0x00 Prologue
Recently Xiao Ming had a worry that kept him from eating and sleeping. It turned out that the goddess's Android phone had come down with a strange illness: it could neither receive text messages nor send them to others. Even more annoying, the money the goddess had set aside for online shopping had mysteriously been swiped away.
When the goddess anxiously rummaged through her address book, she suddenly found the note she had put next to Xiao Ming: Jack No. 17, computers, phone flashing. So, under the goddess's pitiful gaze, Xiao Ming thumped his chest and promised to have it fixed within a day.
And so Xiao Ming got hold of the goddess's phone he had dreamed of. What happened next, however, was something he never expected.
0x01 Pinning down the culprit
The first thing to do after getting the phone was to find out why it could not receive text messages. Xiao Ming checked the system's SMS settings and the installed apps; everything looked normal, and no suspicious blank icons were found. A check with a software management tool turned up nothing suspicious either.
So Xiao Ming started investigating the system programs instead. Sure enough, when he opened the "Google Store" app, the fox showed its tail.
As shown in the figure below: first, tapping this app while the phone is offline brings up the prompt "The phone cannot connect to the Internet".
Second, tapping it while online brings up a long list of permission requests followed by a "network is normal" prompt.
Seeing this, Xiao Ming laughed. Isn't this the most ordinary SMS-intercepting Trojan? So he promptly exported the target APK package from the phone with Wandoujia (the "pea pod" app manager), as shown in the picture.
Looking at the SMS Trojan, less than 100 KB, sitting on the desktop, Xiao Ming silently put on his apron (an Android virtual environment), picked up the scalpel (the decompilation tools dex2jar + Xjad), and pressed the Trojan onto the dissection table (Eclipse).
0x02 Pao Ding Jie Niu (dissecting the ox)
First, Xiao Ming unzipped the APK file and located the key classes.dex file, which is the compiled form of the APK's Java source code.
Then copy classes.dex into the dex2jar directory, open cmd in that directory and run: dex2jar.bat classes.dex. Press Enter, and the source package we want, classes_dex2jar.jar, appears in the same directory.
Next, feed the jar to Xjad for decompilation: click File - Decompile jar - select the generated jar file, and it is decompiled into a folder of source code.
At this point our ox has been roughly taken apart. Now to find the filet steak we are after~
0x03 Probing the chrysanthemum (the backend)
Analysis of the decompiled code shows that the Trojan talks to its backend by calling a C# WebService, and that the backend's IP address is stored encrypted. The calling code is shown in the diagram below:
Pull out the encryption code, locate the encryption function following the diagram, and decompile it; the result is as follows:
Running it directly reveals the server-side address:
http://103.X.X.X/priv1/baseservice.asmx
At this point the location of the backend is known. Let's start studying it.
0x04 Driving straight in: injection (the backend takeover was done by an SQL-testing expert)
Now that the backend address is known, how to get into the backend? This was a headache. A scan with a tool found no vulnerabilities. My own ability is limited, so it seemed the only way was to start from the site itself and reorganize my train of thought. Entering http://103.XXX/priv1/baseservice.asmx into the browser shows
that there are several methods; since there are methods that can be called directly, open the program and reference the WebService. The code is as follows:
I wanted to try XSS by inserting it into the database with the AddCall method. The code is as follows:
Calling it produced an error!
Silence. Since there is SQL injection, let's talk about SQL injection in this WebService.
I picked the getOrders method and added a single quote to the parameter when calling it, which produced a MySQL error. That's a lot of injection points, isn't it?
The query statement was modified as follows:
The XML returned is:
<?xml version="1.0" encoding="UTF-8"?>
<RootJob>
<Job>
<Type>9</Type>
<Content>3</Content>
<Phone>2</Phone>
<JobID>1</JobID>
</Job>
</RootJob>
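The RootJob response above is the job format the Trojan pulls from its backend. The following parser is an added example, not code from the original post or the Trojan; what the Type, Content and Phone values mean is not documented on the page and is left uninterpreted, and the malformed jobs in the sample are constructed to exercise the error handling.

```python
# Added example (not from the original post): a parser for the RootJob XML
# that the Trojan's WebService returns. Field semantics are not known from
# the post, so values are only type-checked, not interpreted.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

@dataclass
class Job:
    job_id: int
    job_type: int
    phone: str
    content: str

REQUIRED = ("Type", "Content", "Phone", "JobID")

# Constructed sample: the job from the post plus two malformed jobs.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<RootJob>
<Job><Type>9</Type><Content>3</Content><Phone>2</Phone><JobID>1</JobID></Job>
<Job><Type>9</Type><Content>hi</Content><JobID>2</JobID></Job>
<Job><Type>x</Type><Content>hi</Content><Phone>5</Phone><JobID>3</JobID></Job>
</RootJob>"""

def parse_jobs(xml_text: str) -> tuple[list[Job], list[str]]:
    """Return (well-formed jobs, one error string per malformed <Job>)."""
    jobs, errors = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "RootJob":
        raise ValueError(f"unexpected root element {root.tag!r}")
    for idx, job in enumerate(root.findall("Job")):
        fields = {child.tag: (child.text or "").strip() for child in job}
        missing = [name for name in REQUIRED if name not in fields]
        if missing:
            errors.append(f"job #{idx}: missing {missing}")
            continue
        try:
            jobs.append(Job(int(fields["JobID"]), int(fields["Type"]),
                            fields["Phone"], fields["Content"]))
        except ValueError:
            errors.append(f"job #{idx}: non-numeric Type or JobID")
    return jobs, errors
```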
This is clear at a glance; the following steps will not be written out in detail. It is root-level injection.
In short, the target is IIS. I could not find the program's directory, so I directly tried C:\Inetpub\www\root,
wrote an Aspx file there, and was able to access it from the browser right away.
That basically completed the job; all that was left was privilege escalation. With a friend's help, the escalation succeeded.
0x05 Expanding the results
By this point I had obtained access to the server through MySQL. Checking the registry, I found that the port was 55555 and the server version was 2003 R2. Just add a user and log in.
Nothing complicated: an IIS + MySQL + C# WebService.
Set up remote MySQL access and connect to it locally to take a look. At first glance, Xiao Ming was startled by how the gang monitored the victims' content through the SMS Trojan.
In the database, Xiao Ming found information on countless victims, including large bank transfer notifications. If such text messages are intercepted, the consequences can be imagined.
0x06 Digging into the industry chain
Any industry must be profitable; since Xiao Ming had found the source, he went upstream to dig deeper into the entire industry chain of Android SMS-intercepting Trojans.
Xiao Ming entered relevant keywords on the computer, such as "SMS-intercepting Trojan" and "SMS Trojan for sale", and found many people posting related requests.
In addition, there are many posts seeking such Trojans on various underground forums.
They buy them mainly for fraud:
either impersonating acquaintances to defraud victims, or defrauding online banking accounts, or for some unspeakable activities.
A randomly chosen example:
By analyzing the code, Xiao Ming found that the SMS Trojan operates like this:
Once the phone has installed the Trojan and granted it permissions, the Trojan immediately uploads the victim phone's address book. All of the phone's text messages are forwarded to a designated phone number, and that phone number can use command codes to direct the Trojan to forge text messages, thereby carrying out the fraud.
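The behaviour just described (address-book upload, forwarding every SMS, sending forged SMS) maps onto a recognisable set of Android permissions, and a receiver registered for incoming SMS at high priority explains why the goddess's messages stopped arriving. The triage heuristic below is an added example, not the post's own tooling; it assumes a decoded AndroidManifest.xml as input, and the package name, weights and the "three or more capabilities" threshold are my own constructed choices.

```python
# Added example (not from the original post): flag a decoded AndroidManifest.xml
# whose permissions and receivers match the SMS Trojan behaviour described above.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Each capability the post describes, with the permission(s) that grant it.
CAPABILITIES = {
    "read address book": {"android.permission.READ_CONTACTS"},
    "read incoming SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "upload to a server": {"android.permission.INTERNET"},
}

# Constructed sample manifest (package name and class names are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestore">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the matched findings and a suspicious verdict."""
    root = ET.fromstring(manifest_xml)
    granted = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = [cap for cap, perms in CAPABILITIES.items() if granted & perms]
    capability_hits = len(findings)
    # A receiver for SMS_RECEIVED with a high priority sees each message before
    # the stock SMS app does, which matches "text messages stop arriving".
    for intent_filter in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in intent_filter.iter("action")}
        priority = int(intent_filter.get(ANDROID_NS + "priority", "0"))
        if SMS_RECEIVED in actions and priority > 0:
            findings.append(f"high-priority SMS_RECEIVED receiver (priority {priority})")
    return {"package": root.get("package"), "findings": findings,
            "suspicious": capability_hits >= 3}
```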
Don’t install apps with unknown origins!