Friday, 23 July 2021

Quine sql Injection

What is Quine? let's refer to Wiki.

A quine is a computer program which takes no input and produces a copy of its own source code as its only output. The standard terms for these programs in the computability theory and computer science literature are self-replicating programs,self-reproducing programs, and self-copying programs

There is good example wargame problem which is ouroboros golf of Webhacking.kr.

Below is the problem code:
<?php
  include "../../config.php";
  login_chk();
  print_best_golfer(73);
  $db = dbconnect("ouroboros");
  if(preg_match("/\./i", $_GET['pw'])) exit("No Hack ~_~");
  $query = "select pw from prob_ouroboros where pw='{$_GET['pw']}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['pw']) echo "<h2>Pw : {$result['pw']}</h2>";
  if(($result['pw']) && ($result['pw'] === $_GET['pw'])){
    // !!THIS IS PAYLOAD GOLF CHALLENGE!!
    // My solution of ouroboros golf is 210byte.
    // If your solution is shorter than mine, you will get 5 point per 1 byte.
    $len = 210 - strlen($_GET['pw']);
    if($len > 0){
      solve(73,$len * 5);
    }
    else{
      echo "<h2>nice try :)</h2>";
    }
  }
  highlight_file(__FILE__);
?>

I should inject a SQL query, it will be $_GET['pw']. and the SQL query will run to DB, and return the result as per the code $result['pw'].

Next, the $reuslt['pw'] should be exist and same as my input. ($result['pw'] === $_GET['pw']).

Last, the payload should be less than 210 lengths.

Now, it sounds like time to make a Quine Generator for SQL. We can use replacement mothod, indirect ($) replacement method and union select.

We can pseudocode the simple replacement as follow:
'union+select+replace(replace('"union+select+replace(replace("$",char(34),char(39)),char(36),"$")as+a%23',char(34),char(39)),char(36),'"union+select+replace(replace("$",char(34),char(39)),char(36)"$")as+a%23')as+a%23

It makes same $result['pw'] and $_GET['pw']. You could reduce the length. For your Quine practice, I don't put a correct answer here.

END

Tuesday, 13 July 2021

Android Reverse Engineering and modifying apk.

When to conduct penetration tests about Android applications, this is a small piece to help you.

It is easy to decompile and repack android apps (apk). 

The following list describes some android terms:

  • Smali disassembled Java opcodes in textual format generated by baksmali, a DEX format disassembler

  • App Manifest: XML file that provides essential app information

Basic static analysis provides a general understanding of the mobile application's structure. the apktool can help to decompile the app's resources.

$apktool d -o ./sample sample.apk

The apk could contains meta information in AndroidManifest.xml file, and other files as per below:

  • AndroidManifest.xml
  • classes.dex
  • res/
  • lib/
  • META-INF

We could update source codes on in the disassembled class files (smali).

There are few methods to update smali files.
  • Manually add/edit/remove smali code. We should learn about smali code. This URL may be useful. In this case, JD GUI and jadx-gui are useful tools.
  • You build new android app with your android java code, and disassemble the apk to extract the smali code.

After update the smali code, you could build an updated apk using apktool.

$apktool b -o sample_new.apk ./sample

Next, we could create key and sign.

$keytool -genkey -v -keystore resign.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000  
 $jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore resign.keystore sample_new.apk alias_name  


If you know how to use smali language, you can modify apk much easier.


Reference:

1. OWASP MASVS - https://github.com/OWASP/owasp-masvs/releases/