Posts

Intro Download the application from introduction section of the lab. Open apk file in jadx-gui Observe Manifest file and start from MainActivity as it is exported and has schemes and mimetype in manifest. In MainActivity file we can spot the following code: private final void handleIntent() { Intent intent = getIntent(); String action = intent.getAction(); Uri data = intent.getData(); if (Intrinsics.areEqual("android.intent.action.VIEW", action) && data != null) { CopyUtil.INSTANCE.copyFileFromUri(data).observe(this, new MainActivity3(new Function1<Uri, Unit>() { We can see that the app can open URI. The code itself is a mechanism to present data to the user. So it will open the file with mimetype pdf from file,http and https link. Also we can see that there is copyFileFromUri function, which downloads a file that we submit and put it into the Downloads folder! At the same time the exact file variable is used in outFile + lastPathSegment which basically adds one thing to another without proper validation. What I mean by that is the fact that we can manipulate the outfile because file = /storage/emulated/0/Downloads/ and lastPathSegment can be ../../../../../../filewewanttooverwrite. Testing ...

Intro Python has been around for ages and it’s not a coincidence. It’s probably one of the most frequently mentioned languages nowadays and widely used. We also don’t need to go far enough for a proper example. AI tools mostly supported by Python language and those frameworks (langchain) are actively maintained. A huge amount of custom built tools are also python based. Even though it is a great language and the support is tremendous, as well as the quantity of educational materials, probably the most annoying problem for a lot of people in security is the fact that there is no good way to maintain dependency compatibility issues. ...

In this short write-up I will tell you how to solve one of the challenges on MobileHacking Lab website. Specifically Postboard lab for Android. Application We run the application and see that there is “Write your Markdown message here” field. We’ve tried a couple different messages just to see what is going on. Exactly, <script> and <script>alert(1)</script>, which were not successful and the output was just a blank line. However, payload <img src=x onerror=alert(1)> showed a message displaying 1 . ...