Hacking OWASP’s Juice Shop Pt 46: User Credentials

Challenge: 

Name: User Credentials

Description: Retrieve a list of all user credentials via SQL Injection.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

None.

Resources used:

Database Schema

Methodology: 

The expanded description makes it fairly obvious that this challenge will be very similar to the Database Schema challenge, for which a special SQL injection payload had to be crafted. This time the target is only the user credential table, so it’s handy to have an idea of what the table entries look like. To gather that information, you can complete either the Database Schema or the Administration Section challenge. The Admin Section challenge requires a few additional steps, using the browser’s developer tools to track down the authentication-details.json file. The end result, however, is the set of information below, which is what the database tracks about each user.

[Screenshot: one user entry from authentication-details.json, showing the fields createdAt, deletedAt, deluxeToken, email, id, isActive, lastLoginIp, password, profileImage, role, totpSecret, updatedAt and username.]

Knowing this, it’s just a matter of crafting an SQL query and wrapping it in the injection syntax ("q=word')) … query … --") we used in the Database Schema challenge, on the same vulnerable URL. We know from the Database Schema challenge that the query we craft must seek nine data columns from the User table, and also that there are more than nine columns in that particular table, so the query is somewhat customizable in terms of what data you’re looking to extract from the database. In my case, I chose id, email, password, role, isActive, username, createdAt, deletedAt, and totpSecret. My query was "none')) UNION SELECT id, email, password, role, isActive, username, createdAt, deletedAt, totpSecret FROM Users--". I then added that query string to the /rest/products/search?q= URL and hit enter.

[Screenshot: browser JSON view of the localhost:3000/rest/products/search response for the injected query. The status is "success", and each entry in data carries user values (email addresses, password hashes, and roles such as "admin" and "customer") under the product field names name, description, price, deluxePrice, image, createdAt, updatedAt and deletedAt.]

You successfully solved a challenge: User Credentials (Retrieve a list of all user credentials via SQL Injection.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet
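
The nine-column UNION from the methodology only works when the search term is concatenated into the SQL text. The following is an added example, not Juice Shop's own code: it runs the page's query against an in-memory SQLite database, once through a concatenated query and once through a parameterized one. The table layouts, sample rows, the shape of the flawed query and all function names are assumptions made for illustration.

```python
import sqlite3

# The query string quoted in the methodology above.
PAGE_PAYLOAD = ("none')) UNION SELECT id, email, password, role, isActive, "
                "username, createdAt, deletedAt, totpSecret FROM Users--")

def make_db():
    # Constructed sample data: a nine-column Products table (the column count
    # the UNION has to match) and a cut-down Users table with one fake user.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products (id, name, description, price, deluxePrice,
                               image, createdAt, updatedAt, deletedAt);
        CREATE TABLE Users (id, email, password, role, isActive, username,
                            createdAt, deletedAt, totpSecret);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'fresh', 1.99, 0.99,
                                     'apple.jpg', '2020', '2020', NULL);
        INSERT INTO Users VALUES (1, 'user@example.test', 'CONSTRUCTED_HASH',
                                  'customer', 1, '', '2020', NULL, '');
    """)
    return db

def search_vulnerable(db, q):
    # Assumed shape of the flawed search: q is pasted into the SQL text, so a
    # quote plus two parentheses in q end the WHERE clause and the rest of q
    # is parsed as SQL. The trailing "--" comments out what follows.
    sql = ("SELECT * FROM Products WHERE ((name LIKE '%" + q + "%' "
           "OR description LIKE '%" + q + "%') "
           "AND deletedAt IS NULL) ORDER BY name")
    return db.execute(sql).fetchall()

def search_parameterized(db, q):
    # Hardened form: the SQL text is fixed and q is bound as a value, so
    # quotes, parentheses and "--" inside it are only ever matched as text.
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    pattern = "%" + q + "%"
    return db.execute(sql, (pattern, pattern)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal search:", search_vulnerable(db, "apple"))
    print("concatenated, page query:   ", search_vulnerable(db, PAGE_PAYLOAD))
    print("parameterized, page query:  ", search_parameterized(db, PAGE_PAYLOAD))
```

Both functions return the same product row for an ordinary search term; only the concatenated one returns rows from Users, laid out in product-shaped columns as in the screenshot above.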

Lessons Learned and Things Worth Mentioning: 

I’m slowly getting better at SQL queries. Despite earning an A in my Databases class, and having planned, diagrammed, and implemented a MySQL database using PHP, injection attacks felt awkward for a long time. It’s nice to see that progress.
