来源:自学PHP网 时间:2015-04-16 23:15 作者: 阅读:次
[导读] 该APP的安卓客户端,设计问题导致数据泄漏,导致全站数据泄漏最近对安卓的app逆向挺感兴趣,然后对网上一些app进行安全测试,此app初入手时,发现其内部有mysql的jdbc驱动,然后就想...
该APP的安卓客户端,设计问题导致数据泄漏,导致全站数据泄漏最近对安卓的app逆向挺感兴趣,然后对网上一些app进行安全测试,此app初入手时,发现其内部有mysql的jdbc驱动,然后就想应该有问题,在更多的反编译过程中发现其数据库配置直接写在so库文件里面,明文保存,连接致数据库,发现可控全站数据库!其危害之严重!利用工具开始反编译,然后提权其dex, 将dex文件转为jar包之后,分析代码发现其数据库连接,但是并未发现具体连接代码,然后就想,可能连接存在于类库里面,然后找到libservice_jni.so这个文件, .plt:00000BAC ; .plt:00000BAC ; +-------------------------------------------------------------------------+ .plt:00000BAC ; | This file has been generated by The Interactive Disassembler (IDA) | .plt:00000BAC ; | Copyright (c) 2009 by Hex-Rays, <support@hex-rays.com> | .plt:00000BAC ; | License info: FA-EC7E-28A4-A5 | .plt:00000BAC ; | Licensed User | .plt:00000BAC ; +-------------------------------------------------------------------------+ .plt:00000BAC ; .plt:00000BAC ; Input MD5 : 0208C7DA39BFDBBC13FD435EA49F9C78 .plt:00000BAC .plt:00000BAC ; --------------------------------------------------------------------------- .plt:00000BAC ; File Name : D:\apk\apktool1.5.2\apktool1.5.2\libservice_jni.so .plt:00000BAC ; Format : ELF (Shared object) .plt:00000BAC ; Needed Library 'libstdc++.so' .plt:00000BAC ; Needed Library 'libm.so' .plt:00000BAC ; Needed Library 'libc.so' .plt:00000BAC ; Needed Library 'libdl.so' .plt:00000BAC ; Shared Name 'libservice_jni.so' .plt:00000BAC ; .plt:00000BAC ; EABI version: 5 .plt:00000BAC ; .plt:00000BAC .plt:00000BAC ; Processor : ARM .plt:00000BAC ; Target assembler: Generic assembler for ARM .plt:00000BAC ; Byte sex : Little endian .plt:00000BAC .plt:00000BAC ; =========================================================================== .plt:00000BAC .plt:00000BAC ; Segment type: Pure code .plt:00000BAC AREA .plt, CODE, READWRITE .plt:00000BAC ; ORG 0xBAC .plt:00000BAC CODE32 .plt:00000BAC STR LR, [SP,#-4]! .plt:00000BB0 LDR LR, =(_GLOBAL_OFFSET_TABLE_ - 0xBBC) .plt:00000BB4 ADD LR, PC, LR .plt:00000BB8 LDR PC, [LR,#8]! .plt:00000BB8 ; --------------------------------------------------------------------------- .plt:00000BBC off_BBC DCD _GLOBAL_OFFSET_TABLE_ - 0xBBC ; DATA XREF: .plt:00000BB0r .plt:00000BC0 ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_atexit. PRESS KEYPAD "+" TO EXPAND] .plt:00000BCC ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_finalize. PRESS KEYPAD "+" TO EXPAND] .plt:00000BD8 ; [0000000C BYTES: COLLAPSED FUNCTION __gnu_Unwind_Find_exidx. PRESS KEYPAD "+" TO EXPAND] .plt:00000BE4 ; [0000000C BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND] .plt:00000BF0 ; [0000000C BYTES: COLLAPSED FUNCTION abort. PRESS KEYPAD "+" TO EXPAND] .plt:00000BFC ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_begin_cleanup. PRESS KEYPAD "+" TO EXPAND] .plt:00000C08 ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_type_match. PRESS KEYPAD "+" TO EXPAND] .text:00000C14 ; --------------------------------------------------------------------------- .text:00000C14 ; =========================================================================== .text:00000C14 .text:00000C14 ; Segment type: Pure code .text:00000C14 AREA .text, CODE, READWRITE .text:00000C14 ; ORG 0xC14 .text:00000C14 CODE32 .text:00000C14 LDR R2, =(unk_4000 - 0xC24) .text:00000C18 MOV R1, #0 .text:00000C1C ADD R2, PC, R2 .text:00000C20 B __cxa_atexit .text:00000C20 ; --------------------------------------------------------------------------- .text:00000C24 off_C24 DCD unk_4000 - 0xC24 ; DATA XREF: .text:00000C14r .text:00000C28 .text:00000C28 ; =============== S U B R O U T I N E ======================================= .text:00000C28 .text:00000C28 .text:00000C28 sub_C28 ; DATA XREF: .fini_array:00003EB8o .text:00000C28 LDR R0, =(unk_4000 - 0xC34) .text:00000C2C ADD R0, PC, R0 .text:00000C30 B __cxa_finalize .text:00000C30 ; End of function sub_C28 .text:00000C30 .text:00000C30 ; --------------------------------------------------------------------------- .text:00000C34 off_C34 DCD unk_4000 - 0xC34 ; DATA XREF: sub_C28r .text:00000C38 CODE16 .text:00000C38 .text:00000C38 ; =============== S U B R O U T I N E ======================================= .text:00000C38 .text:00000C38 .text:00000C38 EXPORT Java_com_fly186_service_jni_JNI_getUrl .text:00000C38 Java_com_fly186_service_jni_JNI_getUrl .text:00000C38 PUSH {R3,LR} .text:00000C3A LDR R2, [R0] .text:00000C3C LDR R1, =(aJdbcMysql59_63 - 0xC46) .text:00000C3E MOVS R3, 0x29C .text:00000C42 ADD R1, PC ; "jdbc:mysql://不告诉你/myxdfw" .text:00000C44 LDR R3, [R2,R3] .text:00000C46 BLX R3 .text:00000C48 POP {R3,PC} .text:00000C48 ; End of function Java_com_fly186_service_jni_JNI_getUrl .text:00000C48 .text:00000C48 ; --------------------------------------------------------------------------- .text:00000C4A ALIGN 4 .text:00000C4C off_C4C DCD aJdbcMysql59_63 - 0xC46 .text:00000C4C ; DATA XREF: Java_com_fly186_service_jni_JNI_getUrl+4r .text:00000C4C ; "jdbc:mysql://不告诉你/myxdfw" .text:00000C50 .text:00000C50 ; =============== S U B R O U T I N E ======================================= .text:00000C50 .text:00000C50 .text:00000C50 EXPORT Java_com_fly186_service_jni_JNI_getName .text:00000C50 Java_com_fly186_service_jni_JNI_getName .text:00000C50 PUSH {R3,LR} .text:00000C52 LDR R2, [R0] .text:00000C54 LDR R1, =(aMyxdfw - 0xC5E) .text:00000C56 MOVS R3, 0x29C .text:00000C5A ADD R1, PC ; "myxdfw" .text:00000C5C LDR R3, [R2,R3] .text:00000C5E BLX R3 .text:00000C60 POP {R3,PC} .text:00000C60 ; End of function Java_com_fly186_service_jni_JNI_getName .text:00000C60 .text:00000C60 ; --------------------------------------------------------------------------- .text:00000C62 ALIGN 4 .text:00000C64 off_C64 DCD aMyxdfw - 0xC5E ; DATA XREF: Java_com_fly186_service_jni_JNI_getName+4r .text:00000C64 ; "myxdfw" .text:00000C68 .text:00000C68 ; =============== S U B R O U T I N E ======================================= .text:00000C68 .text:00000C68 .text:00000C68 EXPORT Java_com_fly186_service_jni_JNI_getPassword .text:00000C68 Java_com_fly186_service_jni_JNI_getPassword .text:00000C68 PUSH {R3,LR} .text:00000C6A LDR R2, [R0] .text:00000C6C LDR R1, =(a101627xdfw - 0xC76) .text:00000C6E MOVS R3, 0x29C .text:00000C72 ADD R1, PC ; "不告诉你" .text:00000C74 LDR R3, [R2,R3] .text:00000C76 BLX R3 .text:00000C78 POP {R3,PC} .text:00000C78 ; End of function Java_com_fly186_service_jni_JNI_getPassword .text:00000C78 .text:00000C78 ; --------------------------------------------------------------------------- .text:00000C7A ALIGN 4 .text:00000C7C off_C7C DCD a101627xdfw - 0xC76 ; DATA XREF: Java_com_fly186_service_jni_JNI_getPassword+4r .text:00000C7C ; "不告诉你" .text:00000C80 CODE32 .text:00000C80 分析到这里,数据库泄漏就是必然了! |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com