Damn Insecure and Vulnerable Application – Part IV

Uncategorized 3 Minutes

In this post I would continue to solve the challenges that is in the vulnerable application “diva”. In the end of the post you may find a document, which is capturing network packets.

Till now we have discussed about the following things:

  • Android Platform
  • Android Architecture
  • Android Application Architecture
  • Android device virtualisation
  • Connecting to the android device using android debug bridge
  • Using shell commands on the device
  • Installing android application using adb
  • Knowing about the process which is executed when we click to launch the application
  • Getting the logs of the android application
  • Checking for sensitive data in the log
  • Hardcoding issues of developer
  • Insecure data storage in xml file
  • Insecure data storage in SQLite database file
  • Insecure data storage in randomly generated temporary file
  • Insecure data storage in hidden text file

If you don’t know about the above points, then I would recommend you read the following posts:

  1. Android Platform Architecture
  2. Android Application and it’s Architecture (PPT)
  3. Damn Insecure and Vulnerable Application – Part I
  4. Damn Insecure and Vulnerable Application – Part II
  5. Damn Insecure and Vulnerable Application – Part III

As we have completed the first six challenges, so now, let’s move on to the 7th challenge which is “Insecure Data Storage Part 2”.

Challenge 7

This challenge presents us with the following screen :-

Objective: Try to access all user data without knowing any user name. There are three users by default and your task is to output data of all the three users with a single malicious search.

Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it. For ease of testing there are three users already present in the database, for example one of them is admin, you can try searching for admin to test the output.

Fig 1 : DIVA Challenge 7

So, as the hint suggests, let’s enter “admin” in the text field.

Fig 2 : DIVA Challenge 7

As we can see that, this application gives me the user details if I enter a user in the text field. Our motive is to get all the user data which is in the database. So, as we know that, database understands the language SQL. That implies, we need to try SQL injection in the text field.

Let’s try the basic trick “ ‘ ” to get SQL query error.

Fig 3 : DIVA Challenge 7

When we enter “ ‘ ”, we don’t get any result on the screen. So, let’s try extracting the logs of the device, we might get something there.

Fig 4 : DIVA Challenge 7 – Logcat

From the SQL query error, we got the following :

  • It really is a database in the background
    • As it is android device and it is not using the network / internet, then it has to be SQLite database
  • The table from which data is being extracted is “ sqliuser ”

Let’s change the query. Let’s try the following query :

1’ or 1=1 –
Fig 5 : DIVA Challenge 7

We can see that we got our required result which is :

  • User: (admin) pass: (passwd123) Credit card: (1234567812345678)
  • User: (diva) pass: (p@ssword) Credit card: (1111222233334444)
  • User: (john) pass: (password123) Credit card: (5555666677778888)

All user details.

Mission Accomplished!!! Yoooooo!!!

Let’s move on to our next challenge which is challenge 8, “Input Validation Issues Part 1”.

Challenge 8

This challenge presents us with the following screen :-

Objective: Try accessing any sensitive information apart from a web URL.

Hint: Improper or no input validation issue arise when the input is not filtered or validated before using it. When developing components that take input from outside, always validate it.

Fig 6 : DIVA Challenge 8

Let’s enter a URL in the given text field.

Fig 7 : DIVA Challenge 8

When we click on “View”, we would get the following screen:

Fig 8 : DIVA Challenge 8

As we see that it is calling the URL which is entered by the user. So, let’s see, how can we exploit this.

Well we can use the LFI ( Local File Inclusion ) method to read sensitive information which is in the internal / external storage media. For exploiting, we input the following in the text field:

file:///storage/.uinfo.txt
Fig 9 : DIVA Challenge 8

When we click on “View”, we would get the content of the hidden text file which was created in 6th challenge :

Fig 10 : DIVA Challenge 8

By this way we can access any file which is stored in the file system of the android device. For example, you may try to access the xml file which was created by this application.

Note: Only clear text related files can be displayed in the screen as, other file would require specific application to extract the content of the file like the SQLite database file.

Mission Accomplished!!! Yoooooo!!!

Stay tuned for my next post !!!!!!!

You can check out the steps to Capture network packet in Android

Published by Fire Hunter

Security Enthusiast

Published

2 thoughts on “Damn Insecure and Vulnerable Application – Part IV

  1. Pingback: Damn Insecure and Vulnerable Application – Part V – Fire Hunter's Blog
  2. Pingback: Damn Insecure and Vulnerable Application – Part VI – Fire Hunter's Blog

Comments are closed.