Hacking and Rooting Web Server Through Android Application
This is a write-up and proof of concept (PoC) of server-side vulnerabilities I found in an Android application I analysed recently.
First I configured Burp Suite to intercept traffic from my Android phone, opened the application and intercepted the request for uploading a new photo.
Here’s what I got. Every photo you upload will have “filename” = photo.jpg, but that’s not the main thing.
There are three interesting parts in this request: the filename, the Content-Type and the content of the attachment.
We can edit these three parameters in order to change the file extension, the type of file and the content of the file.
You can also try to exploit this using null byte injection, but I made it very simple and it worked for me: change the filename to “photo.php”, set Content-Type: application/octet-stream, and on the 4th line of the content add the PHP code you want to execute (I used a simple phpinfo output: <?php echo phpinfo(); ?>). You can add it wherever you want, but the 4th line was blank for me. Here’s the response:
As you can see, it’s uploaded as a PHP file. Once I opened it, I got the output from the phpinfo function.
Since it’s responsible disclosure, I can’t provide any more information, but I hope that’s helpful! Enjoy!
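On the defensive side, the fix is for the upload handler to stop trusting all three client-controlled parts of the request. The sketch below is an added example, not code from the application or from this post; the function names, the image allowlist and the sample bytes are assumptions made for illustration.

```python
import secrets

# Allowlist: leading magic bytes -> extension the server assigns itself.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}
SCRIPT_MARKERS = (b"<?php", b"<?=")

def sniff_extension(body: bytes):
    """Return the extension implied by the file's own bytes, or None."""
    for magic, ext in MAGIC.items():
        if body.startswith(magic):
            return ext
    return None

def handle_upload(filename: str, content_type: str, body: bytes) -> dict:
    """Decide how to store an upload without trusting any client-supplied field.

    filename and content_type are inspected only to raise log flags; neither
    influences the stored name or the accept/reject decision.
    """
    ext = sniff_extension(body)
    if ext is None:
        return {"accepted": False, "reason": "not an allowed image type"}
    flags = []
    if not filename.lower().endswith((".jpg", ".jpeg", ".png")):
        flags.append("client filename has non-image extension")
    if "\x00" in filename:
        flags.append("null byte in filename")
    if not content_type.lower().startswith("image/"):
        flags.append("client Content-Type is not image/*")
    # Flag rather than reject: random image bytes can contain "<?=" by chance.
    if any(marker in body for marker in SCRIPT_MARKERS):
        flags.append("script marker inside image data")
    # Server-generated name: random stem plus the sniffed extension.
    stored = secrets.token_hex(16) + ext
    return {"accepted": True, "stored_as": stored, "flags": flags}

# Constructed sample: JPEG header bytes with PHP placed on a later line,
# sent with the edited filename and Content-Type described in the post.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\n\n\n"
tampered = handle_upload("photo.php", "application/octet-stream",
                         JPEG_HEAD + b"<?php echo phpinfo(); ?>\n")
not_image = handle_upload("photo.jpg", "image/jpeg", b"<?php echo phpinfo(); ?>")

if __name__ == "__main__":
    print(tampered)
    print(not_image)
```

Because the stored name never ends in .php, the embedded code is served as image data instead of being handed to the PHP interpreter; keeping the upload directory outside the script-executing path closes the remaining gap.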