post board

the main activity has a webview

the webview has:

• setJavaScriptEnalbled set to true

• javascript interface named webAppInterface

the activity takes the message content from a deep link URI path in base 64 format like the following

postboard://postmessage/

let’s try send a simple message:

adb shell am start -n com.mobilehackinglab.postboard/.MainActivity -a android.intent.action.VIEW -d postboard://postmessage/aGFzc29uYQo=

let’s take a look on the html page that the webview loads by defualt in the assetts folderandroid_asset/index.html

as we see in line 137 each message is loaded and viewed in the web page using innerHTML without any sanitization which can cause an XSS injection

let’s try a simple XSS payload to see if it works:

<img src=1 onerror=alert(1)>

It does work

java interface mothods

there are 4 java methods annotated with @JavascriptInterface this means they are exposed and can be called by javascript code in the webview.

after taking a look on the 4 functions i notices that the interesting one is postCowsayMessage

which takes a string message and sent it to another function CowsayUtil.INSTANCE.runCowsay for decoration or some edit and then add to the cache to be shown in the UI

Lets take a look ontThe runCowsay in the CowsayUtil class

it takes the message and append it to a bash command and return a string output like this

/bin/sh -c script.sh message

let’s try to find the script in the files folder

let’s craft a simple payload to trigger this function

<img src=x onerror=WebAppInterface.postCowsayMessage("random")>

i don’t know why after a lot of trials this didn’t work

but anyways let’s try to make it execute a command like id

this will be a mix of XXS and OS command injection vulnerabilities

after trying some payloads this one worked

<img src=x onerror=WebAppInterface.postCowsayMessage("random;id")>