mobile

Introduction

During my recent penetration testing project for a company_ In the educational courses application.

Tools and Methodology

Outline the tools used for dynamic analysis and the methodology followed during the testing process.

Mobile Security Framework (MobSF) FRIDA Burp Suite Objection

nuclei sqlmap apktool jd-gui

Summary of Findings

I have found 2 High, 2 Medium, vulnerabilities were identified.

1- SSL Pinning Bypass

2- Account takeover

3- SQL Injection (SQLi)

4- Disclosure of sensitive data in URL parameters

5- External service interaction ( DNS & STMP )

Start using apktool and nuclei

The challenge here is to bypass all Detections to allow access API

DeveloperMode, Rootbeer & JailMonkey Root Detections.

If you try to bypass dev mode, you will see root detection, etc so I have asked chat GPT to make all of them in one script except ssl pinning by objection.

so now we have to bypass SSL pinning, if we run the Frida script with objection it will be terminated so

we open the first Terminal to run the Frida script and then run the objection both of them . By this line

``` objection --gadget $(frida-ps -Uai | grep com.company | awk '{print $1}') explore

  
Now we have access to Api Request  
  
frist thnig try to test Reset Password endponit  , open my check list note .  
  
  
## 1- Account Takeover  
 

---

 Discovered  Account Takeover password reset **check_mail_for_reset.php**  Endpoint  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEjV5GrUnKJE1XbGf7yt91cjz369XOuyM8j2wZWPfCsYCtiKcBfCWx7Vd93QQPq6beJWl2llAAkVYrf25rRBRJdladDTqjQB8yEZZkT1dKr6_EIwSDsCw5zzWJhMrzTu7B4-IM0sSB5PFGUuOeclJH5OeeU8pcmnRREf2rFa5cjk1YbUkbyp4y8AH_a1RP4=w671-h412)](https://www.blogger.com/#)

  
  
  
  
This vulnerability attacker can gain unauthorized access to the user’s account , using  
Reset Password  OTP by Intercept request .  

  
  
so cloes my checklist  note  
  
   

[![](https://blogger.googleusercontent.com/img/a/AVvXsEgpV_4qPiGUzbVkxwf4M1KUJYP4zFawVBCSVBw_IRPWtWoTA6zlUKVKGTDf0Oak5CTvu-ujK3ZWKvcbVXIBoqVZnouAmco3SjexqRwen8k1VAAZ0R7i46BkWNWNDjsZxtWZIFjd4_jQ0cqs0Soyh1JtMpdDmkrgM7ovscF6gEWVCVPM-ixcGiLTgGjdNLc)](https://www.blogger.com/#)

  
  
  
## 2- SQL Injection

---

  
  
Issue detail  
The code JSON parameter appears to be vulnerable to SQL injection attacks. The payload (select  
\356idrfjq2uj8x104al8bdh0irorcn0e22upmdb.oastify.com\nqk')) was submitted in the c  
parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC fil  
references a URL on an external domain. The application interacted with that domain, indicatin  
injected SQL query was executed.  
The database appears to be MySQL.

  
Issue background  
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL 
unsafe manner. An attacker can supply crafted input to break out of the data context in which  
appears and interfere with the structure of the surrounding query.  
A wide range of damaging attacks can often be delivered via SQL injection, including reading or  
critical application data, interfering with application logic, escalating privileges within the database  
control of the database server.  
all of  this query vuln to SQL attack  
  
  
  
```{  
"email"  
"student_id"  
"category_id"  
"student_name"  
"student_avater_url"  
"student_nickname"  
"course_id"  
"unit_id"  
}
  



[![](https://blogger.googleusercontent.com/img/a/AVvXsEiXMvsH_kTaAb8GbUhoJDZqjAzRN5rkBPrSabmdTei3EE3FSbmu1lLQuDmwdxVPJt1vKKVfWiRZUvyDYH1ag37mZBTYnCb1XY5cAGLaTLDLRyWH-ix_OsjYkLUCDvAjc-Y2Fnx6ISWQht1QfUdt09ENxYxyFavxIMzUQn0911FSNGtv2o-Cj_CdJ0EwKA0=w600-h368)](https://www.blogger.com/#)

  
  
and used too frida script by   @SecFathy  [https://codeshare.frida.re/@SecFathy/sqlite-data-monitor/](https://www.blogger.com/#)  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEi8vtyDHortM1rXBcZpR1z5C6cF31wGmVRelr5XKKd9vslGTl8h9uJLsEwEF4zM_g9_HK-9wNOmo9wNjA0y0aDvcQ3EIcDXT8iMnCIdwLTrDmDTTi-ub4Hnactela98KVbmIC7uylBq1G5R1qYC_Tk9CIF8PGj6mtc3TiJ52wfsI-shq5pqmeReBjp47sY=w875-h310)](https://www.blogger.com/#)

  
  
  
## Disclosure of sensitive data in URL  
  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEghsQr5o2O1Xn1pkxIPNgXdbiB941otnrPitjgLQDbXfTFt6tZBqeh1JM8isqE5QIK1I8-Ncn3HKX3Uuu8zUfJLoggVjgxOJ_52nxGr0TOKVdWV86zKBDXR4rmkRP1QjqfoA8fBHXaptBd7AicjHnGGS8oqANULzFAKLLvfut2iAh2fZpUez973zXfVAuM=w793-h337)](https://www.blogger.com/#)

  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEjQRm7-VxH9TcVXvrVFma_XsfCjuHbsmrsjGQY4-FrX8exHJ6DjyLBgKHK6_ApTsVq5pP2NY9UYtHSpFFI46eIDdALuSG1otUyEFv8E6u0PqfgM3vPycQMZTExwxjkz8_RBUuOy0PvkgJRqjdbAfVFushGSlb9_5vSYRjhVmy3YxHV0xNt0gRHj5TaXar4=w844-h298)](https://www.blogger.com/#)

  
  
  External service interaction ( DNS & STMP )

---

  
  
``Issue detail  
  
DNS  
It is possible to induce the application to perform server-side DNS lookups of  
arbitrary domain names.  
The server-side include statement "-->'-->`--> was submitted in the code JSON  
parameter. This payload is designed to trigger a CNAME DNS lookup if the  
application is vulnerable to server-side include.  
The application performed a DNS lookup of the specified domain of an unexpected  
type. This indicates that the server has a component that is parsing out hostnames  
and making the interaction.  
``Issue detail  
  
SMTP  
It is possible to induce the application to send emails via SMTP to arbitrary  
addresses.  
The email address 5bhkjtllw40lez72acrahfn2otutikc843svfl3a@oastify.com was  
submitted in the email JSON parameter.  
The application sent an email via SMTP to the specified address.  
  
  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEjCR28q-ZTtZX392c1VqSQrLPiCOkRsDPQX9hVxgPseBVQBmwa4v6H_5eE09f6isQ9k9kQFg2hz-aq9fYT8-JWtGd3D3MXOYXY5lV7m6F81uVLb4TAoUUEWT621jU0SyLFvPcj30eXDNwD5pMahEANWRNbABmVVItyrRzYVSwFU_SxyKMuMKIzfUWFBEg8=w778-h624)](https://www.blogger.com/#)

  
  
  
  
  

[![](https://blogger.googleusercontent.com/img/a/AVvXsEiKSJv3DZf8FY_shAerpuH7mMpt3Y_UitWjaE-0pKEwYd7n0q43fa0-dliXC7yDyd5_Ic8eAOxmVYQ7DbCUIL6O0RUrP5bbGcjfjZs0pyTaBN-jk-mf56z6WLP8NLxAAjqlxTvM2udd0bkHcJTj_j-mTTquN-odQB1rS8jGKwe8KcMiq85AsuQTjhR-x1U=w629-h324)](https://www.blogger.com/#)

  
An attacker can send phishing links :D  
   
   
also found Stored & Reflected Cross-Site Scripting (XSS) with no impact to exploit with ``web view``