Food Store
Hello everyone. In this blog post, I will try to explain my solution steps for the Food Store challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.
After installing the app, we have two options: log in if we already have an account, or sign up if we don't.
Let's analyse the AndroidManifest.xml.
We have 3 activities (Main, Signup, Login) and 1 provider:
Main Activity Component:
It checks whether the user entered a username; if not, it logs in as a guest, and if there is no address, the application submits the order with an unknown address.
The app then retrieves the user information (USERNAME, USER_CREDIT, IS_PRO_USER, and USER_ADDRESS) from the Intent used to start the activity.
Login Activity Component:
It uses DBHelper and then checks that the user entered both a username and a password (not null).
If the credentials are correct, the app creates an intent carrying all of the user's data to start the activity.
If the user has no account, the app starts the Signup activity.
Signup Component:
When the signupBtn is clicked, the onCreate$lambda$0 method is called, which performs the actual user registration logic (validation, adding the user to the database, and showing a Toast message).
It takes the data from the user (username, password and address) and, if all 3 fields are non-null, the app creates a new user and shows the message "User Registered Successfully".
If all fields are filled, a new User object is created with the provided information. The DBHelper class is used to add the user to the database.
DBHelper Class Structure:
When the DB is created for the first time, it executes this command:
db.execSQL("CREATE TABLE users (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n username TEXT,\n password TEXT,\n address TEXT,\n isPro INTEGER\n \n \n)");
addUser(): it takes a User parameter, Base64-encodes the password and the address, and then builds this command by string concatenation to store the user data:
"INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)"
isPro = 0 here means the application creates a regular user with limited features.
getUserByUsername(String Username): this method retrieves a user by username; the password and address are decoded from Base64 and returned in plain text.
The exploit here is to inject SQL through the username so that the inserted row has isPro = 1, which means we create a pro account with an encoded password and address. The resulting statement is:
INSERT INTO users (username, password, address, isPro) VALUES ('keroPro', 'MTIzNA==', 'Y2Fpcm8=', 1)
I have already accessed the database and then inserted the query to create an account.
It was already successful, but I can't log in, maybe because the app has a problem or my emulator doesn't show all of the GUI.
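As an added example (not code from the original writeup or the challenge app), here is the addUser() concatenation described above reproduced in Python with sqlite3, beside a parameterized version that keeps user input as data and leaves isPro fixed by the code. The schema and the Base64 storage of password and address follow the post; the user names and the helper names are constructed for the demonstration.

```python
import base64
import sqlite3

# Same table the challenge's DBHelper creates on first start.
SCHEMA = """CREATE TABLE users (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username TEXT,
  password TEXT,
  address TEXT,
  isPro INTEGER
)"""

def b64(value: str) -> str:
    # The app stores password and address Base64-encoded (encoding, not encryption).
    return base64.b64encode(value.encode()).decode()

def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def add_user_vulnerable(db, username, password, address):
    # Mirrors addUser(): the username is pasted straight into the SQL text,
    # so any quote in it reaches the SQL parser and can change the statement.
    sql = ("INSERT INTO users (username, password, address, isPro) VALUES ('"
           + username + "', '" + b64(password) + "', '" + b64(address) + "', 0)")
    db.execute(sql)
    db.commit()

def add_user_fixed(db, username, password, address):
    # Hardened form: bound parameters are always data; isPro stays a literal 0
    # chosen by the code, so the client cannot promote itself at signup.
    db.execute("INSERT INTO users (username, password, address, isPro) VALUES (?, ?, ?, 0)",
               (username, b64(password), b64(address)))
    db.commit()

def get_user(db, username):
    # Mirrors getUserByUsername(): decodes password and address back to plain text.
    row = db.execute("SELECT username, password, address, isPro FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return None
    name, pw, addr, is_pro = row
    return {"username": name, "password": base64.b64decode(pw).decode(),
            "address": base64.b64decode(addr).decode(), "isPro": is_pro}

def quote_breaks_vulnerable_insert(username="o'neil"):
    # Defender's check: a legitimate name containing a quote proves user input is parsed as SQL.
    try:
        add_user_vulnerable(new_db(), username, "1234", "cairo")
    except sqlite3.OperationalError:
        return True
    return False
```

With the parameterized version the same quoted name is stored literally and the account is created with isPro = 0, which is the behaviour a code review of addUser() should require.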