Monday, 8 August 2016

Download all APK from Google Play - Device/Country bypass (Android 6 Marshmallow)

As we all know, Google Play applies several filters whose main purpose is to check whether the application (APK) you want to download is compatible with your device. However, as I have seen, there are also filters by country, which restrict the download of an APK to the country where it is meant to be used. The clearest example is an international organization that publishes a different APK depending on where its headquarters are located.

The objective of this article is to evade the main restrictions or filters that Google Play applies.

Some may say that there are websites that evade these restrictions and allow you to download any APK, but the reality is different: those sites host their own repositories, previously downloaded from Google Play, which means that if the application has not already been downloaded by someone else, you cannot get that APK from those sites.

1. Bypass device filter:

Before talking about the filters, you need to set the stage, i.e. the type of device to use (virtual or physical). If you use a virtual machine I recommend:
Mobile Security Framework (MobSF) with the Xposed Framework to spoof your device; but if the application uses GPS, MobSF may not be useful. For this reason I decided to use a physical device, in my case a Xiaomi MI4 running Android, to force the device filter on Google Play. If your device is not compatible with the download of certain applications, you will see something like this on Google Play:

The only solution is to spoof our Android device to avoid this restriction. If you use MobSF you can use the Xposed Framework and spoof your Android virtual machine. You can also install the Xposed Framework on your physical Android device; I could not, as it was incompatible with my kernel version 3.4.0. Therefore, after rooting my physical device, I installed an application that allowed me to spoof my device.


I will not go into details about the application. Once spoofed, we can check the result in Google's device manager. On the other hand, Google Play will automatically recognize the new device; make sure you have Google Play services installed on your Android device.


I changed my Xiaomi MI4 LTE to a OnePlus One... and magically I have a "OnePlus MI4LTE". If you check your new user-agent you will see a combination of the real phone and the spoofed phone. Therefore, if we could perform a MitM on Google Play traffic with Burp Suite (for example) and modify the user-agent, we could spoof the device that way too, although it is easier to change the User-Agent in the system with the application shown above.

Now you can check Google Play to see the new state...

2. Bypass country filter:

To skip this filter, I followed these steps:

1) Create a Gmail account in the country where you want to download the APK.
2) Create a virtual phone number in that country to use with the new Gmail account.
3) Find a free VPN connection in the country where you want to download the APK.
4) Download GPS simulation software to place yourself in that country.

With this, we can download all the APKs available in the Google Play repository; although the process may seem tedious, it is not much work and will be very useful in the future.

Note: If you use a virtual machine with Android, remember to take snapshots.

If you want to know more about Google Play filters:

https://developer.android.com/google/play/filters.html?hl=en

Thanks to:
@bitsniper

Saturday, 23 April 2016

Analyzing BurpLoader.jar (Larry Lau version)

Everyone who works in IT security knows that there are key tools, especially for web pentesting. One of these key tools is Burp Suite.

However, there are many versions online, and one of the most famous is Larry Lau's. This version has been controversial, since many doubted its legitimacy. This post is not intended to "hack" Burp Suite Pro, but to deobfuscate and decompile BurpLoader and verify whether or not there is malware in the jar file. The analysis was carried out on BurpLoader.jar version 1.6.38.

Once understood the purpose of this post, let's get to work.

The first step is to extract the .class file, BurpLoader, from the .jar; for this, open the .jar file with a compressor, for example WinRAR. After extracting the .class we will look at the code in order to approach the problem in the best way possible. We will use jdecompiler on the Burp .jar file. As shown in the following image, we are only able to see the bytecode:


As you can see in the picture above, we cannot see the original source code, only the bytecode. So now we need a bytecode decompiler to find out exactly what this code does. The code can be recompiled with Eclipse; however, I used a simpler tool called Procyon-decompiler. Run Procyon and look at the obfuscated part of the bytecode, the ldc (load constant) instructions:


As seen in the picture above, the ldc constants are obfuscated. The next step is to find out which algorithm Larry Lau used to obfuscate the code; for this we can use jedit, obtaining the following results (BurpLoader.class):




Therefore we conclude that the obfuscator used is ZKM 8.0.1E (http://www.zelix.com/). To deobfuscate this code we need the 5-digit key, which can be found very easily with jedit, among other tools.
Now we need software that includes the option to deobfuscate ZKM code; we opted for DirtyJoe, a Windows tool.


Then, after applying the correct algorithm to deobfuscate:


I do not think it is necessary to go into details: once you have the deobfuscated .class you must go back to the first steps to decompile this class, obtaining the license Larry Lau uses in his loaders. But it was impossible to determine the existence of malware, since we could not compile the decompiled .java above, because we lacked the dependency burp_extras.jar.
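Before unpacking a third-party jar by hand, it helps to inventory it without running it: hash every entry so it can be compared with the vendor's official release, check whether the jar carries a code signature, and flag any class that embeds the obfuscator marker the post found with jedit. The following script is an added example written for this post, not code from the post or from Burp Suite; it builds a small constructed jar in memory (a stand-in, not the real BurpLoader.jar) and triages it with Python's zipfile module.

```python
import hashlib
import io
import zipfile

# Marker string the post found inside BurpLoader.class; extend as needed.
OBFUSCATOR_MARKERS = [b"ZKM8.0.1E"]

# Signature-related entries a signed jar carries under META-INF/.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def triage_jar(jar_bytes):
    """Inventory a jar without executing it.

    Returns a dict with the Main-Class from the manifest, whether the jar is
    signed, a SHA-256 per entry (to diff against the vendor's jar), and the
    classes that contain a known obfuscator marker.
    """
    report = {"main_class": None, "signed": False, "entries": {}, "flagged": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            report["entries"][name] = hashlib.sha256(data).hexdigest()
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                report["signed"] = True
            if name == "META-INF/MANIFEST.MF":
                for line in data.decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            if name.endswith(".class"):
                for marker in OBFUSCATOR_MARKERS:
                    if marker in data:
                        report["flagged"].append((name, marker.decode()))
    return report


def build_sample_jar():
    """Constructed stand-in for a downloaded loader jar (not the real file):
    a manifest, one fake class carrying the ZKM marker, one clean fake class.
    The class bodies are only the 0xCAFEBABE magic plus padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nMain-Class: BurpLoader\r\n")
        jar.writestr("BurpLoader.class",
                     b"\xca\xfe\xba\xbe" + b"\x00" * 16 + b"ZKM8.0.1E" + b"\x00" * 8)
        jar.writestr("Helper.class", b"\xca\xfe\xba\xbe" + b"\x00" * 24)
    return buf.getvalue()


def sample_report():
    """Triage the constructed jar; used by the demo below."""
    return triage_jar(build_sample_jar())


if __name__ == "__main__":
    rep = sample_report()
    print("Main-Class:", rep["main_class"])
    print("Signed:", rep["signed"])
    for entry, digest in rep["entries"].items():
        print(f"  {digest[:16]}...  {entry}")
    for entry, marker in rep["flagged"]:
        print(f"FLAG: {entry} contains obfuscator marker {marker}")
```

An unsigned jar whose entry point is flagged for an obfuscator marker is exactly the case where the hashes should be compared with the official PortSwigger release before anything is executed; the per-entry digests make that comparison mechanical.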

Tuesday, 9 February 2016

Understanding "tamper" option in Sqlmap (II)

In the previous post we explained the reason for using sqlmap's tamper option. However, due to the large number of tampers available, it is necessary to build a table showing where each tamper can be used, because I could not find a table on the internet that reflects, among other things, the type of database management system each tamper applies to:

TAMPER                     MySQL             MSSQL        Oracle   PostgreSQL
apostrophemask             *                 *            *        *
apostrophenullencode       -                 -            -        -
appendnullbyte             *                 *            *        *
base64encode               4, 5, 5.5         2005         10g      -
between                    5.1               -            -        -
bluecoat                   *                 *            *        *
apostrophemask             9.0.3             2000, 2005   -        9.3
charunicodeencode          4, 5.0 and 5.5    2005         10g      8.3, 8.4, 9.0
charencode                 *                 -            -        -
commalessmid               *                 -            -        -
concat2concatws            *                 *            *        *
equaltolike                *                 *            *        *
greatest                   < 5.1             -            -        -
halfversionedmorekeywords  5.0 and 5.5       -            -        -
ifnull2ifisnull            *                 *            *        *
informationschemacomment   4, 5.0, 5.5       2005         10g      8.3, 8.4, 9.0
lowercase                  5.0               -            -        -
modsecurityversioned       5.0               -            -        -
modsecurityzeroversioned   *                 *            *        *
multiplespaces             *                 *            *        *
nonrecursivereplacement    *                 *            *        *
overlongutf8               5.1.56, 5.5.11    2000, 2005   N/A      9.0
percentage                 4, 5.0, 5.5       2005         10g      8.3, 8.4, 9.0
randomcase                 *                 *            *        *
randomcomments             *                 *            *        *
securesphere               4, 5.0, 5.5       2005         10g      8.3, 8.4, 9.0
space2comment              -                 -            -        -
space2dash                 4.0, 5.0          -            -        -
space2hash                 >= 5.1.13         -            -        -
space2morehash             -                 2000, 2005   -        -
space2mssqlblank           *                 *            -        -
space2mssqlhash            *                 *            *        *
space2plus                 4, 5.0, 5.5       2005         10g      8.3, 8.4, 9.0
space2randomblank          -                 *            -        -
sp_password                *                 *            *        *
symboliclogical            *                 *            *        *
unionalltounion            *                 *            *        *
unmagicquotes              4, 5.0, 5.5       2005         10g      8.3, 8.4, 9.0
uppercase                  *                 *            *        *
varnish                    *                 -            -        -
versionedkeywords          >= 5.1.13         -            -        -
versionedmorekeywords      *                 *            *        *
xforwardedfor              *                 *            *        *

(*) Might work for all versions.
(-) Does not apply.

While the ultimate goal of using tampers is to evade firewalls and possible application filters, you should know which kind of database management system each tamper applies to.

The reason for not adding Microsoft Access databases is evident: this type of database is not relational, so using sqlmap for such SQL injections might be a waste of time. However, sqlmap has a specific tamper for Microsoft Access databases, called appendnullbyte.

Moreover, some tampers are designed specifically to evade a particular WAF, for example:

securesphere: Useful for bypassing the Imperva SecureSphere WAF.
varnish: Useful for bypassing the WAF protection of Varnish Firewall.

Some tampers only work for specific web programming languages, such as:

charunicodeencode: Only for ASP or ASP.NET.

In short, there are many ways to bypass filters and firewalls, although it will be difficult to find such deficiencies in large companies dedicated to security. Still, we can always develop a script to bypass such restrictions.

Other links that may be of interest for bypassing filters, in this case XSS:

https://www.exploit-db.com/docs/38117.pdf

In the following post we will use the appendnullbyte tamper against Microsoft Access databases and try to explain in as much detail as possible the problem of SQL injection against these databases.

Regards,

Monday, 8 February 2016

Understanding "tamper" option in Sqlmap

In today's post we will look at the meaning of the "tamper" option in the sqlmap tool. For now it is enough to know that there are certain data filtering mechanisms and certain web application firewalls that, when implemented correctly, will make our job much harder when carrying out a SQL injection attack.

To better understand the topic, let's stage it with the following example. As you can see below, when a SQL injection vulnerability is detected and then exploited, the server returns the same statement without spaces:

REQUEST:
GET /index.html?id=' AND 1=1
Host: X.X.X.X
User-agent: Mozilla/5.0 …
Connection: close

RESPONSE:
HTTP/1.1 200 OK
Server: X
Connection: Close
The SQL syntax is incorrect when SELECT * FROM productos WHERE ID='AND1=1....

As shown in the example above, the server responds with "The SQL syntax is incorrect" after removing the spaces from the statement. We would need to tamper the data so that %20 is inserted in place of each space.

Although sqlmap by default converts the content of the request to hexadecimal, this example helps us understand the reason for the "tamper" option.

Applying the above concept to our previous example, for the statement to be valid it should look as follows:

REQUEST:
GET /index.html?id=%27%20AND%201=1
Host: X.X.X.X
User-agent: Mozilla/5.0 …
Connection: close

RESPONSE:
HTTP/1.1 200 OK
Server: X
Connection: Close
OK

As you can see in the previous response, for the SQL statement to be correct we would have to use the tamper option to convert all the data to hexadecimal. Sqlmap already does this by default, but it is a good way to understand the reason for the tamper option.
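The two exchanges above come down to an ordering flaw on the server: the filter strips literal spaces from the raw query-string value, and only afterwards does the framework URL-decode it, so a %20 survives the filter and decodes back to a space. The following script is an added example written for this post, not code from the post or from sqlmap; it models that filter against a constructed in-memory SQLite table named productos (as in the post's error message), shows the same filter with the order corrected, and contrasts both with a parameterized query, which needs no space filter at all. The concatenated statement is only built for inspection, never executed.

```python
import sqlite3
from urllib.parse import unquote


def make_db():
    """Constructed sample table standing in for the post's productos table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE productos (ID TEXT PRIMARY KEY, nombre TEXT)")
    con.executemany("INSERT INTO productos VALUES (?, ?)",
                    [("1", "teclado"), ("2", "raton")])
    return con


def strip_then_decode(raw_value):
    """Models the server in the post: literal spaces are removed from the raw
    value first, and the framework URL-decodes what survived afterwards.
    A %20 passes the filter untouched and decodes to a space."""
    return unquote(raw_value.replace(" ", ""))


def decode_then_strip(raw_value):
    """Same filter with the order fixed: canonicalize (decode) before filtering,
    so an encoded space is seen by the filter as a space."""
    return unquote(raw_value).replace(" ", "")


def build_concatenated_sql(value):
    """The statement the vulnerable server builds by string concatenation, as
    shown in the post's error message. Returned for inspection only."""
    return f"SELECT * FROM productos WHERE ID='{value}'"


def safe_lookup(con, raw_value):
    """The real fix: bind the decoded value as a parameter so it is data, never
    SQL. Returns the number of matching rows."""
    value = unquote(raw_value)
    rows = con.execute("SELECT * FROM productos WHERE ID=?", (value,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    con = make_db()
    # The two request values from the post: literal spaces, then %20-encoded.
    for raw in ["' AND 1=1", "%27%20AND%201=1"]:
        print(repr(raw))
        print("  strip-then-decode:", build_concatenated_sql(strip_then_decode(raw)))
        print("  decode-then-strip:", build_concatenated_sql(decode_then_strip(raw)))
        print("  parameterized rows:", safe_lookup(con, raw))
```

With the filter in the post's order, the encoded request reaches the SQL builder with its spaces restored, which is why the second response is "OK"; decoding before filtering closes that gap, but only the parameterized query removes the injection itself, since the value is then never parsed as part of the statement.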

I guess by now you're thinking: and how do I use the tamper option? How could I identify which one to use?
It depends mainly on whether our client uses a WAF (Web Application Firewall), and on the version of the database management software. Sometimes we believe that the filters implemented by the database manager itself are a WAF, but that is not always the case.

Sqlmap also incorporates a feature that detects the best-known WAFs to date; this will help us verify whether or not such a firewall exists:

--check-waf

You can find more information at the following official sqlmap link:

https://github.com/sqlmapproject/sqlmap/wiki/Usage

Once we have identified the type of WAF (if the web application has one), the programming language used to develop the web application, and the type and version of the database management system, we are ready to choose the most appropriate tamper.

Since the purpose of this post is to understand sqlmap's tamper option, and I think it is quite clear, I will simply say that there is plenty of information on the Internet regarding which tamper to use depending on the above parameters.

Regards,