Overthewire natas level 21 -22 is also like the last level but, there is Key and value pair as the input values. All we need to do is inject admin=1 as one of the key->value pair and we will get the password.
There are two different pages in this level which shares information with each other, In the experiment page we have injecting parameters and all we have to do inject admin=1 as key pair and pass the PHPSESSID of this page with the first page. Let’s see how we can do that:
The code for the first page looks like this:
Above page is the first page. The code is pretty straight forward.
The below code is of the second page which is 22-experiment, here it is validating the keys. What if we send the key as admin=1 with the valid keys?
So, to do that I fired up Firebug–>Go to the code –> right click –>Edit as HTML –> enter <input name=”admin” value=”1″> –> Click update.
Once you do the above steps, Copy the PHPSESSID of this page after the request has been sent, this is because once you pass the admin=1 as input key value pair, it is executed by the PHP code behind and it will sent the PHPSESSID of the admin because it found admin=1.
Now that we have the copied PHPSESSID of the admin, we can pass this in the first page where it is just checking if the session matches with the admin. I used burpsuite repeater to change the value and see the output. It works!
There you go, password for the next level is above!