markdown: Mobile app pentesting workshop stuff


# Prerequisites

(Preferably) Use a VPN
- AlgoVPN https://github.com/trailofbits/algo
- OpenVPN (AS) https://openvpn.net/index.php/access-server/overview.html
- 3rd party service, e.g. ProtonVPN https://protonvpn.com

Install a proxy tool of choice
- OWASP ZAP https://github.com/zaproxy/zaproxy/wiki/Downloads
- BurpSuite https://portswigger.net/burp/communitydownload

Android Studio
- On macOS: `brew install --cask android-studio`
- Manually download and install: https://developer.android.com/studio/index.html
- Install SDK Platforms: http://take.ms/kyWuF
- Install SDK Tools: http://take.ms/H5iZP

# Scope & Rules of Engagement

Read Privatbank Bug Bounty program brief
- In general: https://bugbounty.privatbank.ua/help
- Specifically: http://take.ms/LcAPX

Download Android application
- https://privatbank.ua/apps
- https://privatbank.ua/apps/privatbudzhet
- https://play.google.com/store/apps/details?id=ua.privatbank.pfm
- https://apps.evozi.com/apk-downloader/?id=ua.privatbank.pfm

# Preparation 

Create virtual device
- Hardware: http://take.ms/Yg9VC
- Image: http://take.ms/CTboN
- Large (2GB) flash: http://take.ms/ykYSK
- Note: DON'T enable device frame

Start up the emulator
```
emulator -avd OWASPKyiv -writable-system -http-proxy http://127.0.0.1:8080
```

Look around
```
adb devices
adb shell
```

Install Burp/ZAP certificate
- Export from http://127.0.0.1:8080
- Convert CER to PEM and push to device
```
openssl x509 -inform der -in cacert.der -out cacert.pem
adb push cacert.pem /sdcard/
```
- Settings / Security / Install from SD card
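
The conversion step above can be wrapped in a check that the export really is the proxy's CA certificate before it is pushed to the emulator. This is an added example, not part of the original workshop notes; the function name `convert_proxy_ca` is an assumption, the file names follow the page.

```shell
#!/bin/bash
# Added example: convert the proxy CA exported from Burp/ZAP and sanity-check
# it before it goes onto the test emulator.

# convert_proxy_ca <in.der> <out.pem>   (hypothetical helper name)
# Prints the SHA-256 fingerprint of the converted certificate on success.
convert_proxy_ca() {
    local der="$1" pem="$2" fp_der fp_pem

    [ -s "$der" ] || { echo "missing or empty: $der" >&2; return 1; }

    # Same conversion as on the page; fails if the export is not DER X.509
    # (for example an HTML error page saved from the proxy listener).
    openssl x509 -inform der -in "$der" -out "$pem" 2>/dev/null \
        || { echo "not a DER certificate: $der" >&2; rm -f "$pem"; return 1; }

    # A proxy root must be a CA certificate, otherwise the leaf certificates
    # it signs on the fly will not validate on the device.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA" >&2; return 1; }

    # Conversion must not change the certificate: compare fingerprints.
    fp_der=$(openssl x509 -inform der -in "$der" -noout -fingerprint -sha256)
    fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    [ "$fp_der" = "$fp_pem" ] || { echo "fingerprint mismatch" >&2; return 1; }

    # Strip the "sha256 Fingerprint=" label, keep only the hex digest.
    echo "${fp_pem#*=}"
}

# Usage in the workshop flow (run by hand):
#   convert_proxy_ca cacert.der cacert.pem && adb push cacert.pem /sdcard/
```

Compare the printed fingerprint with the one shown in the proxy's own certificate dialog, and remove the certificate from the emulator when testing is done.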

Install Xposed Framework Installer
- Official: http://repo.xposed.info/module/de.robv.android.xposed.installer
- Android after 5.0/5.1: https://forum.xda-developers.com/showthread.php?t=3034811
```
adb install XposedInstaller_3.1.4.apk
```

Root the device: bash emulator_root.sh
```
#!/bin/bash

adb root
adb remount
adb -e push su.pie /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell su --install
adb shell su --daemon&
adb shell setenforce 0
```

Repeat Xposed installation

Install Inspeckage and SSL Unpinning

Forward local ports
```
adb forward tcp:8008 tcp:8008
```

Access http://:8008 on laptop

Install APK for testing
```
adb install ua.privatbank.pfm.apk
```

Have fun!
