26 Feb 2012

CODEGATE 2012 – Forensics 200

Challenge Description

When IU, who lives in Seoul, tried to do an SQL Injection attack on a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter and when was the browser closed? The time is based on Korea Standard Time (UTC +09:00)

Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)
Answer : injection_value|time
(‘|’ is just a character)
Convert ‘ ‘ to ‘_’ for injection value.

The file belonging to this challenge is C1E4775363DE0885E8360ED9A13A86B8 which is a 7zip compressed archive file. The archive contains a Windows 7 \Users\ directory. Within this directory we can find a Mozilla Firefox directory which contains session information.

File:

/Users/proneer/AppData/Roaming/Mozilla/Firefox/Profiles/075lfxbt.default/sessionstore.js

The contents of this file are shown below:

{
    "windows": [{
        "tabs": [{
            "entries": [{
                "url": "about:home",
                "title": "Mozilla Firefox Start Page",
                "ID": 0,
                "docshellID": 5,
                "owner_b64": "NhAra3tiRRqhyKDUVsktxQAAAAAAAAAAwAAAAAAAAEYAAQAAAAAAAS8nfAAOr03buTZBMmukiq45X+BFfRhK26P9r5jIoa8RAAAAAAVhYm91dAAAAARob21lAODaHXAvexHTjNAAYLD8FKM5X+BFfRhK26P9r5jIoa8RAAAAAA5tb3otc2FmZS1hYm91dAAAAARob21lAAAAAA==",
                "docIdentifier": 0
            }, {
                "url": "http://forensic-proof.com/",
                "title": "FORENSIC-PROOF",
                "ID": 2,
                "docshellID": 5,
                "docIdentifier": 2,
                "formdata": {
                    "//xhtml:li[@id='search-3']/xhtml:div/xhtml:form/xhtml:fieldset/xhtml:input[@name='s']": "1_UNI/**/ON_SELECT"
                },
                "scroll": "0,0"
            }],
            "index": 2,
            "hidden": false,
            "attributes": {
                "image": "http://forensic-proof.com/wp-content/uploads/2011/10/search.ico"
            }
        }, {
            "entries": [{
                "url": "about:newaddon?id=toolbar@ask.com",
                "title": "Install Add-on",
                "ID": 1,
                "docshellID": 7,
                "owner_b64": "SmIS26zLEdO3ZQBgsLbOywAAAAAAAAAAwAAAAAAAAEY=",
                "docIdentifier": 1
            }, {
                "url": "http://forensicinsight.org/",
                "title": "Forensic Insight",
                "ID": 3,
                "docshellID": 7,
                "docIdentifier": 3,
                "formdata": {},
                "scroll": "0,0"
            }],
            "index": 2,
            "hidden": false,
            "attributes": {
                "image": "http://forensicinsight.org/wp-content/uploads/2011/11/FilterFeather2.gif"
            }
        }],
        "selected": 1,
        "_closedTabs": [],
        "busy": false,
        "width": "994",
        "height": "750",
        "screenX": "4",
        "screenY": "4",
        "sizemode": "maximized",
        "cookies": [{
            "host": ".forensic-proof.com",
            "value": "75300229",
            "path": "/",
            "name": "__utmc"
        }, {
            "host": ".forensicinsight.org",
            "value": "12711840",
            "path": "/",
            "name": "__utmc"
        }]
    }],
    "selectedWindow": 1,
    "_closedWindows": [],
    "session": {
        "state": "running",
        "lastUpdate": 1329009797205,
        "startTime": 1329009441160,
        "recentCrashes": 0
    },
    "scratchpads": [],
    "lastSessionState": {
        "windows": [{
            "tabs": [{
                "entries": [{
                    "url": "about:home",
                    "title": "Mozilla Firefox Start Page",
                    "ID": 0,
                    "docshellID": 5,
                    "owner_b64": "NhAra3tiRRqhyKDUVsktxQAAAAAAAAAAwAAAAAAAAEYAAQAAAAAAAS8nfAAOr03buTZBMmukiq45X+BFfRhK26P9r5jIoa8RAAAAAAVhYm91dAAAAARob21lAODaHXAvexHTjNAAYLD8FKM5X+BFfRhK26P9r5jIoa8RAAAAAA5tb3otc2FmZS1hYm91dAAAAARob21lAAAAAA==",
                    "docIdentifier": 0,
                    "formdata": {},
                    "scroll": "0,0"
                }],
                "index": 1,
                "hidden": false,
                "attributes": {
                    "image": "chrome://branding/content/icon16.png"
                }
            }],
            "selected": 1,
            "_closedTabs": [],
            "width": "994",
            "height": "750",
            "screenX": "4",
            "screenY": "4",
            "sizemode": "maximized",
            "title": "Mozilla Firefox Start Page"
        }],
        "selectedWindow": 1,
        "_closedWindows": [],
        "session": {
            "state": "stopped",
            "lastUpdate": 1328976025895,
            "startTime": 1328975220425,
            "recentCrashes": 0
        },
        "scratchpads": []
    }
}

Within this file we find the following information:

SQL Injection: 1_UNI/**/ON_SELECT
Time stamp: 1329009797205 

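The time stamp is the lastUpdate value of the running session, in milliseconds since the Unix epoch. Converting it to the requested format in Korea Standard Time (UTC +09:00) gives the solution for this challenge.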

Final answer: 1_UNI/**/ON_SELECT|2012-02-12T10:23:17+09:00
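
The extraction above can be scripted. This Python sketch is an added example, not part of the original write-up: it walks every tab entry for saved form data and converts session.lastUpdate to the requested time format. The function names are hypothetical, SAMPLE is a constructed, trimmed copy of the file shown above, and the code assumes the sessionstore.js layout of that file.

```python
import json
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))  # Korea Standard Time, UTC+09:00

# Constructed sample: a trimmed copy of the sessionstore.js shown above,
# keeping only the fields the analysis relies on.
SAMPLE = json.dumps({
    "windows": [{"tabs": [
        {"entries": [
            {"url": "about:home"},
            {"url": "http://forensic-proof.com/",
             "formdata": {"//xhtml:li[@id='search-3']/xhtml:div/xhtml:form"
                          "/xhtml:fieldset/xhtml:input[@name='s']":
                          "1_UNI/**/ON_SELECT"}}]},
        {"entries": [{"url": "http://forensicinsight.org/", "formdata": {}}]}]}],
    "session": {"state": "running", "lastUpdate": 1329009797205},
    "lastSessionState": {
        "windows": [{"tabs": [{"entries": [{"url": "about:home", "formdata": {}}]}]}],
        "session": {"state": "stopped", "lastUpdate": 1328976025895}},
})

def form_values(state):
    """Return (url, field selector, value) for every saved form field."""
    found = []
    for window in state.get("windows", []):
        for tab in window.get("tabs", []):
            for entry in tab.get("entries", []):
                for field, value in entry.get("formdata", {}).items():
                    found.append((entry.get("url"), field, value))
    return found

def last_update(state, tz=KST):
    """Convert session.lastUpdate (ms since the Unix epoch) to ISO 8601."""
    ms = state["session"]["lastUpdate"]
    return datetime.fromtimestamp(ms // 1000, tz).isoformat()

def analyse(text):
    state = json.loads(text)
    report = {"state": state["session"]["state"],
              "last_update": last_update(state),
              "forms": form_values(state)}
    previous = state.get("lastSessionState")
    if previous:  # earlier session that Firefox keeps alongside the current one
        report["previous_last_update"] = last_update(previous)
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

To run it against the real artifact, pass the text of sessionstore.js to analyse() instead of SAMPLE.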
