1
00:00:00,140 --> 00:00:04,720
Hello, and welcome to the new video of Android Security and Exploitation by

2
00:00:04,720 --> 00:00:09,470
Pentester Academy. My name is Aditya and I'm your course instructor for this entire

3
00:00:09,470 --> 00:00:15,240
training series. So this course is being run on PentesterAcademy.com and you can

4
00:00:15,240 --> 00:00:21,720
also check out the certifications at securitytube-training.com. So this

5
00:00:21,720 --> 00:00:26,780
particular video is about the Damn Insecure and Vulnerable Application, also

6
00:00:26,780 --> 00:00:31,930
known as DIVA. And in this particular video, we'll have a look at one of the

7
00:00:31,930 --> 00:00:39,060
input validation issues. Now an input validation issue can happen in multiple ways, and

8
00:00:39,060 --> 00:00:45,900
one of the ways is if the application takes the user input and passes it inside

9
00:00:45,900 --> 00:00:52,300
a SQL query and executes the SQL query as it is, leading to flaws such as

10
00:00:52,300 --> 00:00:59,060
SQL injection. Now this is a classical example of authentication bypass using

11
00:00:59,060 --> 00:01:09,860
SQL injection. So let's have a look at the exercise, which is Input Validation

12
00:01:09,860 --> 00:01:17,430
Part One. So in this exercise, the objective is to try to access all the user

13
00:01:17,430 --> 00:01:22,480
data without giving any username. It says that there are three different users by

14
00:01:22,480 --> 00:01:29,500
default, and the task is to output the data of all three different users. Now if I

15
00:01:29,500 --> 00:01:35,850
don't know what the username is, I can try something such as "test", where it says "user test

16
00:01:35,850 --> 00:01:41,590
not found." So in order to look deeper inside this vulnerability, let's

17
00:01:41,590 --> 00:01:55,710
have a look at the source code. So this is the Input Validation One, which is

18
00:01:55,710 --> 00:02:02,392
somewhere over here, or the SQLInjectionActivity.java. So let's open

19
00:02:02,392 --> 00:02:12,240
it up, and if you look here, it takes the search text, which is the text that you

20
00:02:12,240 --> 00:02:21,388
enter over here, puts it inside a variable called srchtxt, and passes it inside a SQL

21
00:02:21,388 --> 00:02:29,169
query as SELECT * FROM sqliuser WHERE username equals whatever you have

22
00:02:29,169 --> 00:02:42,150
entered. Now in these kinds of cases what we can do is pass in a malicious

23
00:02:42,150 --> 00:02:49,851
string such as "1' or '1' = '1'", making sure that this particular string in

24
00:02:49,851 --> 00:02:55,032
SQL will always be true, and this is because we're using a conditional OR

25
00:02:55,032 --> 00:03:05,719
operator over here. So let's say the SQL query is this one, SELECT * FROM

26
00:03:05,719 --> 00:03:13,866
sqliuser WHERE user equals this particular value. Let's also copy the

27
00:03:13,866 --> 00:03:20,673
closing tags, which is this one. And this is what the application is essentially

28
00:03:20,673 --> 00:03:28,397
doing. And it places the user text, whatever we have entered. Now, if we

29
00:03:28,397 --> 00:03:35,262
enter something like "admin", it tries to select the user admin from the table. And

30
00:03:35,262 --> 00:03:40,849
if the argument does not exist, it simply returns a false. But if we try something

31
00:03:40,849 --> 00:03:48,102
like this, our string "1' or '1' = '1'" in place of the user, the string

32
00:03:48,102 --> 00:03:55,559
becomes SELECT * FROM sqliuser WHERE user equals either one, or the other condition

33
00:03:55,559 --> 00:04:01,816
is if one equals one. And since one equals one is always going to be true,

34
00:04:01,816 --> 00:04:08,130
this entire statement is going to evaluate true and all the users' information will

35
00:04:08,130 --> 00:04:18,020
be dumped. So let's try this over here. "1' or '1' = '1'", and we add

36
00:04:18,020 --> 00:04:23,860
everything after this as a comment, so the two hyphens, and we click on search, and

37
00:04:23,860 --> 00:04:31,230
we see the entire information of all the users. And this is how a SQL injection

38
00:04:31,230 --> 00:04:38,190
in an Android application takes place. Now also, another thing to note is that this

39
00:04:38,190 --> 00:04:43,090
particular vulnerability will be mostly applicable in applications which are doing

40
00:04:43,090 --> 00:04:49,520
something locally, because it's taking the user input and passing it inside the local

41
00:04:49,520 --> 00:04:57,310
SQLite query and executing it. So that's all for this short video. I hope you like

42
00:04:57,310 --> 00:05:02,060
the video, and if you have any feedback or queries feel free to reach out to me

43
00:05:02,060 --> 00:05:06,060
@adi1391 on Twitter, or you can send an email to me at

44
00:05:06,060 --> 00:05:11,120
adi@attify.com. Check out the certifications at

45
00:05:11,120 --> 00:05:16,000
securitytube-training.com. That's all. Thank you.
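The query pattern the instructor walks through, placed beside its parameterised fix, as an added example written for this transcript. It is not DIVA's source code and not the instructor's code: the class name SqliUserLookup, the method names, the SQLiteDatabase field, and the column name `user` (taken from the query as read out in the video) are assumptions. The unsafe method keeps the behaviour the video describes (the search text is concatenated into the SQL string); the safe method binds the same text as a query parameter through Android's `SQLiteDatabase.rawQuery(String, String[])`, so quote characters in the input are compared as data rather than parsed as SQL.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper class (not part of DIVA) contrasting the concatenated
// query shown in the video with a bound-parameter version of the same lookup.
public class SqliUserLookup {
    private final SQLiteDatabase db; // assumed to be an already-opened database

    public SqliUserLookup(SQLiteDatabase db) {
        this.db = db;
    }

    // Vulnerable pattern as described in the video: srchtxt is spliced directly
    // into the SQL text, so an input such as  1' or '1'='1'--  turns the WHERE
    // clause into a condition that is true for every row.
    public Cursor lookupUnsafe(String srchtxt) {
        String sql = "SELECT * FROM sqliuser WHERE user = '" + srchtxt + "'";
        return db.rawQuery(sql, null);
    }

    // Hardened form: the SQL text is fixed and the user input travels separately
    // as a bound argument. SQLite compares the whole input string against the
    // user column; it is never interpreted as SQL syntax, so the same payload
    // simply matches no user.
    public Cursor lookupSafe(String srchtxt) {
        return db.rawQuery("SELECT * FROM sqliuser WHERE user = ?",
                           new String[] { srchtxt });
    }

    // Reads the usernames out of a result cursor and closes it. Used the same way
    // for both lookups, which makes the difference easy to see in a quick test:
    // the unsafe path returns all three default users for the payload, the safe
    // path returns an empty list.
    public static List<String> usernames(Cursor c) {
        List<String> out = new ArrayList<>();
        try {
            int idx = c.getColumnIndexOrThrow("user");
            while (c.moveToNext()) {
                out.add(c.getString(idx));
            }
        } finally {
            c.close();
        }
        return out;
    }
}
```

The same protection is available through `SQLiteDatabase.query(...)` with a `selection` of `"user = ?"` and the input passed in `selectionArgs`; either way, the check a reviewer applies is that no string built from user input ever reaches the SQL text itself. Because the video notes that this pattern shows up in apps querying a local SQLite database, that review is worth doing on every `rawQuery` or `execSQL` call that takes a concatenated string, not only on ones that talk to a backend.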