search

MobileHackingLab Food Store

LogoMobile Hacking Lab - Online Mobile Hacking Course for Aspiring ExpertsMobile Hacking Labchevron-right

hashtag
Overview

The FoodStore Mobile Hacking Lab presents a challenge involving SQL injection within an Android application. The primary objective is to exploit this vulnerability to elevate a user's privileges from a regular user to a "pro" user. This writeup details the process of identifying the vulnerability, crafting a successful exploit, and the key takeaways from the challenge.

hashtag
Reverse Engineering

The initial step involved decompiling the APK file using tools like APKTool and inspecting the code with jadx-gui. The dbHelper class, responsible for database interactions, was of particular interest. The addUser method within dbHelper was identified as the source of the SQL injection vulnerability. This method concatenates user-supplied input directly into an SQL query without proper sanitization or parameterization.

hashtag
Exploitation

The goal is to manipulate the isPro flag during user creation. By injecting SQL code through the username signup field, it's possible to modify the SQL query to set isPro to 1 for a new user. The successful payload was:

This payload modifies the SQL query to insert a new user with the username "admin", sets the password and address to the Base64 encoded value "YWRtaW4=" (which decodes to "admin"), and sets the isPro flag to 1. The -- comments out the remainder of the original SQL statement.

Registration
Login as admin
LogoMobile Hacking Lab - Online Mobile Hacking Course for Aspiring ExpertsMobile Hacking Labchevron-right
PreviousTryHackMe LookbackNextMobileHackingLab Notekeeper

Last updated