Thursday, December 22, 2016

ANDROID PT / Client Side Injection


- Layout for this exercise:

- Connecting Santoku to Nexus 5:

- The goal of this exercise is to inject a crafted SQL fragment into a query against the application's local database, so that the application yields the contents of the database due to the lack of proper input sanitization.

- Android uses SQLite as its framework for local database storage, so let's install the application sqliteapp.apk on the mobile device:

- Clicking the icon of the application:

- The user is prompted to register:


- Registering a user:

- The valid user logs in and their private details are displayed:

- With the purpose of bypassing the authentication process, let's decompile the application with jadx and see how the source code is written:

- Running jadx over the application:

- A new directory is created:

- Going to the manifest to see what is the associated package:

- Moving through the directory down to the innermost folder of the package, the Java source code is found:

- Opening the connector to the database, there is a SQL statement that looks up the credentials (username and password) in user_records:
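
- As an added example, not code from the original post or from sqliteapp.apk, here is a small Python script that wraps the jadx steps above: it runs jadx, reads the package attribute from the decompiled manifest, walks down to that package's folder under sources/ and lists the lines where SQL is built by string concatenation or handed to SQLite as raw text. It assumes jadx's -d output option and its output layout (<out>/resources/AndroidManifest.xml and <out>/sources/<package path>/); the APK name sqliteapp.apk is taken from the post.

```python
import re
import subprocess
import sys
from pathlib import Path

# package="..." on the <manifest> element of the decompiled AndroidManifest.xml
PACKAGE_RE = re.compile(r'<manifest\b[^>]*\bpackage="([^"]+)"', re.S)
# Places worth reading: raw SQL handed to SQLite, or an SQL string literal
# immediately followed by + (i.e. a query assembled by concatenation).
SQL_SINK_RE = re.compile(
    r'rawQuery\s*\(|execSQL\s*\(|"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')


def manifest_package(manifest_xml: str) -> str:
    """Return the package name declared in the manifest text."""
    m = PACKAGE_RE.search(manifest_xml)
    if not m:
        raise ValueError("manifest declares no package attribute")
    return m.group(1)


def package_source_dir(out_dir: str, package: str) -> str:
    """The innermost folder of the package under jadx's sources/ (assumed jadx layout)."""
    return f"{out_dir}/sources/{package.replace('.', '/')}"


def sql_sinks(java_source: str) -> list:
    """(line number, line) pairs in one Java file where SQL is built or executed as text."""
    return [(n, line.strip())
            for n, line in enumerate(java_source.splitlines(), 1)
            if SQL_SINK_RE.search(line)]


def audit(apk: str, out_dir: str = "jadx-out") -> list:
    """Decompile the APK with jadx (-d sets the output directory) and report SQL sinks."""
    subprocess.run(["jadx", "-d", out_dir, apk], check=True)
    manifest = Path(out_dir, "resources", "AndroidManifest.xml").read_text()
    src = Path(package_source_dir(out_dir, manifest_package(manifest)))
    hits = []
    for java in sorted(src.rglob("*.java")):
        for n, line in sql_sinks(java.read_text(errors="replace")):
            hits.append((str(java), n, line))
            print(f"{java}:{n}: {line}")
    return hits


if __name__ == "__main__":
    audit(sys.argv[1] if len(sys.argv) > 1 else "sqliteapp.apk")
```

The sink regex is deliberately loose: it is a reading aid to find the database connector quickly, not a proof of a vulnerability. Each hit still has to be read to see whether the concatenated value comes from user input, as it does in the login query of this exercise.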

- Now, taking advantage of the lack of input validation and sanitization, let's try an "always true" SQL condition.

- This SQL injection is based on the well-known fact that OR yields TRUE whenever at least one of its operands is 1 (true):

0 OR 0 = 0
0 OR 1 = 1
1 OR 0 = 1
1 OR 1 = 1

- For instance: Joey1'or'1'='1'-- (the quote closes the string literal, '1'='1' is always true, and -- turns the remainder of the statement into a comment)

- The SQL injection is successful, because all the details about the user are displayed:
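
- Added example (not the app's code nor code from the original post): the same bypass reproduced against SQLite with Python's sqlite3 module, which drives the same engine Android uses. The post does not reproduce the app's Java query, so the query shape below (username and password concatenated into a SELECT over user_records) and the sample rows are assumptions; the payload Joey1'or'1'='1'-- is the one from the post. The fixed version binds the input as parameters, which is the real remediation. It also goes one step beyond the post: once a username is known, a comment alone (Alice'--) is enough to skip the password check.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the app's user_records (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user_records (username TEXT, password TEXT, details TEXT)")
    con.executemany(
        "INSERT INTO user_records VALUES (?, ?, ?)",
        [("Joey1", "S3cret!", "Joey's private details"),
         ("Alice", "hunter2", "Alice's private details")],
    )
    return con


def build_query(username: str, password: str) -> str:
    """How the vulnerable app is assumed to assemble its login query: plain concatenation."""
    return ("SELECT username, details FROM user_records WHERE username='"
            + username + "' AND password='" + password + "'")


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """User input becomes SQL text, so quotes, OR and -- are interpreted by SQLite."""
    return con.execute(build_query(username, password)).fetchall()


def login_fixed(con: sqlite3.Connection, username: str, password: str) -> list:
    """Bound parameters: the input is passed as data and is never parsed as SQL."""
    return con.execute(
        "SELECT username, details FROM user_records WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "Joey1'or'1'='1'--"          # the post's payload
    print(build_query(payload, "wrong"))   # the comment swallows the password check
    print("vulnerable:", login_vulnerable(con, payload, "wrong"))   # every row
    print("vulnerable:", login_vulnerable(con, "Alice'--", "x"))    # targeted bypass
    print("fixed:     ", login_fixed(con, payload, "wrong"))        # nothing
    print("fixed:     ", login_fixed(con, "Joey1", "S3cret!"))      # the legitimate row only
```

Escaping quotes by hand is a fragile fix; binding the values as parameters (or using the query() helpers with selectionArgs on Android) is the one that holds, because bound values never reach the SQL parser.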