Food Store
Hello everyone. In this blog post, I will try to explain my solution steps for the Food Store challenge from the Mobile Hacking Lab platform. I hope it will be useful for you.
After installing the app, we have 2 options: log in if we have an account, or sign up if we don't.

Let's analyse the AndroidManifest.xml.
We have 3 activities (Main, Signup, Login) and 1 provider.
Main activity component:
It checks the username input and falls back to logging in as guest; if there is no address, the application submits the order with an unknown address.
Then the app retrieves the user information (USERNAME, USER_CREDIT, IS_PRO_USER, and USER_ADDRESS) from the Intent used to start the activity.
Login activity component:
It uses DBHelper and then checks that the user entered a username and password (not null).
If the credentials are correct, the app creates an Intent with all the user data to start the activity.
If the user has no account, the app starts the signup activity.

Signup component:
When the signupBtn is clicked, the onCreate$lambda$0 method is called, which performs the actual user registration logic (validation, adding the user to the database, and showing a Toast message). It takes the data from the user (username, password, address), and if the 3 fields ≠ null, the app creates a new user and shows this message: User Registered Successfully
If all fields are filled, a new User object is created with the provided information. The DBHelper class is used to add the user to the database.
DBHelper class structure:
When the DB is started for the first time, it executes this command:

    db.execSQL("CREATE TABLE users (\n id INTEGER PRIMARY KEY AUTOINCREMENT,\n username TEXT,\n password TEXT,\n address TEXT,\n isPro INTEGER\n \n \n)");

adduser(): it takes a user parameter, encodes the password and stores the name, then executes this command to store the user data:

    "INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)"

Here isPro = 0 means the application creates a regular user with limited features.

getUserByUsername(String Username): this method retrieves a user based on the username. The password and address are decoded from Base64 and shown in plain text.
The exploit here is to inject an SQL query that has isPro=1, which means we create a pro account with an encoded password and address:

    INSERT INTO users (username, password, address, isPro) VALUES ('keroPro', 'MTIzNA==', 'Y2Fpcm8=', 1)

I have already accessed the database and then inserted the query to create an account.

It was already successful, but I can't log in, maybe because the app has a problem or my emulator doesn't show all of the GUI.
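
The concatenated INSERT from adduser() described above, next to a parameterized version, as an added example that is not the app's code or part of the original write-up. It uses Python's sqlite3 as a stand-in for the Android DBHelper; the function names and the crafted username are constructed for illustration.

```python
import base64
import sqlite3

# Same columns as the CREATE TABLE statement shown for DBHelper.
SCHEMA = """CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT, password TEXT, address TEXT, isPro INTEGER)"""


def b64(text):
    return base64.b64encode(text.encode()).decode()


def add_user_concat(db, username, password, address):
    # Same shape as the INSERT described above: the username is concatenated
    # raw, only the password and address are Base64-encoded first.
    db.execute(
        "INSERT INTO users (username, password, address, isPro) VALUES ('"
        + username + "', '" + b64(password) + "', '" + b64(address) + "', 0)"
    )


def add_user_bound(db, username, password, address):
    # Hardened form: values are bound parameters, so quotes in the input stay
    # data and isPro is always the literal 0 chosen by the code.
    db.execute(
        "INSERT INTO users (username, password, address, isPro) "
        "VALUES (?, ?, ?, 0)",
        (username, b64(password), b64(address)),
    )


def register(add_user, username):
    """Register one user in a fresh in-memory DB and return the stored rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    add_user(db, username, "1234", "cairo")
    rows = db.execute("SELECT username, isPro FROM users").fetchall()
    db.close()
    return rows


# Constructed input: a username that ends the string literal early and
# supplies its own values for the remaining columns.
CRAFTED = "keroPro', 'MTIzNA==', 'Y2Fpcm8=', 1)--"

if __name__ == "__main__":
    print("concatenated:", register(add_user_concat, CRAFTED))
    print("bound:       ", register(add_user_bound, CRAFTED))
```

With bound parameters the whole crafted string is stored as the username and the row keeps isPro = 0; on Android the equivalent is passing bind arguments to execSQL or using insert() with ContentValues.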
