source code:

[screenshot: natas level 14 source code]

So $query is being initialized with unsanitized user input via $_REQUEST["username"] and $_REQUEST["password"]. I wonder what would happen if we put a quotation mark (") in either field? Let's try it; we'll also include "?debug=1" in the URL because, per lines 20 – 22 of the source, this shows us the actual query that gets executed:

[screenshot: natas level 14 error messages]

Well, that's interesting: we got an error message, which is telling us that the argument to mysql_num_rows() should be a boolean value ("true" or "false"). In this case the argument to mysql_num_rows() is the return value of mysql_query($query, $link). Something must be causing it to return an error rather than a boolean. Our argument to mysql_query() is:

SELECT * from users where username=""" and password=""

It's saying username="", which is just an empty username; then there is a stray, extraneous quotation mark, and then the query continues. The extra quotation mark makes this query invalid. It also tells us we can hack the query, and maybe get authenticated without a password 😀

Let's try setting the username to natas15, and the password to (" or "1" = "1).

[screenshot: natas level 14 win]

We won! So the final query that was executed on the database was this:

SELECT * from users where username="natas15" and password="" or "1" = "1"

Select all the rows from the table "users" where the username equals natas15 and the password equals the empty string we supplied, or 1 = 1. We didn't know the password for natas15, but we knew we could append another logical operator to the query, in this case the "OR" operator. 1 = 1 always evaluates to "true", and anything OR'd with true is always true. So by adding OR 1 = 1 we make the whole WHERE condition evaluate to true for every row, even though we don't have the password.
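As an added example (not part of the original writeup or the Natas source), here is the same query construction reproduced in Python against an in-memory SQLite table, beside the parameterized form that closes the hole. The user rows are constructed, and the example uses single-quoted string literals because SQLite treats double-quoted strings as identifiers; the effect of the stray quote and of the OR clause is the same as in the page's double-quoted MySQL query.

```python
import sqlite3

# Constructed stand-in for the level's "users" table (names and passwords are made up).
SAMPLE_USERS = [("natas14", "example-pw-14"), ("natas15", "example-pw-15")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Same construction as the level: raw request values are spliced into the SQL text.

    The executed query is returned as well, like the level's ?debug=1 output,
    so the effect of the input on the statement is visible.
    """
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # A stray quote leaves the statement unterminated; this is the failure the
        # level surfaces through mysql_num_rows() after mysql_query() has failed.
        return {"authenticated": False, "error": str(exc), "query": query}
    return {"authenticated": len(rows) > 0, "error": None, "query": query}


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the driver binds the values,
    so quotes and OR clauses in the input are compared as data, never parsed."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    # A lone quote breaks the vulnerable query (the error seen in the writeup).
    print(login_vulnerable(db, "'", "")["error"])
    # The tautology from the writeup: matching no longer depends on the password.
    bypass = "' OR '1'='1"
    print(login_vulnerable(db, "natas15", bypass)["authenticated"])  # True
    print(login_parameterized(db, "natas15", bypass))                # False
    print(login_parameterized(db, "natas15", "example-pw-15"))       # True
```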