Beginner Android Penetration Testing

Attacking the Database - SQLite Injection

Task 1 Attacking the Database - SQLite Injection

Learning Objectives

  • Locate an app's SQLite database file on the emulator.
  • Use the sqlite3 command-line tool to query the database.
  • Exploit a SQL injection vulnerability to bypass a login.

Introduction

Android apps commonly use SQLite for local storage. If an app takes user input and builds a database query by concatenating that input into the SQL string, rather than binding it as a parameter, an attacker can inject SQL of their own. Because the database lives on the device rather than on a server, this is called a Local SQL Injection: the immediate impact is reading or modifying data the app stores locally, including records the current user should not be able to see.

Target App

Use DIVA Android App -> Exercise 7: "Input Validation Issues - Part 1".

Practical Tasks

Task 1: Locate the Database

  1. Run the DIVA app on your emulator. Go to the exercise and try to search for a user.

  2. Find the app's package name: jakhar.aseem.diva.

  3. Open an adb shell. The app's private directory under /data/data is readable only by the app's own UID and by root, so this step needs a rooted device or an emulator image on which adb root works (Google APIs images do, Google Play images do not):

    adb shell
    cd /data/data/jakhar.aseem.diva/databases/
    ls
    
  4. You should see one or more SQLite database files; the one this exercise uses is likely DIVA. Note the exact file name, because you will open it in the next task.

Task 2: Query the Database Manually

  1. Open the database with sqlite3 (if the emulator image ships without a sqlite3 binary, adb pull the file to your host and open it there with the desktop sqlite3 instead):

    sqlite3 DIVA
    
  2. Your Mission:

    • List all tables: .tables
    • View the schema: .schema
    • Dump all data from a table: SELECT * FROM users; (or whatever table you find).

Task 3: Exploit the SQL Injection

  1. Back in the DIVA app, the exercise screen offers a search feature that looks a user up in the database.
  2. Your Mission: The app asks for a user to search for. Instead of an ordinary value such as 1, try entering: 1' OR '1' = '1
  3. Expected Result: The app returns every row of the table, including credentials for users you should not be able to see. The field may be labelled as a user ID or a username; the payload works either way, because the app wraps whatever you type in single quotes.
  4. Why it works: The vulnerable query is assembled by string concatenation, roughly "SELECT * FROM users WHERE id = '" + user_input + "'". Your input closes the quoted value early and appends a second condition, so the query becomes ... WHERE id = '1' OR '1' = '1'. The trailing quote the app appends is absorbed by the final '1 of your payload, so the statement stays syntactically valid, and '1' = '1' is true for every row.
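To make the mechanism concrete, here is an added example (not code from DIVA or from this room) that rebuilds the concatenated query in Python's built-in sqlite3 module, runs the tautology payload from step 2 plus a comment-based variant against a constructed in-memory users table, and contrasts it with the parameterised form an app should use. The table layout, column names and rows are assumptions made for the example, not DIVA's real schema.

```python
import sqlite3

# Constructed sample data for this example only: a table shaped like the
# tutorial's hypothetical "users" table. Column names and rows are
# assumptions, not DIVA's real schema.
SAMPLE_USERS = [
    (1, "admin", "passwd123"),
    (2, "diva", "p@ssword"),
    (3, "john", "password123"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, user_input):
    """Builds the query by string concatenation, the pattern the tutorial
    describes: attacker-controlled text is parsed as part of the SQL."""
    query = "SELECT * FROM users WHERE id = '" + user_input + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_input):
    """Hardened form: the value is passed as a bound parameter, so SQLite
    treats it as data no matter which characters it contains."""
    return conn.execute(
        "SELECT * FROM users WHERE id = ?", (user_input,)
    ).fetchall()


# Three inputs: a benign lookup, the tautology from the text, and a variant
# that generalises it by using a "--" comment to discard the app's trailing
# quote instead of balancing it.
PAYLOADS = {
    "benign": "1",
    "tautology": "1' OR '1' = '1",
    "comment": "1' OR 1=1 --",
}


def compare(conn):
    """Return {payload name: (row count from the vulnerable query,
    row count from the parameterised query)}."""
    results = {}
    for name, value in PAYLOADS.items():
        results[name] = (
            len(vulnerable_lookup(conn, value)),
            len(safe_lookup(conn, value)),
        )
    return results


if __name__ == "__main__":
    db = build_db()
    for name, (vuln_rows, safe_rows) in compare(db).items():
        print(f"{name:10s} vulnerable={vuln_rows} rows  parameterised={safe_rows} rows")
```

The benign input returns one row either way. Both injected inputs return all three rows from the concatenated query, but zero rows from the parameterised one: with binding, the whole payload is compared against the id column as a single text value and matches nothing. The same distinction applies on Android, where SQLiteDatabase.rawQuery() accepts a selectionArgs array for exactly this purpose.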

Summary

  • SQLite databases are stored in /data/data/<package-name>/databases/.
  • You can directly query them using sqlite3 on a rooted device/emulator.
  • Unsanitized user input concatenated into SQL queries leads to SQL Injection, allowing an attacker to dump or modify database contents.
  • The fix is to bind user input as query parameters (for example, the selectionArgs argument of SQLiteDatabase.rawQuery() or query()) rather than building the SQL string by concatenation.