CLIENT SIDE INJECTION
- Layout for this exercise:

- Connecting Santoku to Nexus 5:

- The goal of this exercise is to inject a crafted SQL fragment into the application's database query, so that the application yields the contents of the database because of the lack of proper input sanitization.
- Android mobile devices use SQLite as the framework for local database storage, so let's install the application sqliteapp.apk on the mobile device:


- Clicking the icon of the application:

- The user is prompted to register:

- Registering a user:

- The valid user logs in and their private details are displayed:


- With the aim of bypassing the authentication process, let's decompile the application with jadx and see how the source code is written:

- Running jadx over the application:

- A new directory is created:

- Going to the manifest to see which package is associated with the application:



- Moving through the directory to the innermost folder of the package, the Java source code is found:

- Opening the database connector, there is an SQL statement that looks up the credentials (username and password) in the user_records database:


- Now, taking advantage of the lack of input validation and sanitization, let's try an "always true" SQL query.
- This SQL injection is based on the well-known fact that the OR operator yields TRUE whenever at least one of the operands is 1:
0 OR 0 = 0
0 OR 1 = 1
1 OR 0 = 1
1 OR 1 = 1
- For instance: Joey1'or'1'='1'--

- The SQL injection is successful, because all the details about the user are displayed:
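- To make the root cause concrete, the following added example (not code from the walkthrough or from sqliteapp.apk) rebuilds the login lookup against an in-memory SQLite database with constructed sample users and assumed column names, running the concatenated query next to a parameterized one with the same `Joey1'or'1'='1'--` input. The concatenated form returns every row; the parameterized form treats the whole string as a username and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the app's user_records table.
# Column names username/password are an assumption, not taken from the app.
SAMPLE_USERS = [("Joey1", "s3cret"), ("Alice", "hunter2")]

# Payload shown in the walkthrough; the trailing -- comments out the rest.
PAYLOAD = "Joey1'or'1'='1'--"


def make_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_records (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_records VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: credentials are pasted into the SQL text, so the
    quote in the input ends the string literal and the rest becomes SQL."""
    sql = ("SELECT username FROM user_records WHERE username='" + username
           + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened pattern: ? placeholders are bound by SQLite as plain values,
    so quotes, OR and -- inside the input never reach the SQL parser."""
    sql = "SELECT username FROM user_records WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both lookups with valid credentials and with the payload."""
    conn = make_db()
    return {
        "concat_valid": login_concat(conn, "Joey1", "s3cret"),
        "concat_payload": login_concat(conn, PAYLOAD, "wrong"),
        "param_valid": login_param(conn, "Joey1", "s3cret"),
        "param_payload": login_param(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

On Android the same fix is passing the values through the selectionArgs array of SQLiteDatabase.rawQuery (or using query with ? placeholders) instead of building the SQL string by concatenation.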
