2014-04-30: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-07-29: 厂商已经主动忽略漏洞,细节向公众公开
该APP的安卓客户端,设计问题导致数据泄漏,导致全站数据泄漏
最近对安卓的app逆向挺感兴趣,然后对网上一些app进行安全测试,此app初入手时,发现其
内部有mysql的jdbc驱动,然后就想应该有问题,在更多的反编译过程中发现其数据库配置直接写在so库文件里面,明文保存,连接致数据库,发现可控全站数据库!其危害之严重!
利用工具开始反编译,
然后提权其dex,
将dex文件转为jar包之后,分析代码发现其数据库连接,但是并未发现具体连接代码,然后就想,可能连接存在于类库里面,然后找到libservice_jni.so这个文件,
.plt:00000BAC ;.plt:00000BAC ; +-------------------------------------------------------------------------+.plt:00000BAC ; | This file has been generated by The Interactive Disassembler (IDA) |.plt:00000BAC ; | Copyright (c) 2009 by Hex-Rays, <support@hex-rays.com> |.plt:00000BAC ; | License info: FA-EC7E-28A4-A5 |.plt:00000BAC ; | Licensed User |.plt:00000BAC ; +-------------------------------------------------------------------------+.plt:00000BAC ;.plt:00000BAC ; Input MD5 : 0208C7DA39BFDBBC13FD435EA49F9C78.plt:00000BAC.plt:00000BAC ; ---------------------------------------------------------------------------.plt:00000BAC ; File Name : D:\apk\apktool1.5.2\apktool1.5.2\libservice_jni.so.plt:00000BAC ; Format : ELF (Shared object).plt:00000BAC ; Needed Library 'libstdc++.so'.plt:00000BAC ; Needed Library 'libm.so'.plt:00000BAC ; Needed Library 'libc.so'.plt:00000BAC ; Needed Library 'libdl.so'.plt:00000BAC ; Shared Name 'libservice_jni.so'.plt:00000BAC ;.plt:00000BAC ; EABI version: 5.plt:00000BAC ;.plt:00000BAC.plt:00000BAC ; Processor : ARM.plt:00000BAC ; Target assembler: Generic assembler for ARM.plt:00000BAC ; Byte sex : Little endian.plt:00000BAC.plt:00000BAC ; ===========================================================================.plt:00000BAC.plt:00000BAC ; Segment type: Pure code.plt:00000BAC AREA .plt, CODE, READWRITE.plt:00000BAC ; ORG 0xBAC.plt:00000BAC CODE32.plt:00000BAC STR LR, [SP,#-4]!.plt:00000BB0 LDR LR, =(_GLOBAL_OFFSET_TABLE_ - 0xBBC).plt:00000BB4 ADD LR, PC, LR.plt:00000BB8 LDR PC, [LR,#8]!.plt:00000BB8 ; ---------------------------------------------------------------------------.plt:00000BBC off_BBC DCD _GLOBAL_OFFSET_TABLE_ - 0xBBC ; DATA XREF: .plt:00000BB0r.plt:00000BC0 ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_atexit. PRESS KEYPAD "+" TO EXPAND].plt:00000BCC ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_finalize. PRESS KEYPAD "+" TO EXPAND].plt:00000BD8 ; [0000000C BYTES: COLLAPSED FUNCTION __gnu_Unwind_Find_exidx. PRESS KEYPAD "+" TO EXPAND].plt:00000BE4 ; [0000000C BYTES: COLLAPSED FUNCTION memcpy. PRESS KEYPAD "+" TO EXPAND].plt:00000BF0 ; [0000000C BYTES: COLLAPSED FUNCTION abort. PRESS KEYPAD "+" TO EXPAND].plt:00000BFC ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_begin_cleanup. PRESS KEYPAD "+" TO EXPAND].plt:00000C08 ; [0000000C BYTES: COLLAPSED FUNCTION __cxa_type_match. PRESS KEYPAD "+" TO EXPAND].text:00000C14 ; ---------------------------------------------------------------------------.text:00000C14 ; ===========================================================================.text:00000C14.text:00000C14 ; Segment type: Pure code.text:00000C14 AREA .text, CODE, READWRITE.text:00000C14 ; ORG 0xC14.text:00000C14 CODE32.text:00000C14 LDR R2, =(unk_4000 - 0xC24).text:00000C18 MOV R1, #0.text:00000C1C ADD R2, PC, R2.text:00000C20 B __cxa_atexit.text:00000C20 ; ---------------------------------------------------------------------------.text:00000C24 off_C24 DCD unk_4000 - 0xC24 ; DATA XREF: .text:00000C14r.text:00000C28.text:00000C28 ; =============== S U B R O U T I N E =======================================.text:00000C28.text:00000C28.text:00000C28 sub_C28 ; DATA XREF: .fini_array:00003EB8o.text:00000C28 LDR R0, =(unk_4000 - 0xC34).text:00000C2C ADD R0, PC, R0.text:00000C30 B __cxa_finalize.text:00000C30 ; End of function sub_C28.text:00000C30.text:00000C30 ; ---------------------------------------------------------------------------.text:00000C34 off_C34 DCD unk_4000 - 0xC34 ; DATA XREF: sub_C28r.text:00000C38 CODE16.text:00000C38.text:00000C38 ; =============== S U B R O U T I N E =======================================.text:00000C38.text:00000C38.text:00000C38 EXPORT Java_com_fly186_service_jni_JNI_getUrl.text:00000C38 Java_com_fly186_service_jni_JNI_getUrl.text:00000C38 PUSH {R3,LR}.text:00000C3A LDR R2, [R0].text:00000C3C LDR R1, =(aJdbcMysql59_63 - 0xC46).text:00000C3E MOVS R3, 0x29C.text:00000C42 ADD R1, PC ; "jdbc:mysql://不告诉你/myxdfw".text:00000C44 LDR R3, [R2,R3].text:00000C46 BLX R3.text:00000C48 POP {R3,PC}.text:00000C48 ; End of function Java_com_fly186_service_jni_JNI_getUrl.text:00000C48.text:00000C48 ; ---------------------------------------------------------------------------.text:00000C4A ALIGN 4.text:00000C4C off_C4C DCD aJdbcMysql59_63 - 0xC46.text:00000C4C ; DATA XREF: Java_com_fly186_service_jni_JNI_getUrl+4r.text:00000C4C ; "jdbc:mysql://不告诉你/myxdfw".text:00000C50.text:00000C50 ; =============== S U B R O U T I N E =======================================.text:00000C50.text:00000C50.text:00000C50 EXPORT Java_com_fly186_service_jni_JNI_getName.text:00000C50 Java_com_fly186_service_jni_JNI_getName.text:00000C50 PUSH {R3,LR}.text:00000C52 LDR R2, [R0].text:00000C54 LDR R1, =(aMyxdfw - 0xC5E).text:00000C56 MOVS R3, 0x29C.text:00000C5A ADD R1, PC ; "myxdfw".text:00000C5C LDR R3, [R2,R3].text:00000C5E BLX R3.text:00000C60 POP {R3,PC}.text:00000C60 ; End of function Java_com_fly186_service_jni_JNI_getName.text:00000C60.text:00000C60 ; ---------------------------------------------------------------------------.text:00000C62 ALIGN 4.text:00000C64 off_C64 DCD aMyxdfw - 0xC5E ; DATA XREF: Java_com_fly186_service_jni_JNI_getName+4r.text:00000C64 ; "myxdfw".text:00000C68.text:00000C68 ; =============== S U B R O U T I N E =======================================.text:00000C68.text:00000C68.text:00000C68 EXPORT Java_com_fly186_service_jni_JNI_getPassword.text:00000C68 Java_com_fly186_service_jni_JNI_getPassword.text:00000C68 PUSH {R3,LR}.text:00000C6A LDR R2, [R0].text:00000C6C LDR R1, =(a101627xdfw - 0xC76).text:00000C6E MOVS R3, 0x29C.text:00000C72 ADD R1, PC ; "不告诉你".text:00000C74 LDR R3, [R2,R3].text:00000C76 BLX R3.text:00000C78 POP {R3,PC}.text:00000C78 ; End of function Java_com_fly186_service_jni_JNI_getPassword.text:00000C78.text:00000C78 ; ---------------------------------------------------------------------------.text:00000C7A ALIGN 4.text:00000C7C off_C7C DCD a101627xdfw - 0xC76 ; DATA XREF: Java_com_fly186_service_jni_JNI_getPassword+4r.text:00000C7C ; "不告诉你".text:00000C80 CODE32.text:00000C80
分析到这里,数据库泄漏就是必然了!
这个相信你们比我专业
未能联系到厂商或者厂商积极拒绝