2025-03-30 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains in detail how to carry out an authorized penetration test of an Android APK. It is shared for reference; after reading it you should have a working understanding of the steps involved.

As a newcomer to penetration testing, my aim in this article is to offer some testing ideas to other newcomers like me. The content is fairly basic, so experienced readers please bear with me.

Unpacking the APK. Once you have the APK, you can extract it directly with 7-Zip to obtain several folders, an AndroidManifest.xml file and one or more .dex files. Converting a dex file with dex2jar (https://sourceforge.net/projects/dex2jar/) produces a jar file, and you can then read the Java source with jd-gui. You can certainly look for vulnerabilities in that source, but it will usually be obfuscated, and this article does not go into that.

Do not overlook the AndroidManifest.xml file: it holds a number of important configuration items, such as:
- android:debuggable="true" on the <application> element: the app can be attached to and debugged by anyone.
- android:allowBackup="true" on the <application> element (this is also the default when the attribute is absent): app data can be exported with adb backup.
- and so on.

Note that the AndroidManifest.xml extracted with 7-Zip is in Android's binary XML format and is not directly readable; decode the APK with apktool (or another AXML decoder) to get the plain-text manifest.

One more point that may come up in practice: after extracting the APK, try searching the extracted tree for .db files and inspect them for sensitive information (why? because I came across it once). From a Windows command prompt (this is cmd.exe for /r syntax, not PowerShell), the following lists every .db file under the source-code directory:
for /r F:\source-code %I in (*.db) do @echo %I
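The two checks above (manifest attributes, and SQLite .db files under the extracted tree) can be automated. The following is an added example and not code from the original article; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest, directory and database it builds are constructed for the demo. It goes slightly beyond the text by also listing exported activities and by looking at cell values, not only column names.

```python
"""Added example (not from the original article): after extracting an APK,
check the decoded AndroidManifest.xml for risky <application> attributes and
scan any SQLite .db files for strings that look like secrets.

Assumptions: the manifest has been decoded to plain XML (e.g. with apktool);
the .db files are ordinary, unencrypted SQLite databases. The manifest text
and the database created below are constructed for the demo."""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest, in the form apktool decodes it to.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo"
               android:debuggable="true"
               android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
  </application>
</manifest>
"""


def manifest_findings(manifest_xml: str) -> dict:
    """Return the security-relevant <application> attributes.

    allowBackup defaults to true when the attribute is absent, so a missing
    attribute is reported as True; debuggable defaults to False."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("no <application> element in manifest")

    def attr(name, default):
        value = app.get("{%s}%s" % (ANDROID_NS, name))
        return default if value is None else value.lower() == "true"

    exported = [a.get("{%s}name" % ANDROID_NS)
                for a in app.findall("activity")
                if a.get("{%s}exported" % ANDROID_NS, "").lower() == "true"]
    return {
        "debuggable": attr("debuggable", False),
        "allowBackup": attr("allowBackup", True),
        "exported_activities": exported,
    }


SECRET_PATTERN = re.compile(r"(passw(or)?d|token|secret|api[_-]?key)", re.I)


def scan_sqlite_dbs(root_dir: str) -> list:
    """Walk root_dir like `for /r ... (*.db)`, open each SQLite file and return
    (path, table, column) triples whose column name or cell text looks sensitive."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".db"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                con = sqlite3.connect(path)
                tables = [r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table'")]
                for table in tables:
                    cols = [c[1] for c in con.execute('PRAGMA table_info("%s")' % table)]
                    for col in cols:
                        if SECRET_PATTERN.search(col):
                            hits.append((path, table, col))
                            continue
                        # column name is harmless; look at the values themselves
                        for row in con.execute('SELECT "%s" FROM "%s"' % (col, table)):
                            if isinstance(row[0], str) and SECRET_PATTERN.search(row[0]):
                                hits.append((path, table, col))
                                break
                con.close()
            except sqlite3.DatabaseError:
                continue  # not a SQLite file, or encrypted (e.g. SQLCipher)
    return hits


def build_demo_tree() -> str:
    """Create a constructed extraction directory holding one SQLite .db."""
    d = tempfile.mkdtemp(prefix="apk-demo-")
    os.makedirs(os.path.join(d, "assets"))
    con = sqlite3.connect(os.path.join(d, "assets", "user.db"))
    con.execute("CREATE TABLE account (name TEXT, password TEXT, note TEXT)")
    con.execute("INSERT INTO account VALUES ('alice', 'hunter2', 'api_key=abc123')")
    con.commit()
    con.close()
    return d


if __name__ == "__main__":
    print(manifest_findings(SAMPLE_MANIFEST))
    print(scan_sqlite_dbs(build_demo_tree()))
```

An encrypted database (SQLCipher) fails the first query and is skipped; that in itself is worth noting in the report, since it tells you the app cared enough to encrypt it.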
Username enumeration. On the login page, after you enter a username the response tells you whether that username exists; this is the simplest enumeration case. In this app no password is needed to log in: you enter a registered username and the server sends a verification code to the phone bound to it. The code cannot be resent within 120 seconds and is valid for 120 seconds. At first sight there is nothing to be done with the code itself, but during testing we found that the three cases respond differently: 1. entering an existing account gives the prompt "sent successfully"; 2. sending again within the window gives "cannot resend within 120 seconds"; 3. entering a username that does not exist gives "send failed". So the time limit does nothing to stop username enumeration: brute-force the username field and use the response text to tell which usernames exist.
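A model of the "send code" endpoint just described, in its leaky form and in a hardened form, together with the enumeration loop a tester would run against it. This is an added example and not code from the original article; the user list, response strings and fixed clock are constructed for the demo.

```python
"""Added example (not from the original article): the "send verification code"
endpoint with the three distinguishable responses described above, a hardened
variant that answers identically whether or not the user exists, and the
enumeration loop that exploits the leaky one.

Assumptions: the registered users, the response strings and the clock are
constructed for the demo and stand in for the real app's values."""
import time

RESEND_WINDOW = 120  # seconds, as stated in the article


class SmsCodeEndpoint:
    def __init__(self, registered_users, leaky=True, clock=time.time):
        self.users = set(registered_users)
        self.last_sent = {}  # username -> time the last code was sent
        self.leaky = leaky
        self.clock = clock

    def send_code(self, username):
        """Return the text the app shows after the request."""
        now = self.clock()
        uniform = "if the account exists, a code has been sent"
        if username in self.users:
            if now - self.last_sent.get(username, -RESEND_WINDOW) < RESEND_WINDOW:
                # leaky: a different message for the resend case
                return "cannot resend within 120 seconds" if self.leaky else uniform
            self.last_sent[username] = now
            # (real code generation and SMS delivery would happen here)
            return "sent successfully" if self.leaky else uniform
        # unknown user: leaky says so outright, hardened answers exactly as above
        return "send failed" if self.leaky else uniform


def enumerate_users(endpoint, candidates):
    """Classify each candidate by its response. Both 'sent successfully' and
    the resend-window message confirm that the account exists, which is why
    the 120-second limit does not slow the enumeration down."""
    found = []
    for name in candidates:
        reply = endpoint.send_code(name)
        if reply in ("sent successfully", "cannot resend within 120 seconds"):
            found.append(name)
    return found


if __name__ == "__main__":
    leaky = SmsCodeEndpoint(["alice", "bob"], leaky=True)
    print(enumerate_users(leaky, ["alice", "carol", "bob", "alice"]))
    fixed = SmsCodeEndpoint(["alice", "bob"], leaky=False)
    print(enumerate_users(fixed, ["alice", "carol", "bob", "alice"]))
```

A uniform message is only half of the fix: the hardened endpoint must also take the same time and apply the same per-requester rate limit for unknown and known users, otherwise timing or the presence of the limit becomes the next oracle.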
Is a list of valid usernames useful? It depends on the scenario. In this case it fed an arbitrary verification code bypass. When logging in, the server sends an SMS code to the phone number bound to the account. We enter an account obtained in the previous step, type in any code at all, click to log in and intercept the traffic. The login fails, but the response contains two status ("code") fields. Modifying both of them in the intercepted response to their success values makes the login go through: the app decides whether the login succeeded from the status fields in the response alone.
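The bypass above, modelled end to end in one process (client, server and the intercepting proxy), beside the fix: a server-issued session token that is only handed out after the code checks out and that every later request must carry. This is an added example and not code from the original article; the user, pending code, profile data and server key are constructed for the demo, and the two-status-field response shape is an assumption modelled on the description.

```python
"""Added example (not from the original article): why rewriting the status
fields in the login response worked, and why a server-issued token stops it.

Assumptions: the pending SMS code, the profile data and SERVER_KEY are
constructed for the demo; the response layout with two 'code' fields is an
assumption modelled on the article's description."""
import hashlib
import hmac
import json

SERVER_KEY = b"demo-server-key"        # assumption: a key only the server knows
PENDING_CODES = {"alice": "482913"}    # the code the server texted to alice
PROFILES = {"alice": {"phone": "138****0000", "role": "user"}}


def issue_token(username):
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (username, mac)


def check_token(token):
    """Return the username a valid token belongs to, else None."""
    try:
        username, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def server_login(username, code):
    """Login response with the two status fields. A token is included only on
    a genuine success; the vulnerable client never looks at it."""
    ok = hmac.compare_digest(PENDING_CODES.get(username, ""), code)
    body = {"code": 0 if ok else 1,
            "data": {"code": 200 if ok else 400,
                     "msg": "ok" if ok else "wrong verification code"}}
    if ok:
        body["data"]["token"] = issue_token(username)
    return json.dumps(body)


def server_profile(username, token=None, require_token=False):
    """Profile endpoint. With require_token=True it refuses any request whose
    token was not issued for that username."""
    if require_token and check_token(token) != username:
        return {"code": 1, "msg": "unauthorized"}
    return {"code": 0, "data": PROFILES[username]}


def proxy_tamper(response_text):
    """What the tester did in Burp: flip both status fields to success."""
    body = json.loads(response_text)
    body["code"] = 0
    body["data"]["code"] = 200
    body["data"]["msg"] = "ok"
    return json.dumps(body)


def client_login(username, code, tamper=False, require_token=False):
    """The app's logic: if the status fields say success, open the profile page."""
    raw = server_login(username, code)
    if tamper:
        raw = proxy_tamper(raw)
    body = json.loads(raw)
    if body["code"] != 0 or body["data"]["code"] != 200:
        return "login failed"
    token = body["data"].get("token")  # absent when the proxy forged the success
    result = server_profile(username, token, require_token)
    if result["code"] == 0:
        return "profile: %s" % result["data"]
    return "rejected: %s" % result["msg"]


if __name__ == "__main__":
    print(client_login("alice", "000000"))                       # login failed
    print(client_login("alice", "000000", tamper=True))          # vulnerable: profile shown
    print(client_login("alice", "000000", tamper=True, require_token=True))  # rejected
    print(client_login("alice", "482913", require_token=True))   # genuine login works
```

The point is not the token format (a real app would use an expiring, server-side session) but where the decision lives: the proxy can rewrite anything the client sees, so the only decision that counts is the one the server makes on the next request.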
Function pages. After logging in successfully, click through every function. On the personal information page there is an item that shows the number of users currently online. The column shows only a number, with no arrow next to it, so at one point I thought it could not be tapped (in fact the data set was large and took a long time to load, and I had tapped back before it finished, which gave me the impression there was nothing there). Once it opened, it showed the information of every logged-in user.

Trying with different users, I found there is no permission restriction on this user information: it is visible to everyone, a clear authorization misconfiguration. In addition, the application has several query functions, and in Burp you can see that the returned packets are all JSON.
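The check behind that finding, done the way you would do it by replaying the captured requests with different sessions: each query endpoint is called once with a privileged session and once with each other session (two ordinary users and no session at all), and any endpoint that hands the same successful data to an unprivileged caller is flagged. This is an added example and not code from the original article; the mock API, sessions and data are constructed for the demo.

```python
"""Added example (not from the original article): a differential authorization
test over a mock of the app's JSON API. With enforce=False the mock behaves
like the app under test, where /online lists every logged-in user for anyone.

Assumptions: the endpoints, session tokens and data are constructed for the demo."""
import json

SESSIONS = {"admin-token": {"user": "admin", "role": "admin"},
            "u1-token": {"user": "zhang", "role": "user"},
            "u2-token": {"user": "li", "role": "user"}}
ONLINE = [{"user": "admin", "ip": "10.0.0.2"}, {"user": "zhang", "ip": "10.0.0.7"}]


def api(path, token, enforce=False):
    """Mock JSON API. Returns the raw response body as a string, like Burp shows it."""
    sess = SESSIONS.get(token)
    if path == "/online":
        if enforce and (sess is None or sess["role"] != "admin"):
            return json.dumps({"code": 403, "data": None})
        return json.dumps({"code": 0, "data": ONLINE})
    if path == "/me":
        if sess is None:
            return json.dumps({"code": 401, "data": None})
        return json.dumps({"code": 0, "data": {"user": sess["user"]}})
    return json.dumps({"code": 404, "data": None})


def access_control_diff(paths, privileged_token, other_tokens, enforce=False):
    """Return (path, token) pairs where an unprivileged session receives exactly
    the same successful data as the privileged one. /me is not flagged because
    each session gets its own record, which is the expected behaviour."""
    flagged = []
    for path in paths:
        ref = json.loads(api(path, privileged_token, enforce))
        if ref["code"] != 0:
            continue
        for tok in other_tokens:
            got = json.loads(api(path, tok, enforce))
            if got["code"] == 0 and got["data"] == ref["data"]:
                flagged.append((path, tok))
    return flagged


if __name__ == "__main__":
    others = ["u1-token", "u2-token", None]   # None = request with no session at all
    print(access_control_diff(["/online", "/me"], "admin-token", others))
    print(access_control_diff(["/online", "/me"], "admin-token", others, enforce=True))
```

Comparing whole response bodies is deliberately strict; for endpoints that legitimately return partly shared data, compare only the sensitive fields, but always include the no-session case, since an endpoint that answers without any token is the worst finding of the three.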
Since I do not have much experience, I simply tried a lot of things. Injecting into the JSON fields, SQL injection and XXE, all got nowhere. There is another parameter earlier in the request, so why not try that one? It looked promising: its value was reflected in the response. I tried an XSS payload there, and opening the request in a browser produced the pop-up.
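Why a reflected parameter pops in the browser even though the other parameters resisted injection, and the two fixes (escape on output, or serve the response as JSON with nosniff so the browser never renders it as HTML). This is an added example and not code from the original article; the three response shapes and the probe string are constructed for the demo, and the check is a simplified model of how a browser decides whether to render a body as HTML.

```python
"""Added example (not from the original article): a reflected parameter in an
HTML response beside two hardened variants, and a check that tells them apart.

Assumptions: the response shapes are constructed for the demo; the
renders-as-html rule below is a simplified model of browser behaviour
(text/html renders; a body with no Content-Type may be sniffed unless
X-Content-Type-Options: nosniff is set)."""
import html
import json

XSS_PROBE = "<script>alert(1)</script>"


def vulnerable_response(q):
    """Echoes the parameter straight into an HTML error page."""
    return {"Content-Type": "text/html"}, "<p>no results for: %s</p>" % q


def escaped_response(q):
    """Fix 1: HTML-escape untrusted data before putting it in markup."""
    return {"Content-Type": "text/html"}, "<p>no results for: %s</p>" % html.escape(q)


def json_response(q):
    """Fix 2: answer as JSON, declare it, forbid sniffing, and escape '<' so the
    body is harmless even if something later inlines it into a page."""
    body = json.dumps({"q": q, "results": []}).replace("<", "\\u003c")
    return {"Content-Type": "application/json; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}, body


def reflected_unescaped(headers, body, probe=XSS_PROBE):
    """True when the probe appears verbatim in a body the browser will treat as HTML."""
    ct = headers.get("Content-Type", "")
    renders_as_html = ct.startswith("text/html") or (
        ct == "" and headers.get("X-Content-Type-Options") != "nosniff")
    return renders_as_html and probe in body


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_response),
                     ("escaped", escaped_response),
                     ("json", json_response)):
        print(name, reflected_unescaped(*fn(XSS_PROBE)))
```

In an Android app the "browser" is often a WebView, so the same reflection matters if the app ever loads that endpoint's response into one; the JSON fix is the right one for an API that is never meant to be rendered.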
That is all on how to carry out authorized APK penetration testing. I hope the above is of some help; if you think the article is good, share it so more people can see it.