📡
Daniel Serbu's CyberSecurity Blog
  • 🔧Welcome
  • 💾Writeups
    • PWNEDLABS Identify the AWS Account ID from a Public S3 Bucket
    • TryHackMe Anthem
    • TryHackMe AttacktiveDirectory
    • TryHackMe Vulnnet: Active
    • TryHackMe Ice
    • TryHackMe Blueprint
    • TryHackMe VulnNet: Roasted
    • TryHackMe Post-Exploitation Basics
    • TryHackMe Lookback
    • MobileHackingLab Food Store
    • MobileHackingLab Notekeeper
    • MobileHackingLab IOT Connect
  • DevSecOps
    • Container Security
      • Kubernetes
    • Infrastructure as Code - IaC
    • Dynamic Application Security Testing - DAST
    • Static Application Security Testing - SAST
    • Software Bill of Materials - SBOM
    • Software Composition Analysis - SCA
    • Source Code Audit
      • PHP Code Review
      • Secure By Design Libraries
    • IDE Plugins for Developers
    • Security Hardening
    • Secure Coding
    • Cheatsheets
    • Mobile
    • Cloud Security
  • OSINT
Powered by GitBook
On this page
  • Overview
  • Reverse Engineering
  • Exploitation
  1. Writeups

MobileHackingLab Food Store

PreviousTryHackMe LookbackNextMobileHackingLab Notekeeper

Last updated 9 days ago

Overview

The FoodStore Mobile Hacking Lab presents a challenge involving SQL injection within an Android application. The primary objective is to exploit this vulnerability to elevate a user's privileges from a regular user to a "pro" user. This writeup details the process of identifying the vulnerability, crafting a successful exploit, and the key takeaways from the challenge.

Reverse Engineering

The initial step involved decompiling the APK file using tools like APKTool and inspecting the code with jadx-gui. The dbHelper class, responsible for database interactions, was of particular interest. The addUser method within dbHelper was identified as the source of the SQL injection vulnerability. This method concatenates user-supplied input directly into an SQL query without proper sanitization or parameterization.

`String sql = "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";`

Exploitation

The goal is to manipulate the isPro flag during user creation. By injecting SQL code through the username signup field, it's possible to modify the SQL query to set isPro to 1 for a new user. The successful payload was:

admin','YWRtaW4=','YWRtaW4=',1); --"

This payload modifies the SQL query to insert a new user with the username "admin", sets the password and address to the Base64 encoded value "YWRtaW4=" (which decodes to "admin"), and sets the isPro flag to 1. The -- comments out the remainder of the original SQL statement.

💾
LogoMobile Hacking Lab - Online Mobile Hacking Course for Aspiring ExpertsMobile Hacking Lab
LogoMobile Hacking Lab - Online Mobile Hacking Course for Aspiring ExpertsMobile Hacking Lab
Registration
Login as admin