Documentviewer Write-up

Intro

Download the application from the introduction section of the lab and open the APK file in jadx-gui. Look at the Manifest file and start from MainActivity, as it is exported and has schemes and a mimetype declared in the manifest. In the MainActivity file we can spot the following code:

    private final void handleIntent() {
        Intent intent = getIntent();
        String action = intent.getAction();
        Uri data = intent.getData();
        // Only VIEW intents that carry a data URI are handled
        if (Intrinsics.areEqual("android.intent.action.VIEW", action) && data != null) {
            // The caller-supplied URI is passed straight to copyFileFromUri
            CopyUtil.INSTANCE.copyFileFromUri(data).observe(this, new MainActivity3(new Function1<Uri, Unit>() {

We can see that the app can open a URI. The code itself is a mechanism to present data to the user, so it will open a file with the PDF mimetype from a file, http or https link. We can also see the copyFileFromUri function, which downloads the file that we submit and puts it into the Downloads folder. At the same time, that file variable is used in outFile + lastPathSegment, which simply appends one to the other without proper validation. This means we can manipulate the output file, because file = /storage/emulated/0/Downloads/ and lastPathSegment can be ../../../../../../filewewanttooverwrite.

Testing ...

December 4, 2025 · 4 min · 692 words

Postboard Write-up

In this short write-up I will tell you how to solve one of the challenges on the MobileHacking Lab website, specifically the Postboard lab for Android.

Application

We run the application and see that there is a “Write your Markdown message here” field. We tried a couple of different messages just to see what was going on, specifically <script> and <script>alert(1)</script>, which were not successful: the output was just a blank line. However, the payload <img src=x onerror=alert(1)> showed a message displaying 1. ...

April 15, 2024 · 3 min · 465 words · K