Insecure Shop Application
First I started using the application, found the login screen, and tested some creds to see how it reacts. I also tried some SQL payloads and still got the same "Invalid username and password".
So I tried to reverse the code using Jadx-gui to search for the username and saw a Boolean function called verifyUserNamePassword(); this is the function that verifies the username and the password.
When opening it I found a getUserCreds() function that has the hardcoded creds of the login page.
Now I can log in, but if I couldn't find hardcoded creds there is also another way to bypass the login: a Frida script that uses the package name (com.insecureshop.util), class name (Util), and the required function name (verifyUserNamePassword()) that appear in the Util file.
And this is the script that we can use:
Java.perform(function () { console.log("[*] Hooking InsecureShop Login Bypass");
Save it as a file like file.js, then run the Frida server on the emulator and run this command to hook the function.
frida -U -l file.js -f <Package_Name>
And I can log in without creds on the login page.
I used the Logcat command to see if the app logged the data, and it logged it in the local file system.
I can see it in the file using
cat /data/data/com.insecureshop/shared_prefs/Prefs.xml
and found the creds here.
I found WebViewActivity here with the host com.insecureshop and scheme insecureshop, and it opens when trying to access /web or /webview with the parameter url, so the final link will be something like this:
insecureshop://com.insecureshop/web?url=<URL_Link>
So I can use the ADB Activity Manager like this to open the Google website:
adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=http://google.com"
It worked and opened Google in the WebView of the application.
I can also access file data using the file:// scheme like this:
adb shell am start -n com.insecureshop/.WebViewActivity -d "insecureshop://com.insecureshop/web?url=file:///data/data/com.insecureshop/shared_prefs/Prefs.xml"
I found WebView2Activity here, the same as the previous one but without host and scheme, so I can open any file and any link without a specific scheme and host.
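A check that both WebView activities could apply to the incoming URL before loading it, as an added example that is not InsecureShop's own code. The class name DeepLinkUrlValidator and the allowlisted host shop.example.com are assumptions, and java.net.URI stands in for the Android Uri class so the block runs on a plain JDK.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example: allowlist check for the URL a deep link asks the WebView to load. */
public final class DeepLinkUrlValidator {
    // Assumption: the only host the shop legitimately renders in its WebView.
    private static final Set<String> ALLOWED_HOSTS = Set.of("shop.example.com");

    /** Returns true only for https URLs whose host is on the allowlist. */
    public static boolean isAllowed(String raw) {
        if (raw == null) return false;
        final URI uri;
        try {
            uri = new URI(raw.trim());
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never repaired
        }
        String scheme = uri.getScheme();
        // Rejects file://, http://, javascript:, content:// and relative URLs.
        if (scheme == null || !scheme.toLowerCase(Locale.ROOT).equals("https")) return false;
        String host = uri.getHost();
        // No host means an opaque or malformed authority; userinfo is refused so
        // "https://shop.example.com@other.example/" cannot pass as the shop host.
        if (host == null || uri.getUserInfo() != null) return false;
        // Exact match, so "shop.example.com.other.example" does not pass.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs, two taken from the commands above
            "https://shop.example.com/products",
            "http://google.com",
            "file:///data/data/com.insecureshop/shared_prefs/Prefs.xml",
            "https://shop.example.com@other.example/",
            "https://shop.example.com.other.example/",
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "LOAD    " : "REJECT  ") + s);
        }
    }
}
```

Only the first sample is loaded; the http and file:// URLs from the adb commands are rejected. In the app this check pairs with WebSettings.setAllowFileAccess(false) on the WebView.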
I opened the file.apk file in the APKLab extension in Visual Studio Code and edited the prices that are stored in the Smali code, then rebuilt the app, and I was able to buy all items at other prices.