food store

in the sign up activity when the signup button is clicked it checks that all the filled form fields is not empty and then adds a new user to the database by calling dbHelper.addUser(newUser);

let’s take a look on how the new user is created?

The addUser function accepts a User object and inserts its data (username, base64-encoded password, and base64-encoded address) into the database. The SQL query is constructed dynamically by embedding the user data directly into the statement without any input sanitization or parameterization, making it highly susceptible to SQL injection attacks.

notice that the field isPro is always 0 at registration to the users table in the sqlite database using this sql command

"INSERT INTO users (username, password, address, isPro) VALUES ('" + Username + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)";

our goal is to create a sql injection payload to insert a user with pro privliges

exploit','ZXhwbG9pdA==','ZXhwbG9pdA==',1);--

this payload will create a user with username, password and address equal to exploit and isPro field will be true comment the rest

so when injected the sql command will be like

INSERT INTO users (username, password, address, isPro) VALUES ('" + exploit','ZXhwbG9pdA==','ZXhwbG9pdA==',1);-- + "', '" + encodedPassword + "', '" + encodedAddress + "', 0)

now let’s try to register a user and inject this payload in the username field and fill the other fields with any random values

now let’s try to login with the credentials exploit:exploit

and now we have a pro user account with credit of 10000

Previousconfig editor NextIOT Connect

Last updated 8 months ago