Android-exploitme (d): Parameter tampering

Today we will test the parameter tampering in the request, which is commonly used in web security testing, intercepting request packets, modifying parameters, committing

1. First we need to start the simulator, and use the agent of the machine (plus the purpose of the parameter-partition-size is to be able to copy data to Android/system, otherwise it will prompt "Out of Memory" error).

If it is Linux need to add sudo,emulator need to develop path.

2. Set Charles, proxy port to 8008 (Charles hack: http://www.52pojie.cn/thread-218687-1-1.html)

3. Execute EXPLOITME server side, SSL, Port 8443

4. Open the EMM software in Android, set the bank service address as the native IP, and have checked "https enabled"

5. Enter the password to unlock in the EMM is locked interface and go to the software homepage.

If the error is "could not connect to server", it is possible that you did not set the Android trust agent software for Charles's certificate.

To complete the action of adding trust certificates to Android, let's start by looking at what format the system uses to save the certificate.

A. If the following certificate is stored in the Cacerts folder

# ll/system/etc/security                                        Drwxr-xr-x root     root              2013-02-13 15:22 cacerts-rw-r--r--root     root         1125 2013-02-13 15:20 Otacerts.zip

* Download Charles's certificate: Http://www.charlesproxy.com/ssl.zip, get "CHARLES-PROXY-SSL-PROXYING-CERTIFICATE.CRT" after decompression

* Run the SPENSSL command:

OpenSSL x509-inform Pem-subject_hash- in charles-proxy-ssl-proxying-certificate.crt# get hash value 51b1a81b

* Run command OpenSSL x509-inform pem-text-in yourcert.crt > Yourcert.txt, get the certificate txt value

* Run the Gedit and swap the text and PEM portions of the TXT file in the following way:

* Then rename the txt file to 51b1a81b.0 the hash value generated above plus ". 0"

* Upload 51b1a81b.0 to/system/etc/security/cacerts (this process can be wrong, the error is when you start the emulator without adding the-partition-size parameter, or the specified size is too small, Causes the system to have no free space. In addition if prompted read-only, need to execute the command "adb remount" make/system writable)
B. If the certificate is saved in/system/etc/security/cacerts.bks

* Pull files to PC

/system/etc/security/cacerts.bks cacerts.bks

* Use Keytools to import Charles's certificate into KeyStore

keytool-keystore cacerts.bks-storetype bks-Provider Org.bouncycastle.jce.provider.BouncyCastleProvider-storepass changeit-importcert-  Trustcacerts-alias <##CERT alias here##>-file <##YOUR PROXY. CRT here##>

* Make the System directory writable

ADB  remount

* Upload files to the virtual machine, overwriting

ADB push cacerts.bks/system/etc/security/

The method above allows Charles to proxy the contents of SSL, but resets the virtual machine after it has been restarted, and one way is to copy the system image.

* Download Tool

http://code.google.com/p/android-group-korea/downloads/detail?name=mkfs.yaffs2.arm&can=2&q=

* Upload the tool to the virtual machine

santoku@santoku-virtual-machine:/disk4/tmp$ ADB push MKFS.YAFFS2.ARM/SYSTEM/XBIN/MKFS.YAFFS2

* Make image

# ll MKFS.YAFFS2                                  -rw-rw-rw-root     root       463072 2014-07-15 01:12 mkfs.yaffs2root@android:#  chmod 777./ MKFS.YAFFS2                            #  ./mkfs.yaffs2/system//sdcard/system.img          MKFS.YAFFS2: Android YAFFS2 Tool,build by PowerGUI at         http://www.openhandsetalliance.org.cnBuilding...lBuild Ok.

* Download the image to your PC

santoku@santoku-virtual-machine:/disk4/tmp$ adb pull/sdcard/system.img in 223.080s)

* Use the following command when you start the virtual machine later

santoku@santoku-virtual-machine:/usr/share/adt-bundle/sdk/tools$ emulator-avd avd1  -partition-size 300-system /disk4/tmp/system.img-http-proxy 192.168.118.140:8008

6. After entering the software interface, click Transfer to complete the transfer operation.

7. Charles can see the transmitted data

8. Then you can try to modify the From_account, resend the package, and see the results

For this problem, the solution is:

1. Determine if the account belongs to the user

if or from_account.user! = session.user    :return error ("E6")

2. Determine whether the amount is legal and whether it is greater than 0.

if total_cents < 0:    return error ("E5")