InjuredAndroid 1-5
2021-02-14 Tide安全團隊一、簡述
該項目來自 Kyle B3nac ,是一名全職安全研究員、CTF出題人、漏洞賞金獵人。
該項目是一個Android application靶場,基於漏洞挖掘、漏洞利用,以CTF的形式呈現。
作者建議反編譯apk來解題,那就jadx-gui吧。
前五題難度不大,適合初學者練手。
註:FLAG已作打碼處理
Github:https://github.com/B3nac/InjuredAndroid
作者對這個項目的介紹:https://twitter.com/B3nac/status/1317185026677641218?s=20
二、writeup1、XSSTEXTXSSTEST is just for fun and to raise awareness on how WebViews can be made vulnerable to XSS.
當前Actvity為 XSSTextActivity ,反編譯,看一下程序對輸入值的處理過程:
public void submitText(View view) {
Intent intent = new Intent(this, DisplayPostXSS.class);
intent.putExtra("com.b3nac.injuredandroid.DisplayPostXSS", ((EditText) findViewById(R.id.editText)).getText().toString());
startActivity(intent);
}輸入的text作為參數直接傳給 com.b3nac.injuredandroid.DisplayPostXSS
public final class DisplayPostXSS extends C0459c {
/* access modifiers changed from: protected */
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
WebView webView = new WebView(this);
setContentView((View) webView);
String stringExtra = getIntent().getStringExtra("com.b3nac.injuredandroid.DisplayPostXSS");
WebSettings settings = webView.getSettings();
C2646d.m10664b(settings, "vulnWebView.settings");
settings.setJavaScriptEnabled(true); // 開啟WebView的js執行
webView.setWebChromeClient(new WebChromeClient());
webView.loadData(stringExtra, "text/html", "UTF-8");
}
}
在該段代碼中,可以得到程序新建了一個WebView,並開啟了其執行JS的能力。
在這使用最簡單的xss payload: <script>alert('xss')</script> ,即可。
![]()
這個例子簡單直觀的展示了開發者如何導致WebView存在XSS漏洞。
2、 FLAG ONE - LOGIN輸入字符串來驗證是否為FLAG
![]()
反編譯之後,可以看到點擊Button後的處理過程,輸入的字符串直接與明文FLAG進行對比:
![]()
輸入flag:
![]()
3、 FLAG TWO - EXPORTED ACTIVTY![]()
繞過main activity 來調用其他可導出的activities
這裡使用dorzer:
dz> run app.activity.info -a b3nac.injuredandroid
Package: b3nac.injuredandroid
b3nac.injuredandroid.CSPBypassActivity
Permission: null
b3nac.injuredandroid.RCEActivity
Permission: null
b3nac.injuredandroid.ExportedProtectedIntent
Permission: null
b3nac.injuredandroid.QXV0aA
Permission: null
b3nac.injuredandroid.DeepLinkActivity
Permission: null
b3nac.injuredandroid.MainActivity
Permission: null
b3nac.injuredandroid.b25lActivity
Permission: null
b3nac.injuredandroid.TestBroadcastReceiver
Permission: null
com.google.firebase.auth.internal.FederatedSignInActivity
Permission: com.google.firebase.auth.api.gms.permission.LAUNCH_FEDERATED_SIGN_IN
依次打開可被導出的組件:
dz> run app.activity.start --component b3nac.injuredandroid b3nac.injuredandroid.ExportedProtectedIntent
dz> run app.activity.start --component b3nac.injuredandroid b3nac.injuredandroid.CSPBypassActivity
dz> run app.activity.start --component b3nac.injuredandroid b3nac.injuredandroid.QXV0aA
dz> run app.activity.start --component b3nac.injuredandroid b3nac.injuredandroid.b25lActivity //this one
![]()
4、FLAG THERE - RESOURCES![]()
看一下Button被觸發後的處理流程:
public final void submitFlag(View view) {
EditText editText = (EditText) findViewById(R.id.editText2);
C2646d.m10664b(editText, "editText2");
if (C2646d.m10663a(editText.getText().toString(), getString(R.string.cmVzb3VyY2VzX3lv))) { // 對比
Intent intent = new Intent(this, FlagOneSuccess.class);
new FlagsOverview().mo6178L(true);
new C1464j().mo6221b(this, "flagThreeButtonColor", true);
startActivity(intent);
}
}在這,使用apktool來反編譯apk
apktool d InjuredAndroid-1.0.10-release.apk -o injured
在values/strings可以看到cmVzb3VyY2VzX3lv的值:
![]()
輸入flag:
![]()
5、FLAG FOUR - LOGIN2依然是輸入flag,進行驗證:
![]()
分析觸發Button時的處理邏輯:
public final void submitFlag(View view) {
EditText editText = (EditText) findViewById(R.id.editText2);
C2646d.m10664b(editText, "editText2");
String obj = editText.getText().toString(); //獲取輸入
byte[] a = new C1461g().mo6220a();
C2646d.m10664b(a, "decoder.getData()");
if (C2646d.m10663a(obj, new String(a, C2672c.f6838a))) { // compare
Intent intent = new Intent(this, FlagOneSuccess.class);
new FlagsOverview().mo6175I(true);
new C1464j().mo6221b(this, "flagFourButtonColor", true);
startActivity(intent);
}
}
依次分析
byte[] a = new C1461g().mo6220a();
package b3nac.injuredandroid;
import android.util.Base64;
/* renamed from: b3nac.injuredandroid.g */
public class C1461g {
/* renamed from: a */
private byte[] f4478a = Base64.decode("NF9vdmVyZG9uZV9vbWVsZXRz", 0);
//Base64.decode("NF9vdmVyZG9uZV9vbWVsZXRz", DEFAULT); 自行decode 得到flag
/* renamed from: a */
public byte[] mo6220a() {
return this.f4478a;
}
}
可得:a = Base64.decode("NF9vdmVyZG9uZV9vbWVsZXRz", 0);
if函數的條件
C2646d.m10663a(obj, new String(a, C2672c.f6838a)) //比對obj(即輸入)和a的值
分析 C2672c.f6838a 函數
Charset forName = Charset.forName("UTF-8");
C2646d.m10666d(forName, "Charset.forName(\"UTF-8\")");
f6838a = forName;
所以該函數可以簡化為:
C2646d.m10663a(obj, new String(a, "UTF-8")) //compare
輸入flag
![]()
三、Overview
整個靶場共18項,flag項共17個。
輸入flag:
三、Overview相關焦點
-
5步搞定android混淆
-
[實踐] Android5.1.1源碼 - 讓某個APP以解釋執行模式運行
本文的實踐修改了Android5.1.1的源碼。本文只簡單的講了一下原理。在「實踐」一節講了具體做法。 -
3 killed, 300 injured in Yunnan quake
Yesterday's 5:34 am quake shook the old town of the Hani and Yi Autonomous County of Ning'er, about 80 km from Pu'er, according to the China Earthquake Administration. -
5 injured in Venice as cruise ship slams into tourist boat
Local officials said five women aboard the riverboat were injured.Earlier, medical authorities said four of the women - a US citizen, a New Zealander and two Australians between the ages of 67 and 72 - were injured falling or trying to run away when the cruise -
HttpComponents Client for Android 4.3.5.1 發布
HttpComponents Client for Android 4.3.5.1 發布,此版本修復了大量關於 Android 對原始 HttpClient 4.3.5 代碼作為基礎的 Android -
Android Systrace 基礎知識(5) - SurfaceFlinger 解讀
本文是 Android Systrace 系列文章的第五篇,主要是對 Android 系統中的 SurfaceFlinger 進行簡單介紹,介紹了 SurfaceFlinger 中幾個比較重要的線程,包括 Vsync 信號的解讀、應用的 Buffer 展示、卡頓判定等,由於 Vsync 這一塊在Systrace 基礎知識 - Vsync 解讀[1] -
At least two injured in Shenzhen subway escalator accident
SHENZHEN -- At least two people were injured in an escalator accident at a subway station in Shenzhen City, south China's Guangdong Province, on Sunday night. -
271 injured in Shanghai's subway crash
SHANGHAI - Signal failure is being blamed for a subway train crash that injured more than 271 passengers. -
【學習】Android入門開發2-5RadioButton
2-5RadioButtonRadioButton就是類似於html的表單中的單選。 -
Four dead, 41 injured in Nigerian church blast
JOS, Nigeria -- At least four people were feared dead and 41 others were injured in a fresh blast on Sunday in a church in Jos, capital of north-central Nigeria's -
4 killed, dozen injured in Phuket pub fire
BANGKOK -- Four people, believed to be foreign tourists, were killed and a dozen others injured in a massive fire which ripped a disco pub on Thailand's southern resort -
Android-HIDL實例解析
@1.0.so VNDK-core: android.hardware.media.omx@1.0.so VNDK-core: android.hardware.media@1.0.so VNDK-core: android.hardware.memtrack@1.0.so+VNDK-core: android.hardware.naruto@1.0.so VNDK-core -
android 排列 - CSDN
linearLayout中有一個重要的屬性 android:layout_weight="1",這個weight在垂直布局時,代表行距;水平的時候代表列寬;weight值越大就越大。線形布局中預覽和真機中完全一樣。TextView佔一定的空間,沒有賦值也有一定的寬高,要特別注意。 -
12 people injured in cinema blast in Karachi of Pakistan
ISLAMABAD -- At least 12 people were injured when a blast ripped through a cinema in Pakistan's southern port city of Karachi on Sunday night, according to police. -
Android實現快遞時間軸功能
c.drawText("2018.4.03",Text_x+5,Text_y+20,mPaint2); break; case 1: c.drawText("13:40",Text_x,Text_y,mPaint1); -
AOP編程_Android優雅權限框架(1)概念基礎
正文大綱1、Demo地址2、本文所涉技術盤點3、關於Android權限的梗4、初級/中級/高級android開發的權限請求寫法5、AOP優雅權限框架詳解 gradle配置 Java代碼6、AOP思想以及常用AOP框架 -
燃氣洩露爆炸致死傷 8killed 3 injured
燃氣洩漏爆炸致死傷 8 killed 3 injured一、怎麼「讀」 ?「用了」英語沒有? -
39 Injured in Guangxi School Stabbing, Suspect Detained
Police have apprehended a security guard suspected of carrying out Thursday morning’s attackTwo people have been seriously injured -
Android壓力測試Monkey工具
二、 Monkey的特徵1、測試的對象僅為應用程式包,有一定的局限性。2、 Monky測試使用的事件流數據流是隨機的,不能進行自定義。3、可對MonkeyTest的對象,事件數量,類型,頻率等進行設置。 -
Android Crash 案例解決方案
* */ int[] array = null; // 1.以下代碼就會引起IndexOutOfBoundsException異常1.當Button控制項聲明android:onClick="IllegalStateException" 卻未在Java代碼中使用時,點擊Button,就會出現此類異常。1.