Time-Based SQL Injection to Dumping the Database

Hello all!. I hope Everyone is fine and I am here sharing my new recent vulnerability I found on an Android Application. The Android Application is an asset tracking application and I am not allowed to disclose the Application name, so I am sorry about that. Let’s get started…

SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.

So I was testing an asset tracking application for finding vulnerabilities and it’s an android application. I quickly installed the app and reverse-engineered it to check for hardcoded secrets luckily I founded nothing.

Then I used objection to bypass the SSL Certificate Pinning and then noticed that the Application is using Content-Type: application/json; charset=UTF-8 as the content type which exactly means the application using JSON request body to perform the actions.

So I quickly thought that if we could trigger an activity without any authorization then there is gonna be a huge impact on the Application. So I gathered all the activities from MOBSF. One of the activity caught my attention that is there are 2 dashboard activities are present in that application.

I used to trigger the first activity,

com.abc.xyz.view.activity.DashboardActivity => activity 1com.abc.xyz.view.activity.DashboardActivitySecond => activity 2

The dashboard of the application is opened and the default pages are present. Then I looked dor another activity to see if I can get anything and the activity called com.abc.xyz.view.activity.SearchActivity is present and it is triggered successfully.

There is a lot of information is required to search the exact information we are looking for and I entered all of them. The JSON body in that request took my attention, so I decided to check for injection vulnerabilities.

Attack surface

That abc_serial_no object took my attention so I just added to that object and see what happens and the server resulted in 500 INTERNAL SERVER ERROR. So this Object is vulnerable to perform SQL Injection.

I quickly copied the POST request to the file and passed it into the sqlmap to automate the process so I can find the backend database.

Backend Database

And the Backend Database is PostgreSQL. At the first time when I tried to get the database banner sqlmap shown me that the JSON object abc_serial_no is vulnerable to time-based SQL injection. So I applied the payload and observed that the response from the server response is 5,044ms delayed which is working as expected the payload I injected is abc_serial_no”:”1' AND 9520=(SELECT 9520 FROM PG_SLEEP(5)) AND ‘GRTs’=’GRTs”

Time-Based SQL Injection

So then I quickly tried to retrieve the database by using sqlmap as below,

Retrieving Database

Security Researcher | Security Engineer | Security Nerd…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store