Pwning OWASP’s Juice Shop Pt. 5: Login Admin

I’ve been writing up some fairly boring challenges for the sake of getting them out of the way, but now it’s finally time to actually hack!

Challenge: 

Name: Login Admin

Description: Log in with the administrator’s user account

Difficulty: 2 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

OWASP’s Testing for SQL Injection 

SQL Injection cheat sheet for login bypass

Methodology: 

Judging by the category of this challenge, I think it’s safe to assume that this is going to be an SQL injection challenge. To me, that means it’s time to fire up Burp Suite and figure out what data is being sent to the server.

[Screenshot: the intercepted login request in Burp. Referer: http://localhost:3000/; Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; continueCode=…; JSON body with the fields email ("admin@test.com") and password ("sql_injection_location").]

Because Juice Shop is intentionally insecure, it’s safe to assume that the login email address will be fairly simple and guessable. The password, on the other hand, maybe not so much. That leaves us with two fields to tinker with, “user” and “password”.

One of the Burp features I’m kind of clumsy with, and could use more practice on, is called Intruder. It’s used for spamming login pages and the like with wordlists to find what words work in different fields. In this case I’m using the “Cluster Bomb” attack type. After sending off a dummy login request to see how the data is formatted, I sent that packet to Intruder and configured the tool to focus on the two fields I wanted to probe.

[Screenshot: Burp Intruder, Payload Positions tab, attack type "Cluster bomb". The base request is POST /rest/user/login HTTP/1.1 to Host: localhost:3000 with Content-Type: application/json and the body {"email":"§admin§@juice-sh.op","password":"§sql_injection_location§"}, where the § markers enclose the two payload positions.]
Remember to clear all fields before selecting and adding the ones you want.

Next I needed a wordlist of SQL Injection test strings to feed into the fields. Different databases have different weaknesses, so I wanted to be as thorough as possible. Back to Google I went, ultimately finding a cheat sheet listing dozens of possible queries. I loaded them into the password payload set, filled in a few generic administrator-type names into the user field payload set, and pressed “Start Attack”.

[Screenshot: Intruder results for the Cluster Bomb attack on the email and password fields.]
No luck.

184 requests later I began to suspect that the password field might not contain any vulnerabilities, so I decided to try the user field. Considering that users are stored in a database, that bypassing authentication would likely return the first user in that database, and that the first user on any system is usually an administrator, it made some sense. Because this attack would nullify anything in the password field, I changed the attack type to “Sniper” (one field only), loaded the list of injection queries into the payload, and started a new attack.

[Screenshot: Intruder attack results (35 of 46 requests shown). The Payload column lists variants such as admin' or …, admin' #, admin'or or'; nearly every response has Status 401, while one response of Length 1586 is flagged in the Comment column as "Contains a JWT".]
We have tokens!

Now that we’ve found the vulnerability, it’s time to exploit it!

[Screenshot: the Juice Shop login form with admin' or '1'='1' entered in the Email field and a throwaway value in the Password field.]
Fingers crossed that we get an admin account

And to confirm that we are, indeed, logged into an administrator’s account…

[Screenshot: the account menu showing the logged-in user admin@juice-sh.op, with the entries Orders & Payment, Privacy & Security and Logout.]
Success!

And to check the scoreboard…

You successfully solved a challenge: Login Admin (Log in with the administrator's user account.) 
I’m in.

Prevention and mitigation strategies:

OWASP SQL Injection Prevention Cheat Sheet

  1. Sanitize every input a user provides!
  2. Create a dummy account with no privileges and organize your database’s User table to ensure that, if SQL injection makes it past your input sanitization, it is the default/first account in that table. Better they should access a null account than that of an administrator.
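To make the failure and the fix concrete, here is an added example (not Juice Shop's own code; the table layout, the hashing and the query shape are assumptions) that runs a login query built by string concatenation next to its parameterized form against a constructed in-memory SQLite table. It also shows why the bypass hands back the first row of the Users table, as reasoned in the methodology above, and why the trailing SQL comment in the payload matters: without it, AND binds tighter than OR and the password clause is still enforced.

```python
import sqlite3
import hashlib

# Constructed stand-in for a Users table (schema and rows are assumptions).
# The admin is row 1, mirroring the "first user is usually an administrator" observation.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin@juice-sh.op", hashlib.md5(b"admin-secret").hexdigest(), "admin"),
        (2, "jim@juice-sh.op", hashlib.md5(b"jim-secret").hexdigest(), "customer"),
    ])
    return db

def login_vulnerable(db, email, password):
    """Login check assembled by string concatenation: user input becomes SQL syntax."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()  # weak hash, illustration only
    query = (f"SELECT id, email, role FROM Users WHERE email = '{email}' "
             f"AND password = '{pw_hash}'")
    return db.execute(query).fetchone()

def login_safe(db, email, password):
    """Same check with bound parameters: the driver never lets input alter the SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return db.execute(query, (email, pw_hash)).fetchone()

# The cheat-sheet style payload: the closing quote ends the email literal, OR '1'='1'
# is always true, and -- comments out the rest of the line (the password clause).
BYPASS_PAYLOAD = "admin' or '1'='1'--"
# Same idea without the comment: AND binds tighter than OR, so the password check survives.
NO_COMMENT_PAYLOAD = "admin' or '1'='1"

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, BYPASS_PAYLOAD, "anything"))      # first row: the admin
    print(login_vulnerable(db, NO_COMMENT_PAYLOAD, "anything"))  # None: password still checked
    print(login_safe(db, BYPASS_PAYLOAD, "anything"))            # None: payload is just a string
    print(login_safe(db, "admin@juice-sh.op", "admin-secret"))   # legitimate login still works
```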

Lessons Learned and Things Worth Mentioning: 

  1. Burp Suite would very much like for you to buy the professional edition. They show this by heavily throttling the rate at which Intruder sends requests.
  2. Cheat sheets are a real time saver. After finding this, I created an entirely new wordlist in my /usr/share/wordlists directory for this. If it’s handy here, it will likely be handy elsewhere.
  3. Sanitizing user input in every single field which is sent to your server is vital to prevent not only SQL injection, but also cross-site scripting attacks.
