How to carry out an authorized APK penetration test


This article offers some testing ideas for beginners who, like me, still lack penetration testing experience. The content is fairly basic; more experienced readers, please bear with me.

Unzipping an APK with 7-Zip gives you several folders, an AndroidManifest.xml file and a dex file (classes.dex). Note that 7-Zip only unzips: the AndroidManifest.xml you get that way is in Android's compiled binary-XML format, so to read it as plain text decode the APK with a tool such as apktool instead. Converting the dex file with dex2jar produces a JAR file, which you can browse as Java source in jd-gui. It is possible to hunt for code-level vulnerabilities in that source, but it is usually obfuscated, so that is not covered in depth here.

The manifest must not be overlooked: it holds many important configuration items, for example:

- android:debuggable="true" in AndroidManifest.xml: the app can be attached to and debugged at will.
- android:allowBackup="true" in AndroidManifest.xml: app data can be backed up and exported (for example with adb backup).
- and so on.

One more point that may come in handy during an actual test: after unpacking the APK, search the extracted tree for .db files, which may contain sensitive information (I say this because I ran into it once). In a Windows command prompt (this is cmd.exe `for /r` syntax, not PowerShell; inside a batch file write `%%i` instead of `%i`):

  for /r F:\source-code %i in (*.db) do echo %i
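The two manifest checks and the .db search above can be done in one pass over an apktool-decoded directory. The following script is an added example and is not part of the original article; it assumes the input directory is apktool output (so AndroidManifest.xml is plain XML, not the binary XML 7-Zip extracts), and it builds a constructed sample directory when no path is given.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Android's manifest attribute namespace; apktool preserves it when decoding the binary XML.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Attributes the text flags on <application>, and what a "true" value means for the tester.
RISKY_APP_ATTRS = {
    "debuggable": "app can be attached to with a debugger",
    "allowBackup": "app data can be exported with `adb backup` (newer Android versions restrict this further)",
}


def check_manifest(manifest_path: Path) -> list:
    """Return one finding per risky <application> attribute in a decoded AndroidManifest.xml."""
    root = ET.parse(manifest_path).getroot()
    app = root.find("application")
    if app is None:
        return ["no <application> element found"]
    findings = []
    for attr, impact in RISKY_APP_ATTRS.items():
        value = app.get(f"{{{ANDROID_NS}}}{attr}")
        if value is None and attr == "allowBackup":
            # The platform default for allowBackup is "true", so an absent attribute is still a finding.
            findings.append(f'android:allowBackup not set (defaults to "true"): {impact}')
        elif value is not None and value.lower() == "true":
            findings.append(f'android:{attr}="true": {impact}')
    return findings


def find_db_files(source_dir: Path) -> list:
    """Equivalent of the `for /r ... (*.db)` loop: every .db file under the decoded tree."""
    return sorted(p.relative_to(source_dir).as_posix() for p in source_dir.rglob("*.db"))


def analyze(source_dir) -> dict:
    source_dir = Path(source_dir)
    manifest = source_dir / "AndroidManifest.xml"
    return {
        "manifest": check_manifest(manifest) if manifest.exists() else ["AndroidManifest.xml missing"],
        "db_files": find_db_files(source_dir),
    }


def build_sample_tree() -> str:
    """Constructed input (not a real app): a fake apktool output directory with both weak flags and a stray .db."""
    d = Path(tempfile.mkdtemp())
    (d / "AndroidManifest.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.demo">\n'
        '  <application android:label="demo" android:debuggable="true" android:allowBackup="true"/>\n'
        '</manifest>\n'
    )
    (d / "assets").mkdir()
    (d / "assets" / "cache.db").write_bytes(b"SQLite format 3\x00")
    (d / "res" / "raw").mkdir(parents=True)
    (d / "res" / "raw" / "notes.txt").write_text("not a database")
    return str(d)


if __name__ == "__main__":
    # Usage: python apk_triage.py <apktool-output-dir>; with no argument the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for section, items in analyze(target).items():
        print(section)
        for item in items:
            print("  -", item)
```

Any .db it lists should be opened with a SQLite client to see whether it really holds sensitive data; the script only locates the files.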

APK security analysis and detection:

Lab: APK security analysis and detection (Hetian Netan Laboratory)

(Through this lab you learn how to run an APK security analysis and detection program and find the potential threats it reports.)

The simplest case of username enumeration is when you enter a username to log in and the system replies that the username does not exist. In this test the login needed no password: you enter a registered username and the server sends a verification code to the phone number bound to that username. The code cannot be resent within 120 s and stays valid for 120 s. At first glance the verification code gives us nothing to work with, but during the actual test we found:

1. entering an existing account prompts "sent successfully";
2. sending again responds "cannot resend within 120s";
3. entering a non-existent user prompts "send failed".

So even with the time limit in place, usernames can still be enumerated by brute force; existence is judged purely from what the server returns, and the rate-limit reply itself confirms the account exists.
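The following is an added example, not code from the article or the application it tested, that models the "send verification code" endpoint with the 120 s limit in two variants (the leaky one that returns the three distinct replies above, and a hardened one that answers identically whether or not the account exists) and runs the attacker's enumeration loop against both. The user store, response codes and message strings are constructed assumptions.

```python
# Constructed user store; the real backend is not known.
REGISTERED = {"alice": "+1-555-0101", "bob": "+1-555-0102"}
RESEND_WINDOW = 120  # seconds, the limit described in the text


class SmsLogin:
    """Minimal 'send verification code' endpoint with the 120 s resend limit.

    leaky=True reproduces the three distinct replies observed in the test;
    leaky=False returns one reply regardless of existence or rate-limit state.
    """

    def __init__(self, leaky: bool, clock):
        self.leaky = leaky
        self.clock = clock        # callable returning seconds; injected so callers control time
        self.last_sent = {}       # username -> time of last SMS
        self.sms_outbox = []      # (phone, username) a real system would hand to the SMS gateway

    def send_code(self, username: str) -> dict:
        now = self.clock()
        exists = username in REGISTERED
        last = self.last_sent.get(username)
        in_window = last is not None and now - last < RESEND_WINDOW
        if exists and not in_window:
            self.last_sent[username] = now
            # In a real service, hand this to an asynchronous queue rather than sending
            # inline, so response time does not differ between existing and unknown users.
            self.sms_outbox.append((REGISTERED[username], username))
        if self.leaky:
            if not exists:
                return {"code": 1, "msg": "send failed"}
            if in_window:
                return {"code": 2, "msg": "cannot resend within 120s"}
            return {"code": 0, "msg": "sent successfully"}
        # Hardened: the same body for unknown user, first send and rate-limited resend.
        return {"code": 0, "msg": "if this account exists, a code has been sent"}


def enumerate_users(send_code, candidates) -> list:
    """Attacker side: probe a surely-nonexistent name to learn the 'no such user' reply,
    then report every candidate whose reply differs from that baseline."""
    baseline = send_code("zz_no_such_user_probe")
    return [u for u in candidates if send_code(u) != baseline]


if __name__ == "__main__":
    names = ["alice", "carol", "bob"]
    leaky = SmsLogin(leaky=True, clock=lambda: 1000.0)
    print("leaky, first pass :", enumerate_users(leaky.send_code, names))
    print("leaky, second pass:", enumerate_users(leaky.send_code, names))  # rate-limit reply still leaks
    fixed = SmsLogin(leaky=False, clock=lambda: 1000.0)
    print("hardened          :", enumerate_users(fixed.send_code, names))
```

The hardened variant still enforces the 120 s limit and still only sends SMS to real accounts; what changes is that the HTTP response no longer encodes that decision. Per-IP request throttling on the endpoint is a separate control and does not replace uniform responses.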


Wait: we don't know the phone number and won't be logging in with a password, so even if we build a social-engineering dictionary from the usernames we can't use it. What good is a username list, then? It is useful, but it depends on the scenario. Take the following case, an arbitrary verification code bypass. At login the server sends an SMS code to the phone number bound to the account; we enter an account obtained in the previous step and type a random code. Intercepting the traffic after clicking login, the login fails, and we notice two code fields in the response.

Try changing them:


It works! The app evidently judges whether the login succeeded from those code fields in the server's response, so rewriting the failure response into a success response in the intercepting proxy gets us in without ever knowing the real code.

Verification code bypass vulnerability:

Lab: verification code bypass vulnerability

(Learn the common principles behind verification code bypass vulnerabilities, how the bypasses are exploited, and how to protect against them.)

After logging in successfully, click through every function on the page. On the personal information page there is a feature that shows the real-time number of users online. The column only displays the count and has no arrow next to it.

At first I thought it could not be clicked (in fact the data volume was so large that it took a long time to load and I had gone straight back, which gave me the impression there was nothing there), but once I got in I could see the information of every logged-in user.

After trying different users I found that the user information here is not restricted by permissions, that is, it is visible to everyone: a clear case of improperly configured access control. The application also has several query functions, and the responses captured with Burp are JSON.

Trying JSON injection and XXE got nowhere, as I don't have much experience with them. There is another parameter in front; try that?


Promising!

Try XSS.


Load it in the browser and the alert pops up!
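The two findings in this section, user records readable by anyone and a request parameter reflected into a JSON response that the browser will render, share one small handler in the following added example. It is not code from the article or from the tested application; the user table, the `uid` and `q` parameter names and the admin set are constructed assumptions. The vulnerable handler keeps both defects; the hardened one adds an object-level authorization check, serves the body as `application/json` with `nosniff`, and escapes `<`, `>` and `&` so the JSON is inert even if something renders it as HTML.

```python
import json

# Constructed data and session model; the real app's schema is not known.
USERS = {
    "1001": {"name": "alice", "phone": "+1-555-0101"},
    "1002": {"name": "bob", "phone": "+1-555-0102"},
}
ADMINS = {"1001"}


def vulnerable_query(session_uid: str, params: dict) -> dict:
    """Reproduces both findings: any logged-in user may query any uid, and the 'q'
    parameter is pasted into the body unescaped with a content type the browser renders."""
    uid = params.get("uid", session_uid)
    q = params.get("q", "")
    body = '{"code":0,"q":"' + q + '","data":' + json.dumps(USERS.get(uid)) + '}'
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}


def safe_json(obj) -> str:
    """json.dumps plus escaping of <, > and & as \\uXXXX; the result is still valid JSON
    that parses to the same value, but contains no characters HTML would interpret."""
    return (json.dumps(obj)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def hardened_query(session_uid: str, params: dict) -> dict:
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",   # stop the browser from sniffing the body as HTML
    }
    uid = params.get("uid", session_uid)
    # Object-level authorization: a user may read only their own record unless they are an admin.
    if uid != session_uid and session_uid not in ADMINS:
        return {"status": 403, "headers": headers, "body": safe_json({"code": 403, "msg": "forbidden"})}
    body = safe_json({"code": 0, "q": params.get("q", ""), "data": USERS.get(uid)})
    return {"status": 200, "headers": headers, "body": body}


def decode_body(response: dict):
    """Parse a handler's JSON body (used to show the escaped form round-trips unchanged)."""
    return json.loads(response["body"])


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable:", vulnerable_query("1002", {"uid": "1001", "q": payload}))
    print("hardened  :", hardened_query("1002", {"uid": "1001", "q": payload}))
    print("own record:", hardened_query("1002", {"uid": "1002", "q": payload}))
```

The authorization check compares the requested object against the authenticated session, never against a client-supplied field; the session identifier has to come from server-side session state or a signed token, or the check is as bypassable as the login response above.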

Copyright: no reproduction without permission.
