markdown 移动应用Pentesting研讨会的东西
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了markdown 移动应用Pentesting研讨会的东西相关的知识,希望对你有一定的参考价值。
# Prerequisites
(Preferably) Use a VPN
- AlgoVPN https://github.com/trailofbits/algo
- OpenVPN (AS) https://openvpn.net/index.php/access-server/overview.html
- 3rd party service, e.g. ProtonVPN https://protonvpn.com
Install a proxy tool of choise
- OWASP ZAP https://github.com/zaproxy/zaproxy/wiki/Downloads
- BurpSuite https://portswigger.net/burp/communitydownload
Android Studio
- On macOS: ```brew cask install android-studio```
- Manually download and install: https://developer.android.com/studio/index.html
- Install SDK Platforms: http://take.ms/kyWuF
- Install SDK Tools: http://take.ms/H5iZP
# Scope & Rules of Engagement
Read Privatbank Bug Bounty program brief
- In general: https://bugbounty.privatbank.ua/help
- Specifically: http://take.ms/LcAPX
Download Andriod application
- https://privatbank.ua/apps
- https://privatbank.ua/apps/privatbudzhet
- https://play.google.com/store/apps/details?id=ua.privatbank.pfm
- https://apps.evozi.com/apk-downloader/?id=ua.privatbank.pfm
# Preparation
Create virtual device
- Hardware: http://take.ms/Yg9VC
- Image: http://take.ms/CTboN
- Large (2GB) flash: http://take.ms/ykYSK
- Note: DON'T enable device frame
Startup the emulator
```
emulator -avd OWASPKyiv -writable-system -http-proxy http://127.0.0.1:8080
```
Look around
```
adb devices
adb shell
```
Install Burp/ZAP certificate
- Export from http://127.0.0.1:8080
- Convert CER to PEM and push to device
```
openssl x509 -inform der -in cacert.der -out cacert.pem
adb push cacert.pem /sdcard/
```
- Settings / Security / Install from SD card
Install Xposed Framework Installer
- Official: http://repo.xposed.info/module/de.robv.android.xposed.installer
- Android after 5.0/5.1: https://forum.xda-developers.com/showthread.php?t=3034811
```
adb install XposedInstaller_3.1.4.apk
```
Root the device: bash emulator_root.sh
```
#!/bin/bash
adb root
adb remount
adb -e push su.pie /system/xbin/su
adb shell chmod 06755 /system/xbin/su
adb shell su --install
adb shell su --daemon&
adb shell setenforce 0
```
Repeat Xposed installation
Install Inspeckage and SSL Unpinning
Forward local ports
```
adb forward tcp:8008 tcp:8008
```
Access http://:8008 on laptop
Install APK for testing
```
adb install ua.privatbank.pfm.apk
```
Have fun!
以上是关于markdown 移动应用Pentesting研讨会的东西的主要内容,如果未能解决你的问题,请参考以下文章
BTS PenTesting Lab-Injection-sql injection-blind sqli1
BTS PenTesting Lab-Injection-sql injection-authentication bypass
网络研讨会:Flutter x Ktor 打造跨平台全端应用
《MLA中国机器学习及其应用研讨会》
机器学习在生物信息领域应用研讨会 | IJCAI 2020
抢先报名 Google 谷歌“游戏出海的下一个金矿——抢滩东南亚”线上研讨会