Codegate 2012: Forensics 200

Forensics 200

"""

When IU, who lives in Seoul, tried a SQL Injection attack on a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter, and when was the browser closed? The time is based on Korea Standard Time (UTC+09:00).
Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)

Answer : injection_value|time
(‘|’ is just a character)
Convert ‘ ‘ to ‘_’ for injection value.

Download
"""

So we checked the profile folders of the various browsers in the image, and found a useful reference:

http://docbe.com/2012/01/05/web-browser-session-restore-forensics-3/

So we decided to see if that helps. First up, Firefox recovery: Mozilla Session Restore.
Following the instructions in the PDF from the link above, the file of interest is:
C:\Users\UserName\AppData\Roaming\Mozilla\Firefox\Profiles\########.default\sessionstore.js

According to the document, Firefox writes sessionstore.js periodically while it is running; after a crash or forced restart the file is still on disk so the session can be restored, whereas a normal shutdown deletes it. That makes it exactly the artifact to look at for a browser that "closed abnormally".
sessionstore.js is JSON, so a viewer like http://jsoneditor.net/ makes it easier to read. I just cat-ed the file though.
And look what we found (excerpt; the full file is at the bottom of the post):

formdata":{"//xhtml:li[@id='search-3']/xhtml:div/xhtml:form/xhtml:fieldset/xhtml:input[@name='s']":"1_UNI/**/ON_SELECT"}

>1_UNI/**/ON_SELECT

<Hiromi> well let's see
<Hiromi> “1_UNI/**/ON_SELECT”
<Hiromi> does that smell like sqli?
<amon> OHH
<amon> yes

There is our SQL injection: a UNION SELECT, with the inline comment /**/ splitting the keyword to slip past a simple keyword filter. Now for the time, since the answer format is injection_value|time.
There are four Unix epoch timestamps in the file (Firefox session store timestamps are milliseconds since the epoch, so divide by 1000 first). We converted each one to the required format YYYY-MM-DDThh:mm:ssTZD in KST (+09:00) and tried them in turn until one was accepted:

1_UNI/**/ON_SELECT|2012-02-12T10:23:17+09:00

And there we have the answer.
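The extraction and conversion steps above, as an added Python example that is not part of the original writeup: it parses a constructed sessionstore.js excerpt (the values, including both sample timestamps, are made up here; only the layout follows the Firefox format), pulls every formdata value, flags the ones that look like SQL injection once the /**/ comment split is collapsed, and pairs each with every candidate timestamp rendered in the challenge's KST format. The sample value is written with spaces so the "convert ' ' to '_'" rule is exercised.

```python
import json
import re
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))  # Korea Standard Time, as the challenge requires

# Constructed sample shaped like an early-2012 Firefox sessionstore.js.
# Everything here is made up for the example; only the layout (windows ->
# tabs -> entries -> formdata, plus the top-level "session" block) mirrors
# the real file.  The injected value deliberately has spaces so the
# challenge's "convert ' ' to '_'" rule gets exercised.
SAMPLE_SESSIONSTORE = r'''{
  "windows": [{
    "tabs": [{
      "entries": [{
        "url": "http://example.invalid/?s=1",
        "title": "Search results",
        "formdata": {
          "//xhtml:li[@id='search-3']/xhtml:div/xhtml:form/xhtml:fieldset/xhtml:input[@name='s']": "1 UNI/**/ON SELECT"
        }
      }],
      "index": 1
    }],
    "selected": 1
  }],
  "selectedWindow": 1,
  "session": {"state": "running", "lastUpdate": 1329009797000, "startTime": 1329008000000}
}'''

# Keywords that make a form value smell like SQLi; checked case-insensitively
# after the inline-comment split (UNI/**/ON) has been collapsed.
SQLI_HINTS = re.compile(r"(?i)\b(union|select|sleep|benchmark)\b|'\s*(or|and)\b|--|;")


def walk(node):
    """Yield every (key, value) pair reachable in the parsed JSON, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def find_formdata(state):
    """Return (field, value) for every string field in every formdata block.

    Old Firefox keys formdata directly by XPath; newer builds nest the fields
    under "id" and "xpath", so both layouts are handled.
    """
    fields = []
    for key, value in walk(state):
        if key != "formdata" or not isinstance(value, dict):
            continue
        groups = [value] + [value[g] for g in ("id", "xpath") if isinstance(value.get(g), dict)]
        for group in groups:
            for field, text in group.items():
                if isinstance(text, str):
                    fields.append((field, text))
    return fields


def looks_like_sqli(text):
    """True if the value contains SQL keywords once comment-splitting is undone."""
    return SQLI_HINTS.search(text.replace("/**/", "")) is not None


def find_timestamps(state):
    """Return (key, value) for ints that look like epoch seconds or milliseconds."""
    stamps = []
    for key, value in walk(state):
        if isinstance(value, bool) or not isinstance(value, int):
            continue
        if 10**9 <= value < 2 * 10**9 or 10**12 <= value < 2 * 10**12:
            stamps.append((key, value))
    return stamps


def epoch_to_kst(value):
    """Format an epoch timestamp (seconds or ms; Firefox writes ms) as YYYY-MM-DDThh:mm:ss+09:00."""
    seconds = value / 1000 if value >= 10**11 else value
    return datetime.fromtimestamp(seconds, tz=KST).isoformat(timespec="seconds")


def candidate_answers(raw_json):
    """Build every injection_value|time pair the challenge could accept."""
    state = json.loads(raw_json)
    injections = [text for _, text in find_formdata(state) if looks_like_sqli(text)]
    answers = []
    for text in injections:
        for key, stamp in find_timestamps(state):
            answers.append((key, text.replace(" ", "_") + "|" + epoch_to_kst(stamp)))
    return answers


if __name__ == "__main__":
    for key, answer in candidate_answers(SAMPLE_SESSIONSTORE):
        print(f"{key:>10}: {answer}")
```

Run it against a real sessionstore.js by passing the file contents to candidate_answers; each line of output is one submission to try, so the guess-and-check step from the writeup becomes a short list rather than a manual conversion per timestamp.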

sessionstore.js